mirror of
https://github.com/github/codeql.git
synced 2025-12-19 18:33:16 +01:00
69 lines
1.5 KiB
Ruby
69 lines
1.5 KiB
Ruby
class FooController < ActionController::Base
|
|
# BAD
|
|
def route0
|
|
path = params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.absolute_path preserves taint
|
|
def route1
|
|
path = File.absolute_path params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.dirname preserves taint
|
|
def route2
|
|
path = "#{File.dirname(params[:path])}/foo"
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.expand_path preserves taint
|
|
def route3
|
|
path = File.expand_path params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.path preserves taint
|
|
def route4
|
|
path = File.path params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.realdirpath preserves taint
|
|
def route5
|
|
path = File.realdirpath params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.realpath preserves taint
|
|
def route6
|
|
path = File.realpath params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - tainted arguments in any position propagate to the return value of
|
|
# File.join
|
|
def route7
|
|
path = File.join("foo", "bar", "baz", params[:path], "qux")
|
|
@content = File.read path
|
|
end
|
|
|
|
# GOOD - File.basename does not preserve taint
|
|
def route8
|
|
path = File.basename params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD
|
|
def route9
|
|
path = ActiveStorage::Filename.new(params[:path])
|
|
@content = File.read path
|
|
end
|
|
|
|
# GOOD - explicitly sanitized
|
|
def route10
|
|
path = ActiveStorage::Filename.new(params[:path]).sanitized
|
|
@content = File.read path
|
|
end
|
|
end
|