Merge pull request #12360 from kaspersv/kaspersv/actioncontroller-prevent-bad-join

ActionController: Prevent bad join
Kasper Svendsen
2023-03-03 13:38:33 +01:00
committed by GitHub


@@ -520,15 +520,15 @@ ActionControllerClass getAssociatedControllerClass(ErbFile f) {
* templates in `app/views/` and `app/views/layouts/`.
*/
predicate controllerTemplateFile(ActionControllerClass cls, ErbFile templateFile) {
exists(string templatesPath, string sourcePrefix, string subPath, string controllerPath |
exists(string sourcePrefix, string subPath, string controllerPath |
controllerPath = cls.getLocation().getFile().getRelativePath() and
templatesPath = templateFile.getParentContainer().getRelativePath() and
// `sourcePrefix` is either a prefix path ending in a slash, or empty if
// the rails app is at the source root
sourcePrefix = [controllerPath.regexpCapture("^(.*/)app/controllers/(?:.*?)/(?:[^/]*)$", 1), ""] and
controllerPath = sourcePrefix + "app/controllers/" + subPath + "_controller.rb" and
(
templatesPath = sourcePrefix + "app/views/" + subPath or
sourcePrefix + "app/views/" + subPath = templateFile.getParentContainer().getRelativePath()
or
templateFile.getRelativePath().matches(sourcePrefix + "app/views/layouts/" + subPath + "%")
)
)
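Review bot: The inlined comparison `sourcePrefix + "app/views/" + subPath = templateFile.getParentContainer().getRelativePath()` has no comment explaining why the parent path is no longer bound to a local variable. A later cleanup could therefore reintroduce `templatesPath`, and with it presumably the join problem the commit title refers to. A short comment above that disjunct would record the intent, for example `// Compare inline; binding the parent path to a variable first produced a bad join order.` The predicate's closing brace lies outside the hunk, so this is based on the visible body only.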