Add initial support for Ruby Grape

2026-05-04 13:15:21 +02:00 · 2025-09-12 19:22:05 -04:00
parent e8ddac08b7
commit d295acc3c3
7 changed files with 316 additions and 0 deletions
--- a/ruby/ql/test/library-tests/frameworks/grape/Grape.expected
+++ b/ruby/ql/test/library-tests/frameworks/grape/Grape.expected
@@ -0,0 +1,25 @@
+grapeAPIClasses
+| app.rb:1:1:48:3 | MyAPI |
+| app.rb:50:1:54:3 | AdminAPI |
+grapeEndpoints
+| app.rb:1:1:48:3 | MyAPI | app.rb:7:3:11:5 | call to get | GET | /hello/:name |
+| app.rb:1:1:48:3 | MyAPI | app.rb:17:3:20:5 | call to post | POST | /messages |
+| app.rb:1:1:48:3 | MyAPI | app.rb:23:3:27:5 | call to put | PUT | /update/:id |
+| app.rb:1:1:48:3 | MyAPI | app.rb:30:3:32:5 | call to delete | DELETE | /items/:id |
+| app.rb:1:1:48:3 | MyAPI | app.rb:35:3:37:5 | call to patch | PATCH | /items/:id |
+| app.rb:1:1:48:3 | MyAPI | app.rb:40:3:42:5 | call to head | HEAD | /status |
+| app.rb:1:1:48:3 | MyAPI | app.rb:45:3:47:5 | call to options | OPTIONS | /info |
+| app.rb:50:1:54:3 | AdminAPI | app.rb:51:3:53:5 | call to get | GET | /admin |
+grapeParams
+| app.rb:8:12:8:17 | call to params |
+| app.rb:14:3:16:5 | call to params |
+| app.rb:18:11:18:16 | call to params |
+| app.rb:24:10:24:15 | call to params |
+| app.rb:31:5:31:10 | call to params |
+| app.rb:36:5:36:10 | call to params |
+| app.rb:52:5:52:10 | call to params |
+grapeHeaders
+| app.rb:9:18:9:24 | call to headers |
+| app.rb:46:5:46:11 | call to headers |
+grapeRequest
+| app.rb:25:12:25:18 | call to request |
--- a/ruby/ql/test/library-tests/frameworks/grape/Grape.ql
+++ b/ruby/ql/test/library-tests/frameworks/grape/Grape.ql
@@ -0,0 +1,18 @@
+import ruby
+import codeql.ruby.frameworks.Grape
+import codeql.ruby.Concepts
+import codeql.ruby.AST
+
+query predicate grapeAPIClasses(GrapeAPIClass api) { any() }
+
+query predicate grapeEndpoints(GrapeAPIClass api, GrapeEndpoint endpoint, string method, string path) { 
+  endpoint = api.getAnEndpoint() and
+  method = endpoint.getHttpMethod() and
+  path = endpoint.getPath()
+}
+
+query predicate grapeParams(GrapeParamsSource params) { any() }
+
+query predicate grapeHeaders(GrapeHeadersSource headers) { any() }
+
+query predicate grapeRequest(GrapeRequestSource request) { any() }
--- a/ruby/ql/test/library-tests/frameworks/grape/app.rb
+++ b/ruby/ql/test/library-tests/frameworks/grape/app.rb
@@ -0,0 +1,54 @@
+class MyAPI < Grape::API
+  version 'v1', using: :header, vendor: 'myapi'
+  format :json
+  prefix :api
+
+  desc 'Simple get endpoint'
+  get '/hello/:name' do
+    name = params[:name]
+    user_agent = headers['User-Agent']
+    "Hello #{name}!"
+  end
+  
+  desc 'Post endpoint with params'
+  params do
+    requires :message, type: String
+  end
+  post '/messages' do
+    msg = params[:message]
+    { status: 'received', message: msg }
+  end
+  
+  desc 'Put endpoint accessing request'
+  put '/update/:id' do
+    id = params[:id]
+    body = request.body.read
+    { id: id, body: body }
+  end
+  
+  desc 'Delete endpoint'  
+  delete '/items/:id' do
+    params[:id]
+  end
+  
+  desc 'Patch endpoint'
+  patch '/items/:id' do
+    params[:id]
+  end
+  
+  desc 'Head endpoint'
+  head '/status' do
+    # Just return status
+  end
+  
+  desc 'Options endpoint'
+  options '/info' do
+    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS'
+  end
+end
+
+class AdminAPI < Grape::API  
+  get '/admin' do
+    params[:token]
+  end
+end