Ruby: add test for ActiveStorage.Filename.new

2026-04-29 02:35:15 +02:00 · 2022-02-11 20:01:19 +01:00
parent 70c083fa64
commit e6a3747656
2 changed files with 15 additions and 1 deletions
--- a/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected
+++ b/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected
@@ -22,6 +22,9 @@ edges
 | tainted_path.rb:47:12:47:63 | call to join :  | tainted_path.rb:48:26:48:29 | path |
 | tainted_path.rb:47:43:47:48 | call to params :  | tainted_path.rb:47:43:47:55 | ...[...] :  |
 | tainted_path.rb:47:43:47:55 | ...[...] :  | tainted_path.rb:47:12:47:63 | call to join :  |
+| tainted_path.rb:59:12:59:53 | call to new :  | tainted_path.rb:60:26:60:29 | path |
+| tainted_path.rb:59:40:59:45 | call to params :  | tainted_path.rb:59:40:59:52 | ...[...] :  |
+| tainted_path.rb:59:40:59:52 | ...[...] :  | tainted_path.rb:59:12:59:53 | call to new :  |
 nodes
 | tainted_path.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
 | tainted_path.rb:4:12:4:24 | ...[...] :  | semmle.label | ...[...] :  |
@@ -54,6 +57,10 @@ nodes
 | tainted_path.rb:47:43:47:48 | call to params :  | semmle.label | call to params :  |
 | tainted_path.rb:47:43:47:55 | ...[...] :  | semmle.label | ...[...] :  |
 | tainted_path.rb:48:26:48:29 | path | semmle.label | path |
+| tainted_path.rb:59:12:59:53 | call to new :  | semmle.label | call to new :  |
+| tainted_path.rb:59:40:59:45 | call to params :  | semmle.label | call to params :  |
+| tainted_path.rb:59:40:59:52 | ...[...] :  | semmle.label | ...[...] :  |
+| tainted_path.rb:60:26:60:29 | path | semmle.label | path |
 subpaths
 #select
 | tainted_path.rb:5:26:5:29 | path | tainted_path.rb:4:12:4:17 | call to params :  | tainted_path.rb:5:26:5:29 | path | This path depends on $@. | tainted_path.rb:4:12:4:17 | call to params | a user-provided value |
@@ -64,3 +71,4 @@ subpaths
 | tainted_path.rb:35:26:35:29 | path | tainted_path.rb:34:29:34:34 | call to params :  | tainted_path.rb:35:26:35:29 | path | This path depends on $@. | tainted_path.rb:34:29:34:34 | call to params | a user-provided value |
 | tainted_path.rb:41:26:41:29 | path | tainted_path.rb:40:26:40:31 | call to params :  | tainted_path.rb:41:26:41:29 | path | This path depends on $@. | tainted_path.rb:40:26:40:31 | call to params | a user-provided value |
 | tainted_path.rb:48:26:48:29 | path | tainted_path.rb:47:43:47:48 | call to params :  | tainted_path.rb:48:26:48:29 | path | This path depends on $@. | tainted_path.rb:47:43:47:48 | call to params | a user-provided value |
+| tainted_path.rb:60:26:60:29 | path | tainted_path.rb:59:40:59:45 | call to params :  | tainted_path.rb:60:26:60:29 | path | This path depends on $@. | tainted_path.rb:59:40:59:45 | call to params | a user-provided value |
--- a/ruby/ql/test/query-tests/security/cwe-022/tainted_path.rb
+++ b/ruby/ql/test/query-tests/security/cwe-022/tainted_path.rb
@@ -54,8 +54,14 @@ class FooController < ActionController::Base
    @content = File.read path
  end

-  # GOOD - explicitly sanitized
+  # BAD
  def route9
+    path = ActiveStorage::Filename.new(params[:path])
+    @content = File.read path
+  end
+
+  # GOOD - explicitly sanitized
+  def route10
    path = ActiveStorage::Filename.new(params[:path]).sanitized
    @content = File.read path
  end