Ruby: Model ActionDispatch::Request#body_stream

2026-04-30 19:26:02 +02:00 · 2022-11-01 14:13:33 +13:00
parent 9f357837fa
commit d2c0250b41
3 changed files with 8 additions and 2 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -296,7 +296,7 @@ private module Request {

  /** A method call on `request` which returns the request body. */
  private class BodyCall extends RequestInputAccess {
-    BodyCall() { this.getMethodName() = ["body", "raw_post"] }
+    BodyCall() { this.getMethodName() = ["body", "raw_post", "body_stream"] }

    override Http::Server::RequestInputKind getKind() { result = Http::Server::bodyInputKind() }
  }
--- a/ruby/ql/test/library-tests/frameworks/action_controller/ActionController.expected
+++ b/ruby/ql/test/library-tests/frameworks/action_controller/ActionController.expected
@@ -1,5 +1,5 @@
 actionControllerControllerClasses
-| controllers/comments_controller.rb:1:1:49:3 | CommentsController |
+| controllers/comments_controller.rb:1:1:53:3 | CommentsController |
 | controllers/foo/bars_controller.rb:3:1:46:3 | BarsController |
 | controllers/photos_controller.rb:1:1:4:3 | PhotosController |
 | controllers/posts_controller.rb:1:1:10:3 | PostsController |
@@ -12,6 +12,7 @@ actionControllerActionMethods
 | controllers/comments_controller.rb:2:3:36:5 | index |
 | controllers/comments_controller.rb:38:3:44:5 | show |
 | controllers/comments_controller.rb:46:3:48:5 | photo |
+| controllers/comments_controller.rb:50:3:52:5 | destroy |
 | controllers/foo/bars_controller.rb:5:3:7:5 | index |
 | controllers/foo/bars_controller.rb:9:3:18:5 | show_debug |
 | controllers/foo/bars_controller.rb:20:3:24:5 | show |
@@ -160,6 +161,7 @@ httpInputAccesses
 | controllers/comments_controller.rb:7:5:7:28 | call to query_parameters | ActionDispatch::Request#query_parameters |
 | controllers/comments_controller.rb:8:5:8:30 | call to request_parameters | ActionDispatch::Request#request_parameters |
 | controllers/comments_controller.rb:9:5:9:31 | call to filtered_parameters | ActionDispatch::Request#filtered_parameters |
+| controllers/comments_controller.rb:51:12:51:30 | call to body_stream | ActionDispatch::Request#body_stream |
 | controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies | ActionController::Metal#cookies |
 | controllers/foo/bars_controller.rb:13:21:13:26 | call to params | ActionController::Metal#params |
 | controllers/foo/bars_controller.rb:14:10:14:15 | call to params | ActionController::Metal#params |
--- a/ruby/ql/test/library-tests/frameworks/action_controller/controllers/comments_controller.rb
+++ b/ruby/ql/test/library-tests/frameworks/action_controller/controllers/comments_controller.rb
@@ -46,4 +46,8 @@ class CommentsController < ApplicationController
  def photo
    send_data @photo
  end
+
+  def destroy
+    body = request.body_stream
+  end
 end