Merge remote-tracking branch 'origin/main' into nickrolfe/active_support_flow_summaries

Nick Rolfe
2022-11-09 17:02:05 +00:00
183 changed files with 3953 additions and 1019 deletions


@@ -1,17 +1,18 @@
actionControllerControllerClasses
| action_controller/input_access.rb:1:1:50:3 | UsersController |
| action_controller/params_flow.rb:1:1:160:3 | MyController |
| action_controller/params_flow.rb:1:1:162:3 | MyController |
| action_controller/params_flow.rb:170:1:178:3 | Subclass |
| active_record/ActiveRecord.rb:23:1:39:3 | FooController |
| active_record/ActiveRecord.rb:41:1:64:3 | BarController |
| active_record/ActiveRecord.rb:66:1:98:3 | BazController |
| active_record/ActiveRecord.rb:100:1:108:3 | AnnotatedController |
| active_storage/active_storage.rb:39:1:45:3 | PostsController |
| active_storage/active_storage.rb:39:1:45:3 | PostsController2 |
| app/controllers/comments_controller.rb:1:1:40:3 | CommentsController |
| app/controllers/foo/bars_controller.rb:3:1:46:3 | BarsController |
| app/controllers/photos_controller.rb:1:1:4:3 | PhotosController |
| app/controllers/posts_controller.rb:1:1:10:3 | PostsController |
| app/controllers/tags_controller.rb:1:1:2:3 | TagsController |
| app/controllers/users/notifications_controller.rb:2:3:5:5 | NotificationsController |
| app/controllers/users/notifications_controller.rb:2:3:5:5 | Users::NotificationsController |
actionControllerActionMethods
| action_controller/input_access.rb:2:3:49:5 | index |
| action_controller/params_flow.rb:2:3:4:5 | m1 |
@@ -48,6 +49,7 @@ actionControllerActionMethods
| action_controller/params_flow.rb:134:3:141:5 | m31 |
| action_controller/params_flow.rb:143:3:150:5 | m32 |
| action_controller/params_flow.rb:152:3:159:5 | m33 |
| action_controller/params_flow.rb:171:3:173:5 | m34 |
| active_record/ActiveRecord.rb:27:3:38:5 | some_request_handler |
| active_record/ActiveRecord.rb:42:3:47:5 | some_other_request_handler |
| active_record/ActiveRecord.rb:49:3:63:5 | safe_paths |
@@ -121,6 +123,9 @@ paramsCalls
| action_controller/params_flow.rb:153:10:153:15 | call to params |
| action_controller/params_flow.rb:154:32:154:37 | call to params |
| action_controller/params_flow.rb:157:22:157:27 | call to params |
| action_controller/params_flow.rb:166:10:166:15 | call to params |
| action_controller/params_flow.rb:172:10:172:15 | call to params |
| action_controller/params_flow.rb:176:10:176:15 | call to params |
| action_mailer/mailer.rb:3:10:3:15 | call to params |
| active_record/ActiveRecord.rb:28:30:28:35 | call to params |
| active_record/ActiveRecord.rb:29:29:29:34 | call to params |
@@ -199,6 +204,9 @@ paramsSources
| action_controller/params_flow.rb:153:10:153:15 | call to params |
| action_controller/params_flow.rb:154:32:154:37 | call to params |
| action_controller/params_flow.rb:157:22:157:27 | call to params |
| action_controller/params_flow.rb:166:10:166:15 | call to params |
| action_controller/params_flow.rb:172:10:172:15 | call to params |
| action_controller/params_flow.rb:176:10:176:15 | call to params |
| action_mailer/mailer.rb:3:10:3:15 | call to params |
| active_record/ActiveRecord.rb:28:30:28:35 | call to params |
| active_record/ActiveRecord.rb:29:29:29:34 | call to params |
@@ -316,6 +324,9 @@ httpInputAccesses
| action_controller/params_flow.rb:153:10:153:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:154:32:154:37 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:157:22:157:27 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:166:10:166:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:172:10:172:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:176:10:176:15 | call to params | ActionController::Metal#params |
| action_mailer/mailer.rb:3:10:3:15 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:28:30:28:35 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:29:29:29:34 | call to params | ActionController::Metal#params |


@@ -5,7 +5,7 @@ private import codeql.ruby.frameworks.ActionView
private import codeql.ruby.Concepts
private import codeql.ruby.DataFlow
query predicate actionControllerControllerClasses(ActionControllerControllerClass cls) { any() }
query predicate actionControllerControllerClasses(ActionControllerClass cls) { any() }
query predicate actionControllerActionMethods(ActionControllerActionMethod m) { any() }
@@ -25,11 +25,11 @@ query predicate redirectToCalls(RedirectToCall c) { any() }
query predicate actionControllerHelperMethods(ActionControllerHelperMethod m) { any() }
query predicate getAssociatedControllerClasses(ActionControllerControllerClass cls, ErbFile f) {
query predicate getAssociatedControllerClasses(ActionControllerClass cls, ErbFile f) {
cls = getAssociatedControllerClass(f)
}
query predicate controllerTemplateFiles(ActionControllerControllerClass cls, ErbFile templateFile) {
query predicate controllerTemplateFiles(ActionControllerClass cls, ErbFile templateFile) {
controllerTemplateFile(cls, templateFile)
}


@@ -48,6 +48,9 @@ edges
| params_flow.rb:154:32:154:37 | call to params : | params_flow.rb:154:10:154:38 | call to reverse_update |
| params_flow.rb:157:5:157:5 | [post] p : | params_flow.rb:158:10:158:10 | p |
| params_flow.rb:157:22:157:27 | call to params : | params_flow.rb:157:5:157:5 | [post] p : |
| params_flow.rb:166:10:166:15 | call to params : | params_flow.rb:166:10:166:19 | ...[...] |
| params_flow.rb:172:10:172:15 | call to params : | params_flow.rb:172:10:172:19 | ...[...] |
| params_flow.rb:176:10:176:15 | call to params : | params_flow.rb:176:10:176:19 | ...[...] |
nodes
| params_flow.rb:3:10:3:15 | call to params : | semmle.label | call to params : |
| params_flow.rb:3:10:3:19 | ...[...] | semmle.label | ...[...] |
@@ -141,6 +144,12 @@ nodes
| params_flow.rb:157:5:157:5 | [post] p : | semmle.label | [post] p : |
| params_flow.rb:157:22:157:27 | call to params : | semmle.label | call to params : |
| params_flow.rb:158:10:158:10 | p | semmle.label | p |
| params_flow.rb:166:10:166:15 | call to params : | semmle.label | call to params : |
| params_flow.rb:166:10:166:19 | ...[...] | semmle.label | ...[...] |
| params_flow.rb:172:10:172:15 | call to params : | semmle.label | call to params : |
| params_flow.rb:172:10:172:19 | ...[...] | semmle.label | ...[...] |
| params_flow.rb:176:10:176:15 | call to params : | semmle.label | call to params : |
| params_flow.rb:176:10:176:19 | ...[...] | semmle.label | ...[...] |
subpaths
#select
| params_flow.rb:3:10:3:19 | ...[...] | params_flow.rb:3:10:3:15 | call to params : | params_flow.rb:3:10:3:19 | ...[...] | $@ | params_flow.rb:3:10:3:15 | call to params : | call to params : |
@@ -187,3 +196,6 @@ subpaths
| params_flow.rb:153:10:153:44 | call to reverse_update | params_flow.rb:153:10:153:15 | call to params : | params_flow.rb:153:10:153:44 | call to reverse_update | $@ | params_flow.rb:153:10:153:15 | call to params : | call to params : |
| params_flow.rb:154:10:154:38 | call to reverse_update | params_flow.rb:154:32:154:37 | call to params : | params_flow.rb:154:10:154:38 | call to reverse_update | $@ | params_flow.rb:154:32:154:37 | call to params : | call to params : |
| params_flow.rb:158:10:158:10 | p | params_flow.rb:157:22:157:27 | call to params : | params_flow.rb:158:10:158:10 | p | $@ | params_flow.rb:157:22:157:27 | call to params : | call to params : |
| params_flow.rb:166:10:166:19 | ...[...] | params_flow.rb:166:10:166:15 | call to params : | params_flow.rb:166:10:166:19 | ...[...] | $@ | params_flow.rb:166:10:166:15 | call to params : | call to params : |
| params_flow.rb:172:10:172:19 | ...[...] | params_flow.rb:172:10:172:15 | call to params : | params_flow.rb:172:10:172:19 | ...[...] | $@ | params_flow.rb:172:10:172:15 | call to params : | call to params : |
| params_flow.rb:176:10:176:19 | ...[...] | params_flow.rb:176:10:176:15 | call to params : | params_flow.rb:176:10:176:19 | ...[...] | $@ | params_flow.rb:176:10:176:15 | call to params : | call to params : |


@@ -157,4 +157,22 @@ class MyController < ActionController::Base
p.reverse_update(params)
sink p # $hasTaintFlow
end
include Mixin
end
module Mixin
def m33
sink params[:x] # $hasTaintFlow
end
end
class Subclass < MyController
def m34
sink params[:x] # $hasTaintFlow
end
rescue_from 'Foo::Bar' do |err|
sink params[:x] # $hasTaintFlow
end
end
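Review bot: `include Mixin` inside MyController refers to `Mixin` before `module Mixin` is defined further down in the same file, so Ruby would raise a NameError if this file were ever loaded; that is harmless for a fixture that CodeQL only parses, but the ordering reads like a mistake to anyone unfamiliar with the test setup. Either move the module definition above the class, or add a comment on the include line such as `# Mixin is defined below; this fixture is only parsed by CodeQL, never loaded`. The `rescue_from 'Foo::Bar' do |err|` block never uses `err`, so `|_err|` would make clear the parameter is intentionally ignored. MyController's body starts outside the hunk, and the hunk's line counts suggest blank lines between the definitions were dropped in rendering.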


@@ -36,7 +36,7 @@ ActiveStorage.video_preview_arguments = custom_preview_args
ActiveStorage.variant_processor = custom_processor
class PostsController < ActionController::Base
class PostsController2 < ActionController::Base
def create
post = Post.new(params[:post])
post.images.attach(params[:images])