Merge pull request #10791 from asgerf/rb/rails-render-file

Ruby: treat render 'file:' argument as a file system access

ruby/ql/lib/codeql/ruby/frameworks/Rails.qll

@@ -71,6 +71,21 @@ module Rails {
 
   /** A render call that does not automatically set the HTTP response body. */
   class RenderToCall extends MethodCall instanceof RenderToCallImpl { }
+
+  /**
+   * A `render` call seen as a file system access.
+   */
+  private class RenderAsFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
+    RenderAsFileSystemAccess() {
+      exists(MethodCall call | this.asExpr().getExpr() = call |
+        call instanceof RenderCall
+        or
+        call instanceof RenderToCall
+      )
+    }
+
+    override DataFlow::Node getAPathArgument() { result = this.getKeywordArgument("file") }
+  }
 }
 
 /**

ruby/ql/src/change-notes/2022-10-12-rails-render-file.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `rb/path-injection` query now treats the `file:` argument of the Rails `render` method as a sink.