remove the "send(..)" and similar from unsafe-code-construction

2026-04-30 11:15:13 +02:00 · 2022-10-17 21:00:59 +02:00
parent f1668801d3
commit e7c6571f52
2 changed files with 6 additions and 1 deletions
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll
@@ -47,7 +47,8 @@ module UnsafeCodeConstruction {
    TypeTracker::TypeBackTracker t, Concepts::CodeExecution codeExec
  ) {
    t.start() and
-    result = codeExec.getCode().getALocalSource()
+    result = codeExec.getCode().getALocalSource() and
+    codeExec.runsArbitraryCode() // methods like `Object.send` is benign here, because of the string-construction the attacker cannot control the entire method name
    or
    exists(TypeTracker::TypeBackTracker t2 |
      result = getANodeExecutedAsCode(t2, codeExec).backtrack(t2, t)
--- a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb
+++ b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb
@@ -16,4 +16,8 @@ class Foobar
  def indirect_eval(x)
    eval(x) # OK - no construction.
  end
+
+  def send_stuff(x)
+    foo.send("foo_#{x}") # OK - attacker cannot control entire string.
+  end
 end