Ruby: more accurate modeling of which ActionCable channel methods become endpoints

2026-04-28 18:25:24 +02:00 · 2022-11-09 16:14:11 +00:00
parent 611ed93e39
commit cfde7e9edc
1 changed files with 11 additions and 2 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActionCable.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActionCable.qll
@@ -43,8 +43,17 @@ module ActionCable {
              .getConstant("Channel")
              .getConstant("Base")
              .getADescendentModule()
-              .getAnOwnInstanceMethod() and
-        // as long as it's public
+              .getAnInstanceMethod() and
+        // as long as it's not an instance method of
+        // `ActionCable::Channel::Base` itself, which might exist in the
+        // database
+        not m =
+          DataFlow::getConstant("ActionCable")
+              .getConstant("Channel")
+              .getConstant("Base")
+              .asModule()
+              .getAnInstanceMethod() and
+        // and as long as it's public
        m.asCallableAstNode().isPublic() and
        // and is not called `subscribed` or `unsubscribed`.
        not m.getMethodName() = ["subscribed", "unsubscribed"]