Ruby: add a code injection test for flwo through Regexp.escape

2026-04-30 03:05:15 +02:00 · 2022-02-11 13:52:20 +01:00
parent 63e7c16d6b
commit cbd044a768
2 changed files with 8 additions and 0 deletions
--- a/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.expected
+++ b/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.expected
@@ -5,6 +5,8 @@ edges
 | CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:21:21:21:24 | code |
 | CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:27:15:27:18 | code |
 | CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:30:19:30:22 | code |
+| CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:36:24:36:27 | code :  |
+| CodeInjection.rb:36:24:36:27 | code :  | CodeInjection.rb:36:10:36:28 | call to escape |
 nodes
 | CodeInjection.rb:3:12:3:17 | call to params :  | semmle.label | call to params :  |
 | CodeInjection.rb:3:12:3:24 | ...[...] :  | semmle.label | ...[...] :  |
@@ -14,6 +16,8 @@ nodes
 | CodeInjection.rb:21:21:21:24 | code | semmle.label | code |
 | CodeInjection.rb:27:15:27:18 | code | semmle.label | code |
 | CodeInjection.rb:30:19:30:22 | code | semmle.label | code |
+| CodeInjection.rb:36:10:36:28 | call to escape | semmle.label | call to escape |
+| CodeInjection.rb:36:24:36:27 | code :  | semmle.label | code :  |
 subpaths
 #select
 | CodeInjection.rb:6:10:6:13 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:6:10:6:13 | code | This code execution depends on $@. | CodeInjection.rb:3:12:3:17 | call to params | a user-provided value |
@@ -22,3 +26,4 @@ subpaths
 | CodeInjection.rb:21:21:21:24 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:21:21:21:24 | code | This code execution depends on $@. | CodeInjection.rb:3:12:3:17 | call to params | a user-provided value |
 | CodeInjection.rb:27:15:27:18 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:27:15:27:18 | code | This code execution depends on $@. | CodeInjection.rb:3:12:3:17 | call to params | a user-provided value |
 | CodeInjection.rb:30:19:30:22 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:30:19:30:22 | code | This code execution depends on $@. | CodeInjection.rb:3:12:3:17 | call to params | a user-provided value |
+| CodeInjection.rb:36:10:36:28 | call to escape | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:36:10:36:28 | call to escape | This code execution depends on $@. | CodeInjection.rb:3:12:3:17 | call to params | a user-provided value |
--- a/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.rb
+++ b/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.rb
@@ -31,6 +31,9 @@ class UsersController < ActionController::Base
    
    # GOOD
    Bar.const_get(code)
+
+    # BAD
+    eval(Regexp.escape(code))
  end

  def update