extend ActionController tests

2025-12-24 04:36:35 +01:00 · 2021-08-24 16:14:53 +01:00
parent 41ff10c908
commit d628716c42
4 changed files with 69 additions and 15 deletions
--- a/ql/src/codeql_ruby/frameworks/ActionController.qll
+++ b/ql/src/codeql_ruby/frameworks/ActionController.qll
@@ -127,12 +127,17 @@ class ParamsSource extends RemoteFlowSource::Range {
 // A call to `params` from within a controller.
 private class ActionControllerParamsCall extends ActionControllerContextCall, ParamsCall { }

+// A call to `render` from within a controller.
+private class ActionControllerRenderCall extends ActionControllerContextCall, RenderCall { }
+
 // A call to `render_to` from within a controller.
 private class ActionControllerRenderToCall extends ActionControllerContextCall, RenderToCall { }

 // A call to `html_safe` from within a controller.
 private class ActionControllerHtmlSafeCall extends HtmlSafeCall {
-  ActionControllerHtmlSafeCall() { this.getEnclosingModule() instanceof ActionControllerControllerClass }
+  ActionControllerHtmlSafeCall() {
+    this.getEnclosingModule() instanceof ActionControllerControllerClass
+  }
 }

 /**
@@ -155,13 +160,6 @@ class RedirectToCall extends ActionControllerContextCall {
  }
 }

-/**
- * A `SetterMethodCall` that assigns a value to the `response_body`.
- */
-class ResponseBodySetterCall extends SetterMethodCall {
-  ResponseBodySetterCall() { this.getMethodName() = "response_body=" }
-}
-
 /**
 * A method in an `ActionController` class that is accessible from within a view as a helper method.
 */
@@ -180,3 +178,16 @@ class ActionControllerHelperMethod extends Method {
  /** Gets the class containing this helper method. */
  ActionControllerControllerClass getControllerClass() { result = controllerClass }
 }
+
+/**
+ * Gets an `ActionControllerControllerClass` associated with the given `ErbFile`
+ * according to Rails path conventions.
+ */
+ActionControllerControllerClass getAssociatedControllerClass(ErbFile f) {
+  exists(string localPrefix, string sourcePrefix, string controllerPath |
+    controllerPath = result.getLocation().getFile().getAbsolutePath() and
+    sourcePrefix = f.getAbsolutePath().regexpCapture("^(.*)/app/views/(?:.*?)/(?:[^/]*)$", 1) and
+    localPrefix = f.getAbsolutePath().regexpCapture(".*/app/views/(.*?)/(?:[^/]*)$", 1) and
+    controllerPath = sourcePrefix + "/app/controllers/" + localPrefix + "_controller.rb"
+  )
+}
--- a/ql/src/codeql_ruby/frameworks/ActionView.qll
+++ b/ql/src/codeql_ruby/frameworks/ActionView.qll
@@ -43,16 +43,14 @@ class RawCall extends ActionViewContextCall {
  RawCall() { this.getMethodName() = "raw" }
 }

-/**
- * A call to the `params` method within the context of a template or view component.
- */
+// A call to the `params` method within the context of a template or view component.
 private class ActionViewParamsCall extends ActionViewContextCall, ParamsCall { }

 /**
 * A call to a `render` method that will populate the response body with the
 * rendered content.
 */
-class RenderCall extends ActionViewContextCall {
+abstract class RenderCall extends MethodCall {
  RenderCall() { this.getMethodName() = "render" }

  private string getWorkingDirectory() {
@@ -96,7 +94,7 @@ class RenderCall extends ActionViewContextCall {
  /**
   * Get the template file to be rendered by this call, if any.
   */
-  ErbFile getTemplate() { result.getAbsolutePath().matches(this.getTemplatePathPatterns()) }
+  ErbFile getTemplateFile() { result.getAbsolutePath().matches(this.getTemplatePathPatterns()) }

  /**
   * Get the local variables passed as context to the renderer
@@ -105,6 +103,9 @@ class RenderCall extends ActionViewContextCall {
  // TODO: implicit renders in controller actions
 }

+// A call to the `render` method within the context of a template or view component.
+private class ActionViewRenderCall extends RenderCall, ActionViewContextCall { }
+
 /**
 * A render call that does not automatically set the HTTP response body.
 */
--- a/ql/test/library-tests/frameworks/ActionController.expected
+++ b/ql/test/library-tests/frameworks/ActionController.expected
@@ -1,3 +1,40 @@
+actionControllerControllerClasses
 | ActiveRecordInjection.rb:27:1:58:3 | FooController |
 | ActiveRecordInjection.rb:60:1:90:3 | BarController |
 | ActiveRecordInjection.rb:92:1:96:3 | BazController |
+actionControllerActionMethods
+| ActiveRecordInjection.rb:32:3:57:5 | some_request_handler |
+| ActiveRecordInjection.rb:61:3:69:5 | some_other_request_handler |
+| ActiveRecordInjection.rb:71:3:89:5 | safe_paths |
+| ActiveRecordInjection.rb:93:3:95:5 | yet_another_handler |
+paramsCalls
+| ActiveRecordInjection.rb:35:30:35:35 | call to params |
+| ActiveRecordInjection.rb:39:30:39:35 | call to params |
+| ActiveRecordInjection.rb:43:32:43:37 | call to params |
+| ActiveRecordInjection.rb:48:21:48:26 | call to params |
+| ActiveRecordInjection.rb:54:34:54:39 | call to params |
+| ActiveRecordInjection.rb:56:23:56:28 | call to params |
+| ActiveRecordInjection.rb:56:38:56:43 | call to params |
+| ActiveRecordInjection.rb:62:10:62:15 | call to params |
+| ActiveRecordInjection.rb:72:11:72:16 | call to params |
+| ActiveRecordInjection.rb:77:12:77:17 | call to params |
+| ActiveRecordInjection.rb:83:12:83:17 | call to params |
+| ActiveRecordInjection.rb:88:15:88:20 | call to params |
+| ActiveRecordInjection.rb:94:22:94:27 | call to params |
+paramsSources
+| ActiveRecordInjection.rb:35:30:35:35 | call to params |
+| ActiveRecordInjection.rb:39:30:39:35 | call to params |
+| ActiveRecordInjection.rb:43:32:43:37 | call to params |
+| ActiveRecordInjection.rb:48:21:48:26 | call to params |
+| ActiveRecordInjection.rb:54:34:54:39 | call to params |
+| ActiveRecordInjection.rb:56:23:56:28 | call to params |
+| ActiveRecordInjection.rb:56:38:56:43 | call to params |
+| ActiveRecordInjection.rb:62:10:62:15 | call to params |
+| ActiveRecordInjection.rb:72:11:72:16 | call to params |
+| ActiveRecordInjection.rb:77:12:77:17 | call to params |
+| ActiveRecordInjection.rb:83:12:83:17 | call to params |
+| ActiveRecordInjection.rb:88:15:88:20 | call to params |
+| ActiveRecordInjection.rb:94:22:94:27 | call to params |
+redirectToCalls
+responseBodySetterCalls
+actionControllerHelperMethods
--- a/ql/test/library-tests/frameworks/ActionController.ql
+++ b/ql/test/library-tests/frameworks/ActionController.ql
@@ -1,4 +1,9 @@
-import codeql_ruby.controlflow.CfgNodes
 import codeql_ruby.frameworks.ActionController

-query predicate actionControllerControllerClasses(ActionControllerControllerClass cls) { any() }
+query predicate actionControllerControllerClasses(ActionControllerControllerClass cls) { any() }
+query predicate actionControllerActionMethods(ActionControllerActionMethod m) { any() }
+query predicate paramsCalls(ParamsCall c) { any() }
+query predicate paramsSources(ParamsSource src) { any() }
+query predicate redirectToCalls(RedirectToCall c) { any() }
+query predicate responseBodySetterCalls(ResponseBodySetterCall c) { any() }
+query predicate actionControllerHelperMethods(ActionControllerHelperMethod m) { any() }