Ruby: Identify domain in Net::HTTP requests

2026-05-02 12:15:17 +02:00 · 2022-04-05 10:07:09 +12:00
parent 2d05ea3519
commit ce7675ef43
2 changed files with 18 additions and 4 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
@@ -21,9 +21,10 @@ private import codeql.ruby.DataFlow
 class NetHttpRequest extends HTTP::Client::Request::Range {
  private DataFlow::CallNode request;
  private DataFlow::Node responseBody;
+  private API::Node requestNode;

  NetHttpRequest() {
-    exists(API::Node requestNode, string method |
+    exists(string method |
      request = requestNode.getAnImmediateUse() and
      this = request.asExpr().getExpr()
    |
@@ -48,10 +49,19 @@ class NetHttpRequest extends HTTP::Client::Request::Range {
  }

  /**
-   * Gets the node representing the URL of the request.
-   * Currently unused, but may be useful in future, e.g. to filter out certain requests.
+   * Gets a node that contributes to the URL of the request.
   */
-  override DataFlow::Node getAUrlPart() { result = request.getArgument(0) }
+  override DataFlow::Node getAUrlPart() {
+    result = request.getArgument(0)
+    or
+    // Net::HTTP.new(...).get(...)
+    exists(API::Node new |
+      new = API::getTopLevelMember("Net").getMember("HTTP").getInstance() and
+      requestNode = new.getReturn(_)
+    |
+      result = new.getAnImmediateUse().(DataFlow::CallNode).getArgument(0)
+    )
+  }

  override DataFlow::Node getResponseBody() { result = responseBody }

--- a/ruby/ql/test/library-tests/frameworks/http_clients/HttpClients.expected
+++ b/ruby/ql/test/library-tests/frameworks/http_clients/HttpClients.expected
@@ -48,9 +48,13 @@
 | NetHttp.rb:6:8:6:50 | call to post | Net::HTTP | NetHttp.rb:6:23:6:36 | call to parse | NetHttp.rb:7:1:7:9 | call to body |
 | NetHttp.rb:6:8:6:50 | call to post | Net::HTTP | NetHttp.rb:6:23:6:36 | call to parse | NetHttp.rb:8:1:8:14 | call to read_body |
 | NetHttp.rb:6:8:6:50 | call to post | Net::HTTP | NetHttp.rb:6:23:6:36 | call to parse | NetHttp.rb:9:1:9:11 | call to entity |
+| NetHttp.rb:13:6:13:17 | call to get | Net::HTTP | NetHttp.rb:11:21:11:41 | "https://example.com" | NetHttp.rb:18:1:18:7 | call to body |
 | NetHttp.rb:13:6:13:17 | call to get | Net::HTTP | NetHttp.rb:13:14:13:16 | "/" | NetHttp.rb:18:1:18:7 | call to body |
+| NetHttp.rb:14:6:14:18 | call to post | Net::HTTP | NetHttp.rb:11:21:11:41 | "https://example.com" | NetHttp.rb:19:1:19:12 | call to read_body |
 | NetHttp.rb:14:6:14:18 | call to post | Net::HTTP | NetHttp.rb:14:15:14:17 | "/" | NetHttp.rb:19:1:19:12 | call to read_body |
+| NetHttp.rb:15:6:15:17 | call to put | Net::HTTP | NetHttp.rb:11:21:11:41 | "https://example.com" | NetHttp.rb:20:1:20:9 | call to entity |
 | NetHttp.rb:15:6:15:17 | call to put | Net::HTTP | NetHttp.rb:15:14:15:16 | "/" | NetHttp.rb:20:1:20:9 | call to entity |
+| NetHttp.rb:24:3:24:33 | call to get | Net::HTTP | NetHttp.rb:24:17:24:22 | domain | NetHttp.rb:27:1:27:28 | call to body |
 | NetHttp.rb:24:3:24:33 | call to get | Net::HTTP | NetHttp.rb:24:29:24:32 | path | NetHttp.rb:27:1:27:28 | call to body |
 | OpenURI.rb:3:9:3:41 | call to open | OpenURI | OpenURI.rb:3:21:3:40 | "http://example.com" | OpenURI.rb:4:1:4:10 | call to read |
 | OpenURI.rb:6:9:6:34 | call to open | OpenURI | OpenURI.rb:6:14:6:33 | "http://example.com" | OpenURI.rb:7:1:7:15 | call to readlines |