From fc429c175799f150470f6dbdbaa8e20664187807 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Tue, 17 Feb 2026 15:30:10 +0000
Subject: [PATCH] Improve Mysql2 test

---
 .../library-tests/frameworks/mysql2/Mysql2.rb     |  8 ++++----
 .../frameworks/mysql2/SqlInjection.expected       | 15 +++++++++++++++
 .../frameworks/mysql2/SqlInjection.qlref          |  4 ++++
 3 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.expected
 create mode 100644 ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.qlref

diff --git a/ruby/ql/test/library-tests/frameworks/mysql2/Mysql2.rb b/ruby/ql/test/library-tests/frameworks/mysql2/Mysql2.rb
index b9b3b5a7b57..1294f161475 100644
--- a/ruby/ql/test/library-tests/frameworks/mysql2/Mysql2.rb
+++ b/ruby/ql/test/library-tests/frameworks/mysql2/Mysql2.rb
@@ -1,6 +1,6 @@
 class UsersController < ActionController::Base
   def mysql2_handler(event:, context:)
-    name = params[:user_name]
+    name = params[:user_name] # $ Source[rb/sql-injection]
 
     conn = Mysql2::Client.new(
         host: "127.0.0.1",
@@ -10,7 +10,7 @@ class UsersController < ActionController::Base
     results1 = conn.query("SELECT * FROM users")
 
     # BAD: SQL statement constructed from user input
-    results2 = conn.query("SELECT * FROM users WHERE username='#{name}'")
+    results2 = conn.query("SELECT * FROM users WHERE username='#{name}'") # $ Alert[rb/sql-injection]
 
     # GOOD: user input is escaped
     escaped = Mysql2::Client.escape(name)
@@ -21,10 +21,10 @@ class UsersController < ActionController::Base
     results4 = statement1.execute(1, name, :as => :array)
 
     # BAD: SQL statement constructed from user input
-    statement2 = conn.prepare("SELECT * FROM users WHERE username='#{name}' AND password = ?")
+    statement2 = conn.prepare("SELECT * FROM users WHERE username='#{name}' AND password = ?") # $ Alert[rb/sql-injection]
     results4 = statement2.execute("password", :as => :array)
 
     # NOT EXECUTED
     statement3 = conn.prepare("SELECT * FROM users WHERE username = ?")
   end
-end
\ No newline at end of file
+end
diff --git a/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.expected b/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.expected
new file mode 100644
index 00000000000..f29b1738394
--- /dev/null
+++ b/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.expected
@@ -0,0 +1,15 @@
+#select
+| Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | This SQL query depends on a $@. | Mysql2.rb:3:12:3:17 | call to params | user-provided value |
+| Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | This SQL query depends on a $@. | Mysql2.rb:3:12:3:17 | call to params | user-provided value |
+edges
+| Mysql2.rb:3:5:3:8 | name | Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | provenance | AdditionalTaintStep |
+| Mysql2.rb:3:5:3:8 | name | Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | provenance | AdditionalTaintStep |
+| Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:3:12:3:29 | ...[...] | provenance |  |
+| Mysql2.rb:3:12:3:29 | ...[...] | Mysql2.rb:3:5:3:8 | name | provenance |  |
+nodes
+| Mysql2.rb:3:5:3:8 | name | semmle.label | name |
+| Mysql2.rb:3:12:3:17 | call to params | semmle.label | call to params |
+| Mysql2.rb:3:12:3:29 | ...[...] | semmle.label | ...[...] |
+| Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | semmle.label | "SELECT * FROM users WHERE use..." |
+| Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | semmle.label | "SELECT * FROM users WHERE use..." |
+subpaths
diff --git a/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.qlref b/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.qlref
new file mode 100644
index 00000000000..ff400a718e2
--- /dev/null
+++ b/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.qlref
@@ -0,0 +1,4 @@
+query: queries/security/cwe-089/SqlInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql