Improve Mysql2 test

2026-02-24 02:43:40 +01:00 · 2026-02-17 15:30:10 +00:00
parent 1d7a39a093
commit fc429c1757
3 changed files with 23 additions and 4 deletions
--- a/ruby/ql/test/library-tests/frameworks/mysql2/Mysql2.rb
+++ b/ruby/ql/test/library-tests/frameworks/mysql2/Mysql2.rb
@@ -1,6 +1,6 @@
 class UsersController < ActionController::Base
  def mysql2_handler(event:, context:)
-    name = params[:user_name]
+    name = params[:user_name] # $ Source[rb/sql-injection]

    conn = Mysql2::Client.new(
        host: "127.0.0.1",
@@ -10,7 +10,7 @@ class UsersController < ActionController::Base
    results1 = conn.query("SELECT * FROM users")

    # BAD: SQL statement constructed from user input
-    results2 = conn.query("SELECT * FROM users WHERE username='#{name}'")
+    results2 = conn.query("SELECT * FROM users WHERE username='#{name}'") # $ Alert[rb/sql-injection]

    # GOOD: user input is escaped
    escaped = Mysql2::Client.escape(name)
@@ -21,10 +21,10 @@ class UsersController < ActionController::Base
    results4 = statement1.execute(1, name, :as => :array)

    # BAD: SQL statement constructed from user input
-    statement2 = conn.prepare("SELECT * FROM users WHERE username='#{name}' AND password = ?")
+    statement2 = conn.prepare("SELECT * FROM users WHERE username='#{name}' AND password = ?") # $ Alert[rb/sql-injection]
    results4 = statement2.execute("password", :as => :array)

    # NOT EXECUTED
    statement3 = conn.prepare("SELECT * FROM users WHERE username = ?")
  end
-end
+end
--- a/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.expected
+++ b/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.expected
@@ -0,0 +1,15 @@
+#select
+| Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | This SQL query depends on a $@. | Mysql2.rb:3:12:3:17 | call to params | user-provided value |
+| Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | This SQL query depends on a $@. | Mysql2.rb:3:12:3:17 | call to params | user-provided value |
+edges
+| Mysql2.rb:3:5:3:8 | name | Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | provenance | AdditionalTaintStep |
+| Mysql2.rb:3:5:3:8 | name | Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | provenance | AdditionalTaintStep |
+| Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:3:12:3:29 | ...[...] | provenance |  |
+| Mysql2.rb:3:12:3:29 | ...[...] | Mysql2.rb:3:5:3:8 | name | provenance |  |
+nodes
+| Mysql2.rb:3:5:3:8 | name | semmle.label | name |
+| Mysql2.rb:3:12:3:17 | call to params | semmle.label | call to params |
+| Mysql2.rb:3:12:3:29 | ...[...] | semmle.label | ...[...] |
+| Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | semmle.label | "SELECT * FROM users WHERE use..." |
+| Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | semmle.label | "SELECT * FROM users WHERE use..." |
+subpaths
--- a/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.qlref
+++ b/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.qlref
@@ -0,0 +1,4 @@
+query: queries/security/cwe-089/SqlInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql