Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit a4c42aa

Browse files
erik-krogherik-krogh
committed
more custom array steps from unsafe-code-construction to a utility predicate
1 parent 89d835b commit a4c42aa

2 files changed

Lines changed: 21 additions & 12 deletions

File tree

ruby/ql/lib/codeql/ruby/frameworks/core/Array.qll

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1815,6 +1815,25 @@ module Array {
18151815
preservesValue = true
18161816
}
18171817
}
1818+
1819+
/**
1820+
* Holds if there an array element `pred` might taint the array defined by `succ`.
1821+
* This is used for queries where we consider an entire array to be tainted if any of its elements are tainted.
1822+
*/
1823+
predicate taintedArrayObjectSteps(DataFlow::Node pred, DataFlow::Node succ) {
1824+
exists(DataFlow::CallNode call |
1825+
call.getMethodName() = ["<<", "push", "append"] and
1826+
call.getReceiver() = succ and
1827+
pred = call.getArgument(0) and
1828+
call.getNumberOfArguments() = 1
1829+
)
1830+
or
1831+
exists(DataFlow::CallNode call |
1832+
call.getMethodName() = "[]" and
1833+
succ = call and
1834+
pred = call.getArgument(_)
1835+
)
1836+
}
18181837
}
18191838

18201839
/**

ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll

Lines changed: 2 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@ import codeql.ruby.DataFlow
1010
import UnsafeCodeConstructionCustomizations::UnsafeCodeConstruction
1111
private import codeql.ruby.TaintTracking
1212
private import codeql.ruby.dataflow.BarrierGuards
13+
private import codeql.ruby.frameworks.core.Array
1314

1415
/**
1516
* A taint-tracking configuration for detecting code constructed from library input vulnerabilities.
@@ -33,17 +34,6 @@ class Configuration extends TaintTracking::Configuration {
3334

3435
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
3536
// if an array element gets tainted, then we treat the entire array as tainted
36-
exists(DataFlow::CallNode call |
37-
call.getMethodName() = ["<<", "push", "append"] and
38-
call.getReceiver() = succ and
39-
pred = call.getArgument(0) and
40-
call.getNumberOfArguments() = 1
41-
)
42-
or
43-
exists(DataFlow::CallNode call |
44-
call.getMethodName() = "[]" and
45-
succ = call and
46-
pred = call.getArgument(_)
47-
)
37+
Array::taintedArrayObjectSteps(pred, succ)
4838
}
4939
}

0 commit comments

Comments
 (0)