Merge pull request #11575 from erik-krogh/kernelLoad

Rb: add Kernel methods as sinks to path-injection
This commit is contained in:
Erik Krogh Kristensen
2022-12-19 15:09:21 +01:00
committed by GitHub
16 changed files with 168 additions and 87 deletions


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Calls to `Kernel.load`, `Kernel.require`, `Kernel.autoload` are now modeled as sinks for path injection.


@@ -97,6 +97,15 @@ class MethodCall extends Call instanceof MethodCallImpl {
* ```
*
* the result is `"bar"`.
*
* Super calls call a method with the same name as the current method, so
* the result for a super call is the name of the current method.
* E.g:
* ```rb
* def foo
* super # the result for this super call is "foo"
* end
* ```
*/
final string getMethodName() { result = super.getMethodNameImpl() }
@@ -201,6 +210,8 @@ class YieldCall extends Call instanceof YieldCallImpl {
*/
class SuperCall extends MethodCall instanceof SuperCallImpl {
final override string getAPrimaryQlClass() { result = "SuperCall" }
override string toString() { result = "super call to " + this.getMethodName() }
}
/**


@@ -78,12 +78,9 @@ class RegularMethodCall extends MethodCallImpl, TRegularMethodCall {
}
final override string getMethodNameImpl() {
isRegularMethodCall(g) and
(
result = "call" and not exists(g.getMethod())
or
result = g.getMethod().(Ruby::Token).getValue()
)
result = "call" and not exists(g.getMethod())
or
result = g.getMethod().(Ruby::Token).getValue()
}
final override Expr getArgumentImpl(int n) { toGenerated(result) = g.getArguments().getChild(n) }
@@ -115,12 +112,26 @@ class ElementReferenceImpl extends MethodCallImpl, TElementReference {
abstract class SuperCallImpl extends MethodCallImpl, TSuperCall { }
private Ruby::AstNode getSuperParent(Ruby::Super sup) {
result = sup
or
result = getSuperParent(sup).getParent() and
not result instanceof Ruby::Method
}
private string getSuperMethodName(Ruby::Super sup) {
exists(Ruby::Method meth |
meth = getSuperParent(sup).getParent() and
result = any(Method c | toGenerated(c) = meth).getName()
)
}
class TokenSuperCall extends SuperCallImpl, TTokenSuperCall {
private Ruby::Super g;
TokenSuperCall() { this = TTokenSuperCall(g) }
final override string getMethodNameImpl() { result = g.getValue() }
final override string getMethodNameImpl() { result = getSuperMethodName(g) }
final override Expr getReceiverImpl() { none() }
@@ -136,7 +147,7 @@ class RegularSuperCall extends SuperCallImpl, TRegularSuperCall {
RegularSuperCall() { this = TRegularSuperCall(g) }
final override string getMethodNameImpl() { result = g.getMethod().(Ruby::Super).getValue() }
final override string getMethodNameImpl() { result = getSuperMethodName(g.getMethod()) }
final override Expr getReceiverImpl() { none() }
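Review bot: `getSuperMethodName` stops the parent walk only at a `Ruby::Method`, so a `super` that is not lexically inside a plain `def` — inside a `define_method` block, or inside a singleton method (`def self.foo`), which tree-sitter presumably represents as a node kind other than `Ruby::Method` — walks up to the program node and yields no name at all. Before this change `getMethodNameImpl()` in `TokenSuperCall` and `RegularSuperCall` always had a result (the token value), so this is a silent regression for those calls, and `SuperCall.toString()` in the `MethodCall.qll` hunk (`"super call to " + this.getMethodName()`) has no result for them either. I would either widen the stop condition to the singleton-method node kind as well, or keep a fallback in both overrides, e.g. `result = getSuperMethodName(g) or not exists(getSuperMethodName(g)) and result = "super"`, and document in `getSuperMethodName`'s comment that it only resolves names for super calls lexically enclosed by a `def`. The removal of `isRegularMethodCall(g)` in the first hunk looks safe only if the class's characteristic predicate already implies it; that predicate is outside the hunk.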


@@ -24,9 +24,12 @@ module Kernel {
this.asExpr().getExpr() instanceof UnknownMethodCall and
(
this.getReceiver().asExpr().getExpr() instanceof SelfVariableAccess and
isPrivateKernelMethod(this.getMethodName())
isPrivateKernelMethod(super.getMethodName())
or
isPublicKernelMethod(this.getMethodName())
this.asExpr().getExpr() instanceof SuperCall and
isPrivateKernelMethod(super.getMethodName())
or
isPublicKernelMethod(super.getMethodName())
)
}
}
@@ -92,14 +95,14 @@ module Kernel {
* ```
* Ruby documentation: https://docs.ruby-lang.org/en/3.0.0/Kernel.html#method-i-system
*/
class KernelSystemCall extends SystemCommandExecution::Range, KernelMethodCall {
class KernelSystemCall extends SystemCommandExecution::Range instanceof KernelMethodCall {
KernelSystemCall() { this.getMethodName() = "system" }
override DataFlow::Node getAnArgument() { result = this.getArgument(_) }
override DataFlow::Node getAnArgument() { result = super.getArgument(_) }
override predicate isShellInterpreted(DataFlow::Node arg) {
// Kernel.system invokes a subshell if you provide a single string as argument
this.getNumberOfArguments() = 1 and arg = this.getAnArgument()
super.getNumberOfArguments() = 1 and arg = this.getAnArgument()
}
}
@@ -108,14 +111,14 @@ module Kernel {
* `Kernel.exec` takes the same argument forms as `Kernel.system`. See `KernelSystemCall` for details.
* Ruby documentation: https://docs.ruby-lang.org/en/3.0.0/Kernel.html#method-i-exec
*/
class KernelExecCall extends SystemCommandExecution::Range, KernelMethodCall {
class KernelExecCall extends SystemCommandExecution::Range instanceof KernelMethodCall {
KernelExecCall() { this.getMethodName() = "exec" }
override DataFlow::Node getAnArgument() { result = this.getArgument(_) }
override DataFlow::Node getAnArgument() { result = super.getArgument(_) }
override predicate isShellInterpreted(DataFlow::Node arg) {
// Kernel.exec invokes a subshell if you provide a single string as argument
this.getNumberOfArguments() = 1 and arg = this.getAnArgument()
super.getNumberOfArguments() = 1 and arg = this.getAnArgument()
}
}
@@ -129,14 +132,14 @@ module Kernel {
* spawn([env,] command... [,options]) -> pid
* ```
*/
class KernelSpawnCall extends SystemCommandExecution::Range, KernelMethodCall {
class KernelSpawnCall extends SystemCommandExecution::Range instanceof KernelMethodCall {
KernelSpawnCall() { this.getMethodName() = "spawn" }
override DataFlow::Node getAnArgument() { result = this.getArgument(_) }
override DataFlow::Node getAnArgument() { result = super.getArgument(_) }
override predicate isShellInterpreted(DataFlow::Node arg) {
// Kernel.spawn invokes a subshell if you provide a single string as argument
this.getNumberOfArguments() = 1 and arg = this.getAnArgument()
super.getNumberOfArguments() = 1 and arg = this.getAnArgument()
}
}
@@ -179,4 +182,19 @@ module Kernel {
preservesValue = true
}
}
/** A call to e.g. `Kernel.load` that accesses a file. */
private class KernelFileAccess extends FileSystemAccess::Range instanceof KernelMethodCall {
KernelFileAccess() {
super.getMethodName() = ["load", "require", "require_relative", "autoload", "autoload?"]
}
override DataFlow::Node getAPathArgument() {
result = super.getArgument(0) and
super.getMethodName() = ["load", "require", "require_relative"]
or
result = super.getArgument(1) and
super.getMethodName() = ["autoload", "autoload?"]
}
}
}
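Review bot: `KernelFileAccess.getAPathArgument()` treats argument 1 of `autoload?` as a path, but `Kernel#autoload?` takes a constant name (and, in newer Ruby versions, an `inherit` flag) and only queries the autoload registry — it never receives or opens a file path — so that disjunct is either dead or marks a boolean as a path sink. I would drop `"autoload?"` from both the characteristic predicate and the second disjunct, leaving `super.getMethodName() = "autoload"` for argument 1. The change note in this PR lists only `Kernel.load`, `Kernel.require` and `Kernel.autoload` while the class also models `require_relative`, so the note and the class comment should enumerate the same set; the class comment could also state the severity, e.g. `/** A call to `Kernel.load`, `Kernel.require`, `Kernel.require_relative` or `Kernel.autoload` that reads and evaluates a Ruby file; a user-controlled path here means code execution, not just a file read. */`. A style point: the characteristic predicates of `KernelSystemCall`, `KernelExecCall` and `KernelSpawnCall` keep `this.getMethodName()` while their bodies and the `StackTraceExposure` hunk switch to `super.getMethodName()`; using `super` throughout would be consistent with the new `instanceof` form.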


@@ -41,8 +41,8 @@ module StackTraceExposure {
/**
* A call to `Kernel#caller`, considered as a flow source.
*/
class KernelCallerCall extends Source, Kernel::KernelMethodCall {
KernelCallerCall() { this.getMethodName() = "caller" }
class KernelCallerCall extends Source instanceof Kernel::KernelMethodCall {
KernelCallerCall() { super.getMethodName() = "caller" }
}
/**


@@ -1,5 +1,5 @@
private import ruby
private import codeql.files.FileSystem
private import codeql.ruby.DataFlow
private import codeql.ruby.dataflow.RemoteFlowSources
private import codeql.ruby.security.CodeInjectionCustomizations
private import codeql.ruby.security.CommandInjectionCustomizations
@@ -34,6 +34,12 @@ DataFlow::Node relevantTaintSink(string kind) {
kind = "UnsafeDeserialization" and result instanceof UnsafeDeserialization::Sink
or
kind = "UrlRedirect" and result instanceof UrlRedirect::Sink
) and
// the sink is not a string literal
not exists(Ast::StringLiteral str |
str = result.asExpr().getExpr() and
// ensure there is no interpolation, as that is not a literal
not str.getComponent(_) instanceof Ast::StringInterpolationComponent
)
}
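Review bot: The new string-literal exclusion at the end of `relevantTaintSink` applies to every `kind`, not only to the path-injection sinks this PR introduces, so literal sinks of the other kinds visible here (`UnsafeDeserialization`, `UrlRedirect`, and the ones above the hunk) silently drop out of the test output as well; if the intent is only to suppress rows for `require "literal"`-style calls, the filter should be guarded by the relevant kind. The predicate's head and the earlier kinds lie outside the hunk. The existing comment says what the filter does but not why; I would expand it to `// exclude sinks that are plain string literals (no interpolation): they can never carry taint and would only add noise now that Kernel.load/require are sinks`, hedging as appropriate if that is not the actual motivation.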


@@ -15,9 +15,8 @@
* external/cwe/cwe-099
*/
import codeql.ruby.AST
import ruby
import codeql.ruby.security.PathInjectionQuery
import codeql.ruby.DataFlow
import DataFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink


@@ -496,30 +496,30 @@ calls/calls.rb:
# 279| getReceiver: [ConstantReadAccess] X
# 284| getStmt: [ClassDeclaration] MyClass
# 285| getStmt: [Method] my_method
# 286| getStmt: [SuperCall] call to super
# 287| getStmt: [SuperCall] call to super
# 288| getStmt: [SuperCall] call to super
# 286| getStmt: [SuperCall] super call to my_method
# 287| getStmt: [SuperCall] super call to my_method
# 288| getStmt: [SuperCall] super call to my_method
# 288| getArgument: [StringLiteral] "blah"
# 288| getComponent: [StringTextComponent] blah
# 289| getStmt: [SuperCall] call to super
# 289| getStmt: [SuperCall] super call to my_method
# 289| getArgument: [IntegerLiteral] 1
# 289| getArgument: [IntegerLiteral] 2
# 289| getArgument: [IntegerLiteral] 3
# 290| getStmt: [SuperCall] call to super
# 290| getStmt: [SuperCall] super call to my_method
# 290| getBlock: [BraceBlock] { ... }
# 290| getParameter: [SimpleParameter] x
# 290| getDefiningAccess: [LocalVariableAccess] x
# 290| getStmt: [AddExpr] ... + ...
# 290| getAnOperand/getLeftOperand/getReceiver: [LocalVariableAccess] x
# 290| getAnOperand/getArgument/getRightOperand: [IntegerLiteral] 1
# 291| getStmt: [SuperCall] call to super
# 291| getStmt: [SuperCall] super call to my_method
# 291| getBlock: [DoBlock] do ... end
# 291| getParameter: [SimpleParameter] x
# 291| getDefiningAccess: [LocalVariableAccess] x
# 291| getStmt: [MulExpr] ... * ...
# 291| getAnOperand/getLeftOperand/getReceiver: [LocalVariableAccess] x
# 291| getAnOperand/getArgument/getRightOperand: [IntegerLiteral] 2
# 292| getStmt: [SuperCall] call to super
# 292| getStmt: [SuperCall] super call to my_method
# 292| getArgument: [IntegerLiteral] 4
# 292| getArgument: [IntegerLiteral] 5
# 292| getBlock: [BraceBlock] { ... }
@@ -528,7 +528,7 @@ calls/calls.rb:
# 292| getStmt: [AddExpr] ... + ...
# 292| getAnOperand/getLeftOperand/getReceiver: [LocalVariableAccess] x
# 292| getAnOperand/getArgument/getRightOperand: [IntegerLiteral] 100
# 293| getStmt: [SuperCall] call to super
# 293| getStmt: [SuperCall] super call to my_method
# 293| getArgument: [IntegerLiteral] 6
# 293| getArgument: [IntegerLiteral] 7
# 293| getBlock: [DoBlock] do ... end
@@ -545,7 +545,7 @@ calls/calls.rb:
# 304| getStmt: [MethodCall] call to super
# 304| getReceiver: [SelfVariableAccess] self
# 305| getStmt: [MethodCall] call to super
# 305| getReceiver: [SuperCall] call to super
# 305| getReceiver: [SuperCall] super call to another_method
# 310| getStmt: [MethodCall] call to call
# 310| getReceiver: [MethodCall] call to foo
# 310| getReceiver: [SelfVariableAccess] self
@@ -646,7 +646,7 @@ calls/calls.rb:
# 328| getComponent: [StringTextComponent] error
# 331| getStmt: [Method] foo
# 331| getParameter: [ForwardParameter] ...
# 332| getStmt: [SuperCall] call to super
# 332| getStmt: [SuperCall] super call to foo
# 332| getArgument: [ForwardedArguments] ...
# 335| getStmt: [Method] foo
# 335| getParameter: [SimpleParameter] a
@@ -1293,7 +1293,7 @@ modules/classes.rb:
# 42| getStmt: [Method] length
# 43| getStmt: [MulExpr] ... * ...
# 43| getAnOperand/getLeftOperand/getReceiver: [IntegerLiteral] 100
# 43| getAnOperand/getArgument/getRightOperand: [SuperCall] call to super
# 43| getAnOperand/getArgument/getRightOperand: [SuperCall] super call to length
# 46| getStmt: [Method] wibble
# 47| getStmt: [MethodCall] call to puts
# 47| getReceiver: [SelfVariableAccess] self


@@ -1,8 +1,8 @@
callsWithNoReceiverArgumentsOrBlock
| calls.rb:31:3:31:7 | yield ... | (none) |
| calls.rb:286:5:286:9 | call to super | super |
| calls.rb:287:5:287:11 | call to super | super |
| calls.rb:305:5:305:9 | call to super | super |
| calls.rb:286:5:286:9 | super call to my_method | my_method |
| calls.rb:287:5:287:11 | super call to my_method | my_method |
| calls.rb:305:5:305:9 | super call to another_method | another_method |
| calls.rb:345:9:345:13 | call to novar | novar |
callsWithArguments
| calls.rb:14:1:14:11 | call to foo | foo | 0 | calls.rb:14:5:14:5 | 0 |
@@ -34,17 +34,17 @@ callsWithArguments
| calls.rb:275:1:275:13 | call to foo | foo | 0 | calls.rb:275:5:275:12 | ** ... |
| calls.rb:278:1:278:14 | call to foo | foo | 0 | calls.rb:278:5:278:13 | Pair |
| calls.rb:279:1:279:17 | call to foo | foo | 0 | calls.rb:279:5:279:16 | Pair |
| calls.rb:288:5:288:16 | call to super | super | 0 | calls.rb:288:11:288:16 | "blah" |
| calls.rb:289:5:289:17 | call to super | super | 0 | calls.rb:289:11:289:11 | 1 |
| calls.rb:289:5:289:17 | call to super | super | 1 | calls.rb:289:14:289:14 | 2 |
| calls.rb:289:5:289:17 | call to super | super | 2 | calls.rb:289:17:289:17 | 3 |
| calls.rb:288:5:288:16 | super call to my_method | my_method | 0 | calls.rb:288:11:288:16 | "blah" |
| calls.rb:289:5:289:17 | super call to my_method | my_method | 0 | calls.rb:289:11:289:11 | 1 |
| calls.rb:289:5:289:17 | super call to my_method | my_method | 1 | calls.rb:289:14:289:14 | 2 |
| calls.rb:289:5:289:17 | super call to my_method | my_method | 2 | calls.rb:289:17:289:17 | 3 |
| calls.rb:290:17:290:21 | ... + ... | + | 0 | calls.rb:290:21:290:21 | 1 |
| calls.rb:291:18:291:22 | ... * ... | * | 0 | calls.rb:291:22:291:22 | 2 |
| calls.rb:292:5:292:30 | call to super | super | 0 | calls.rb:292:11:292:11 | 4 |
| calls.rb:292:5:292:30 | call to super | super | 1 | calls.rb:292:14:292:14 | 5 |
| calls.rb:292:5:292:30 | super call to my_method | my_method | 0 | calls.rb:292:11:292:11 | 4 |
| calls.rb:292:5:292:30 | super call to my_method | my_method | 1 | calls.rb:292:14:292:14 | 5 |
| calls.rb:292:22:292:28 | ... + ... | + | 0 | calls.rb:292:26:292:28 | 100 |
| calls.rb:293:5:293:33 | call to super | super | 0 | calls.rb:293:11:293:11 | 6 |
| calls.rb:293:5:293:33 | call to super | super | 1 | calls.rb:293:14:293:14 | 7 |
| calls.rb:293:5:293:33 | super call to my_method | my_method | 0 | calls.rb:293:11:293:11 | 6 |
| calls.rb:293:5:293:33 | super call to my_method | my_method | 1 | calls.rb:293:14:293:14 | 7 |
| calls.rb:293:23:293:29 | ... + ... | + | 0 | calls.rb:293:27:293:29 | 200 |
| calls.rb:311:1:311:7 | call to call | call | 0 | calls.rb:311:6:311:6 | 1 |
| calls.rb:314:1:314:8 | call to foo= | foo= | 0 | calls.rb:314:12:314:13 | ... = ... |
@@ -91,7 +91,7 @@ callsWithArguments
| calls.rb:320:21:320:31 | ... + ... | + | 0 | calls.rb:320:31:320:31 | 1 |
| calls.rb:320:34:320:35 | ... * ... | * | 0 | calls.rb:320:37:320:37 | 2 |
| calls.rb:328:25:328:37 | call to print | print | 0 | calls.rb:328:31:328:37 | "error" |
| calls.rb:332:3:332:12 | call to super | super | 0 | calls.rb:332:9:332:11 | ... |
| calls.rb:332:3:332:12 | super call to foo | foo | 0 | calls.rb:332:9:332:11 | ... |
| calls.rb:336:3:336:13 | call to bar | bar | 0 | calls.rb:336:7:336:7 | b |
| calls.rb:336:3:336:13 | call to bar | bar | 1 | calls.rb:336:10:336:12 | ... |
| calls.rb:340:5:340:5 | call to [] | [] | 0 | calls.rb:340:5:340:5 | 0 |
@@ -305,7 +305,7 @@ callsWithReceiver
| calls.rb:303:5:303:7 | call to foo | calls.rb:303:5:303:7 | self |
| calls.rb:303:5:303:13 | call to super | calls.rb:303:5:303:7 | call to foo |
| calls.rb:304:5:304:14 | call to super | calls.rb:304:5:304:8 | self |
| calls.rb:305:5:305:15 | call to super | calls.rb:305:5:305:9 | call to super |
| calls.rb:305:5:305:15 | call to super | calls.rb:305:5:305:9 | super call to another_method |
| calls.rb:310:1:310:3 | call to foo | calls.rb:310:1:310:3 | self |
| calls.rb:310:1:310:6 | call to call | calls.rb:310:1:310:3 | call to foo |
| calls.rb:311:1:311:3 | call to foo | calls.rb:311:1:311:3 | self |
@@ -398,10 +398,10 @@ callsWithBlock
| calls.rb:95:1:98:3 | call to foo | calls.rb:95:7:98:3 | do ... end |
| calls.rb:226:1:228:3 | call to each | calls.rb:226:1:228:3 | { ... } |
| calls.rb:229:1:231:3 | call to each | calls.rb:229:1:231:3 | { ... } |
| calls.rb:290:5:290:23 | call to super | calls.rb:290:11:290:23 | { ... } |
| calls.rb:291:5:291:26 | call to super | calls.rb:291:11:291:26 | do ... end |
| calls.rb:292:5:292:30 | call to super | calls.rb:292:16:292:30 | { ... } |
| calls.rb:293:5:293:33 | call to super | calls.rb:293:16:293:33 | do ... end |
| calls.rb:290:5:290:23 | super call to my_method | calls.rb:290:11:290:23 | { ... } |
| calls.rb:291:5:291:26 | super call to my_method | calls.rb:291:11:291:26 | do ... end |
| calls.rb:292:5:292:30 | super call to my_method | calls.rb:292:16:292:30 | { ... } |
| calls.rb:293:5:293:33 | super call to my_method | calls.rb:293:16:293:33 | do ... end |
| calls.rb:340:1:342:3 | call to each | calls.rb:340:1:342:3 | { ... } |
| calls.rb:364:1:364:23 | call to bar | calls.rb:364:15:364:23 | { ... } |
| calls.rb:364:1:364:23 | call to bar | calls.rb:364:15:364:23 | { ... } |
@@ -409,31 +409,31 @@ yieldCalls
| calls.rb:31:3:31:7 | yield ... |
| calls.rb:36:3:36:16 | yield ... |
superCalls
| calls.rb:286:5:286:9 | call to super |
| calls.rb:287:5:287:11 | call to super |
| calls.rb:288:5:288:16 | call to super |
| calls.rb:289:5:289:17 | call to super |
| calls.rb:290:5:290:23 | call to super |
| calls.rb:291:5:291:26 | call to super |
| calls.rb:292:5:292:30 | call to super |
| calls.rb:293:5:293:33 | call to super |
| calls.rb:305:5:305:9 | call to super |
| calls.rb:332:3:332:12 | call to super |
| calls.rb:286:5:286:9 | super call to my_method |
| calls.rb:287:5:287:11 | super call to my_method |
| calls.rb:288:5:288:16 | super call to my_method |
| calls.rb:289:5:289:17 | super call to my_method |
| calls.rb:290:5:290:23 | super call to my_method |
| calls.rb:291:5:291:26 | super call to my_method |
| calls.rb:292:5:292:30 | super call to my_method |
| calls.rb:293:5:293:33 | super call to my_method |
| calls.rb:305:5:305:9 | super call to another_method |
| calls.rb:332:3:332:12 | super call to foo |
superCallsWithArguments
| calls.rb:288:5:288:16 | call to super | 0 | calls.rb:288:11:288:16 | "blah" |
| calls.rb:289:5:289:17 | call to super | 0 | calls.rb:289:11:289:11 | 1 |
| calls.rb:289:5:289:17 | call to super | 1 | calls.rb:289:14:289:14 | 2 |
| calls.rb:289:5:289:17 | call to super | 2 | calls.rb:289:17:289:17 | 3 |
| calls.rb:292:5:292:30 | call to super | 0 | calls.rb:292:11:292:11 | 4 |
| calls.rb:292:5:292:30 | call to super | 1 | calls.rb:292:14:292:14 | 5 |
| calls.rb:293:5:293:33 | call to super | 0 | calls.rb:293:11:293:11 | 6 |
| calls.rb:293:5:293:33 | call to super | 1 | calls.rb:293:14:293:14 | 7 |
| calls.rb:332:3:332:12 | call to super | 0 | calls.rb:332:9:332:11 | ... |
| calls.rb:288:5:288:16 | super call to my_method | 0 | calls.rb:288:11:288:16 | "blah" |
| calls.rb:289:5:289:17 | super call to my_method | 0 | calls.rb:289:11:289:11 | 1 |
| calls.rb:289:5:289:17 | super call to my_method | 1 | calls.rb:289:14:289:14 | 2 |
| calls.rb:289:5:289:17 | super call to my_method | 2 | calls.rb:289:17:289:17 | 3 |
| calls.rb:292:5:292:30 | super call to my_method | 0 | calls.rb:292:11:292:11 | 4 |
| calls.rb:292:5:292:30 | super call to my_method | 1 | calls.rb:292:14:292:14 | 5 |
| calls.rb:293:5:293:33 | super call to my_method | 0 | calls.rb:293:11:293:11 | 6 |
| calls.rb:293:5:293:33 | super call to my_method | 1 | calls.rb:293:14:293:14 | 7 |
| calls.rb:332:3:332:12 | super call to foo | 0 | calls.rb:332:9:332:11 | ... |
superCallsWithBlock
| calls.rb:290:5:290:23 | call to super | calls.rb:290:11:290:23 | { ... } |
| calls.rb:291:5:291:26 | call to super | calls.rb:291:11:291:26 | do ... end |
| calls.rb:292:5:292:30 | call to super | calls.rb:292:16:292:30 | { ... } |
| calls.rb:293:5:293:33 | call to super | calls.rb:293:16:293:33 | do ... end |
| calls.rb:290:5:290:23 | super call to my_method | calls.rb:290:11:290:23 | { ... } |
| calls.rb:291:5:291:26 | super call to my_method | calls.rb:291:11:291:26 | do ... end |
| calls.rb:292:5:292:30 | super call to my_method | calls.rb:292:16:292:30 | { ... } |
| calls.rb:293:5:293:33 | super call to my_method | calls.rb:293:16:293:33 | do ... end |
setterCalls
| calls.rb:314:1:314:8 | call to foo= |
| calls.rb:315:1:315:6 | call to []= |


@@ -3049,9 +3049,9 @@ cfg.rb:
#-----| -> exit print (normal)
# 147| self
#-----| -> call to super
#-----| -> super call to print
# 147| call to super
# 147| super call to print
#-----| -> call to print
# 147| call to print


@@ -31,7 +31,7 @@ callsWithNoArguments
| cfg.rb:138:17:138:23 | * ... |
| cfg.rb:141:1:141:8 | call to itself |
| cfg.rb:143:10:143:21 | call to itself |
| cfg.rb:147:10:147:14 | call to super |
| cfg.rb:147:10:147:14 | super call to print |
| cfg.rb:147:10:147:22 | call to print |
| cfg.rb:151:9:151:17 | call to new |
| cfg.rb:158:16:158:21 | * ... |


@@ -17,7 +17,7 @@ getTarget
| calls.rb:60:5:60:9 | call to new | calls.rb:117:5:117:16 | new |
| calls.rb:61:1:61:5 | call to baz | calls.rb:51:5:57:7 | baz |
| calls.rb:63:1:63:12 | call to instance_m | calls.rb:22:5:24:7 | instance_m |
| calls.rb:67:9:67:13 | call to super | calls.rb:51:5:57:7 | baz |
| calls.rb:67:9:67:13 | super call to baz | calls.rb:51:5:57:7 | baz |
| calls.rb:71:5:71:9 | call to new | calls.rb:117:5:117:16 | new |
| calls.rb:72:1:72:5 | call to baz | calls.rb:66:5:68:7 | baz |
| calls.rb:74:1:74:12 | call to instance_m | calls.rb:22:5:24:7 | instance_m |
@@ -236,7 +236,7 @@ getTarget
| calls.rb:620:9:620:16 | call to bar | calls.rb:622:5:623:7 | bar |
| calls.rb:620:9:620:16 | call to bar | calls.rb:628:5:630:7 | bar |
| calls.rb:627:5:627:20 | call to include | calls.rb:108:5:110:7 | include |
| calls.rb:629:9:629:13 | call to super | calls.rb:622:5:623:7 | bar |
| calls.rb:629:9:629:13 | super call to bar | calls.rb:622:5:623:7 | bar |
| calls.rb:635:9:635:14 | call to new | calls.rb:117:5:117:16 | new |
| calls.rb:639:1:639:14 | call to new | calls.rb:117:5:117:16 | new |
| calls.rb:639:1:639:14 | call to new | calls.rb:634:5:636:7 | new |
@@ -247,7 +247,7 @@ getTarget
| calls.rb:651:1:651:23 | call to instance | calls.rb:646:5:648:7 | instance |
| hello.rb:12:5:12:24 | call to include | calls.rb:108:5:110:7 | include |
| hello.rb:14:16:14:20 | call to hello | hello.rb:2:5:4:7 | hello |
| hello.rb:20:16:20:20 | call to super | hello.rb:13:5:15:7 | message |
| hello.rb:20:16:20:20 | super call to message | hello.rb:13:5:15:7 | message |
| hello.rb:20:30:20:34 | call to world | hello.rb:5:5:7:7 | world |
| instance_fields.rb:4:22:4:35 | call to new | calls.rb:117:5:117:16 | new |
| instance_fields.rb:7:13:7:25 | call to target | instance_fields.rb:12:5:13:7 | target |


@@ -687,7 +687,7 @@ enclosingMethod
| calls.rb:55:9:55:19 | self | calls.rb:51:5:57:7 | baz |
| calls.rb:56:9:56:12 | self | calls.rb:51:5:57:7 | baz |
| calls.rb:56:9:56:24 | call to singleton_m | calls.rb:51:5:57:7 | baz |
| calls.rb:67:9:67:13 | call to super | calls.rb:66:5:68:7 | baz |
| calls.rb:67:9:67:13 | super call to baz | calls.rb:66:5:68:7 | baz |
| calls.rb:76:18:76:18 | a | calls.rb:76:1:79:3 | optional_arg |
| calls.rb:76:18:76:18 | a | calls.rb:76:1:79:3 | optional_arg |
| calls.rb:76:22:76:22 | 4 | calls.rb:76:1:79:3 | optional_arg |
@@ -1016,7 +1016,7 @@ enclosingMethod
| calls.rb:610:9:610:18 | self | calls.rb:609:5:611:7 | call_singleton1 |
| calls.rb:620:9:620:12 | self | calls.rb:619:5:621:7 | foo |
| calls.rb:620:9:620:16 | call to bar | calls.rb:619:5:621:7 | foo |
| calls.rb:629:9:629:13 | call to super | calls.rb:628:5:630:7 | bar |
| calls.rb:629:9:629:13 | super call to bar | calls.rb:628:5:630:7 | bar |
| calls.rb:635:9:635:10 | C1 | calls.rb:634:5:636:7 | new |
| calls.rb:635:9:635:14 | call to new | calls.rb:634:5:636:7 | new |
| calls.rb:643:9:643:12 | self | calls.rb:642:5:644:7 | new |
@@ -1035,7 +1035,7 @@ enclosingMethod
| hello.rb:14:16:14:20 | call to hello | hello.rb:13:5:15:7 | message |
| hello.rb:14:16:14:20 | self | hello.rb:13:5:15:7 | message |
| hello.rb:20:9:20:40 | return | hello.rb:19:5:21:7 | message |
| hello.rb:20:16:20:20 | call to super | hello.rb:19:5:21:7 | message |
| hello.rb:20:16:20:20 | super call to message | hello.rb:19:5:21:7 | message |
| hello.rb:20:16:20:26 | ... + ... | hello.rb:19:5:21:7 | message |
| hello.rb:20:16:20:34 | ... + ... | hello.rb:19:5:21:7 | message |
| hello.rb:20:16:20:40 | ... + ... | hello.rb:19:5:21:7 | message |


@@ -606,7 +606,7 @@ enclosingModule
| calls.rb:65:1:69:3 | D | calls.rb:1:1:651:24 | calls.rb |
| calls.rb:65:11:65:11 | C | calls.rb:1:1:651:24 | calls.rb |
| calls.rb:66:5:68:7 | baz | calls.rb:65:1:69:3 | D |
| calls.rb:67:9:67:13 | call to super | calls.rb:65:1:69:3 | D |
| calls.rb:67:9:67:13 | super call to baz | calls.rb:65:1:69:3 | D |
| calls.rb:71:1:71:1 | d | calls.rb:1:1:651:24 | calls.rb |
| calls.rb:71:1:71:9 | ... = ... | calls.rb:1:1:651:24 | calls.rb |
| calls.rb:71:5:71:5 | D | calls.rb:1:1:651:24 | calls.rb |
@@ -1522,7 +1522,7 @@ enclosingModule
| calls.rb:627:5:627:20 | self | calls.rb:626:1:631:3 | IncludesIncluded |
| calls.rb:627:13:627:20 | Included | calls.rb:626:1:631:3 | IncludesIncluded |
| calls.rb:628:5:630:7 | bar | calls.rb:626:1:631:3 | IncludesIncluded |
| calls.rb:629:9:629:13 | call to super | calls.rb:626:1:631:3 | IncludesIncluded |
| calls.rb:629:9:629:13 | super call to bar | calls.rb:626:1:631:3 | IncludesIncluded |
| calls.rb:633:1:637:3 | CustomNew1 | calls.rb:1:1:651:24 | calls.rb |
| calls.rb:634:5:636:7 | new | calls.rb:633:1:637:3 | CustomNew1 |
| calls.rb:634:9:634:12 | self | calls.rb:633:1:637:3 | CustomNew1 |
@@ -1565,7 +1565,7 @@ enclosingModule
| hello.rb:18:20:18:27 | Greeting | hello.rb:1:1:22:3 | hello.rb |
| hello.rb:19:5:21:7 | message | hello.rb:18:1:22:3 | HelloWorld |
| hello.rb:20:9:20:40 | return | hello.rb:18:1:22:3 | HelloWorld |
| hello.rb:20:16:20:20 | call to super | hello.rb:18:1:22:3 | HelloWorld |
| hello.rb:20:16:20:20 | super call to message | hello.rb:18:1:22:3 | HelloWorld |
| hello.rb:20:16:20:26 | ... + ... | hello.rb:18:1:22:3 | HelloWorld |
| hello.rb:20:16:20:34 | ... + ... | hello.rb:18:1:22:3 | HelloWorld |
| hello.rb:20:16:20:40 | ... + ... | hello.rb:18:1:22:3 | HelloWorld |


@@ -43,6 +43,13 @@ edges
| tainted_path.rb:77:12:77:53 | call to new : | tainted_path.rb:79:14:79:17 | path |
| tainted_path.rb:77:40:77:45 | call to params : | tainted_path.rb:77:40:77:52 | ...[...] : |
| tainted_path.rb:77:40:77:52 | ...[...] : | tainted_path.rb:77:12:77:53 | call to new : |
| tainted_path.rb:84:12:84:53 | call to new : | tainted_path.rb:85:10:85:13 | path |
| tainted_path.rb:84:12:84:53 | call to new : | tainted_path.rb:86:25:86:28 | path |
| tainted_path.rb:84:40:84:45 | call to params : | tainted_path.rb:84:40:84:52 | ...[...] : |
| tainted_path.rb:84:40:84:52 | ...[...] : | tainted_path.rb:84:12:84:53 | call to new : |
| tainted_path.rb:90:12:90:53 | call to new : | tainted_path.rb:92:11:92:14 | path |
| tainted_path.rb:90:40:90:45 | call to params : | tainted_path.rb:90:40:90:52 | ...[...] : |
| tainted_path.rb:90:40:90:52 | ...[...] : | tainted_path.rb:90:12:90:53 | call to new : |
nodes
| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params : | semmle.label | call to params : |
| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] : | semmle.label | ...[...] : |
@@ -102,6 +109,15 @@ nodes
| tainted_path.rb:77:40:77:52 | ...[...] : | semmle.label | ...[...] : |
| tainted_path.rb:78:19:78:22 | path | semmle.label | path |
| tainted_path.rb:79:14:79:17 | path | semmle.label | path |
| tainted_path.rb:84:12:84:53 | call to new : | semmle.label | call to new : |
| tainted_path.rb:84:40:84:45 | call to params : | semmle.label | call to params : |
| tainted_path.rb:84:40:84:52 | ...[...] : | semmle.label | ...[...] : |
| tainted_path.rb:85:10:85:13 | path | semmle.label | path |
| tainted_path.rb:86:25:86:28 | path | semmle.label | path |
| tainted_path.rb:90:12:90:53 | call to new : | semmle.label | call to new : |
| tainted_path.rb:90:40:90:45 | call to params : | semmle.label | call to params : |
| tainted_path.rb:90:40:90:52 | ...[...] : | semmle.label | ...[...] : |
| tainted_path.rb:92:11:92:14 | path | semmle.label | path |
subpaths
#select
| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params : | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | This path depends on a $@. | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | user-provided value |
@@ -119,3 +135,6 @@ subpaths
| tainted_path.rb:72:15:72:18 | path | tainted_path.rb:71:40:71:45 | call to params : | tainted_path.rb:72:15:72:18 | path | This path depends on a $@. | tainted_path.rb:71:40:71:45 | call to params | user-provided value |
| tainted_path.rb:78:19:78:22 | path | tainted_path.rb:77:40:77:45 | call to params : | tainted_path.rb:78:19:78:22 | path | This path depends on a $@. | tainted_path.rb:77:40:77:45 | call to params | user-provided value |
| tainted_path.rb:79:14:79:17 | path | tainted_path.rb:77:40:77:45 | call to params : | tainted_path.rb:79:14:79:17 | path | This path depends on a $@. | tainted_path.rb:77:40:77:45 | call to params | user-provided value |
| tainted_path.rb:85:10:85:13 | path | tainted_path.rb:84:40:84:45 | call to params : | tainted_path.rb:85:10:85:13 | path | This path depends on a $@. | tainted_path.rb:84:40:84:45 | call to params | user-provided value |
| tainted_path.rb:86:25:86:28 | path | tainted_path.rb:84:40:84:45 | call to params : | tainted_path.rb:86:25:86:28 | path | This path depends on a $@. | tainted_path.rb:84:40:84:45 | call to params | user-provided value |
| tainted_path.rb:92:11:92:14 | path | tainted_path.rb:90:40:90:45 | call to params : | tainted_path.rb:92:11:92:14 | path | This path depends on a $@. | tainted_path.rb:90:40:90:45 | call to params | user-provided value |


@@ -78,4 +78,17 @@ class FooController < ActionController::Base
bla (Dir.glob path)
bla (Dir[path])
end
# BAD
def route13
path = ActiveStorage::Filename.new(params[:path])
load(path)
autoload(:MyModule, path)
end
def require_relative()
path = ActiveStorage::Filename.new(params[:path])
puts "Debug: require_relative(#{path})"
super(path)
end
end
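Review bot: The new cases exercise `load`, `autoload` and a `super` call from an overriding `require_relative`, but nothing covers plain `require` or `autoload?`, both of which `Kernel.qll` now adds as sinks, and nothing exercises a `super` inside a singleton method or a `define_method` block, where the new super-name resolution has no enclosing `def` to find. I would add one case per modeled method so the expected output pins each row. The `require_relative` method also lacks the `# BAD` marker the neighbouring cases carry; add `# BAD` above `def require_relative()`. The enclosing `FooController` class opens outside the hunk.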