Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 8fed9f9

Browse files
alexrfordalexrford
committed
Ruby: ActiveRecord - match OrmWriteAccesses for assignements to the assignment node rather than the setter call
1 parent 6ddacce commit 8fed9f9

2 files changed

Lines changed: 13 additions & 6 deletions

File tree

ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -483,14 +483,21 @@ private module Persistence {
483483
* as an `OrmWriteAccess` to avoid missing cases where the path to a
484484
* subsequent write is not clear.
485485
*/
486-
private class AssignAttributeCall extends DataFlow::CallNode, ActiveRecordInstanceMethodCall,
487-
OrmWriteAccess::Range {
488-
AssignAttributeCall() { this.asExpr().getExpr() instanceof SetterMethodCall }
486+
private class AssignAttribute extends DataFlow::Node, OrmWriteAccess::Range {
487+
private DataFlow::CallNode setter;
488+
private ExprNodes::AssignExprCfgNode assignNode;
489+
490+
AssignAttribute() {
491+
assignNode = this.asExpr() and
492+
setter.getArgument(0) = this and
493+
setter instanceof ActiveRecordInstanceMethodCall and
494+
setter.asExpr().getExpr() instanceof SetterMethodCall
495+
}
489496

490497
override string getFieldNameAssignedTo(DataFlow::Node value) {
491-
result + "=" = this.getMethodName() and
498+
result + "=" = setter.getMethodName() and
492499
// match RHS
493-
this.getArgument(0).asExpr().(ExprNodes::AssignExprCfgNode).getRhs() = value.asExpr()
500+
assignNode.getRhs() = value.asExpr()
494501
}
495502
}
496503
}

ruby/ql/test/library-tests/frameworks/Orm.expected

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,4 +13,4 @@
1313
| app/controllers/users/users_controller.rb:20:7:20:57 | call to update_attributes | name | app/controllers/users/users_controller.rb:20:37:20:41 | "U12" |
1414
| app/controllers/users/users_controller.rb:20:7:20:57 | call to update_attributes | uid | app/controllers/users/users_controller.rb:20:49:20:55 | call to get_uid |
1515
| app/controllers/users/users_controller.rb:23:7:23:42 | call to update_attribute | name | app/controllers/users/users_controller.rb:23:37:23:41 | "U13" |
16-
| app/controllers/users/users_controller.rb:26:7:26:15 | call to name= | name | app/controllers/users/users_controller.rb:26:19:26:23 | "U14" |
16+
| app/controllers/users/users_controller.rb:26:7:26:15 | ... = ... | name | app/controllers/users/users_controller.rb:26:19:26:23 | "U14" |

0 commit comments

Comments
 (0)