Merge pull request #11575 from erik-krogh/kernelLoad

Rb: add Kernel methods as sinks to path-injection
2026-05-02 04:05:14 +02:00 · 2022-12-19 15:09:21 +01:00
parent 55a04e7ff8 d0af30b40a
commit f136651384
16 changed files with 168 additions and 87 deletions
--- a/ruby/ql/src/queries/meta/internal/TaintMetrics.qll
+++ b/ruby/ql/src/queries/meta/internal/TaintMetrics.qll
@@ -1,5 +1,5 @@
+private import ruby
 private import codeql.files.FileSystem
-private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.security.CodeInjectionCustomizations
 private import codeql.ruby.security.CommandInjectionCustomizations
@@ -34,6 +34,12 @@ DataFlow::Node relevantTaintSink(string kind) {
    kind = "UnsafeDeserialization" and result instanceof UnsafeDeserialization::Sink
    or
    kind = "UrlRedirect" and result instanceof UrlRedirect::Sink
+  ) and
+  // the sink is not a string literal
+  not exists(Ast::StringLiteral str |
+    str = result.asExpr().getExpr() and
+    // ensure there is no interpolation, as that is not a literal
+    not str.getComponent(_) instanceof Ast::StringInterpolationComponent
  )
 }

--- a/ruby/ql/src/queries/security/cwe-022/PathInjection.ql
+++ b/ruby/ql/src/queries/security/cwe-022/PathInjection.ql
@@ -15,9 +15,8 @@
 *       external/cwe/cwe-099
 */

-import codeql.ruby.AST
+import ruby
 import codeql.ruby.security.PathInjectionQuery
-import codeql.ruby.DataFlow
 import DataFlow::PathGraph

 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink