Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit ba8ff07

Browse files
alexrfordalexrford
committed
Ruby: configsig rb/request-forgery
1 parent df91735 commit ba8ff07

2 files changed

Lines changed: 25 additions & 6 deletions

File tree

ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll

Lines changed: 22 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,8 +2,9 @@
22
* Provides a taint-tracking configuration for detecting
33
* "Server side request forgery" vulnerabilities.
44
*
5-
* Note, for performance reasons: only import this file if `Configuration` is needed,
6-
* otherwise `ServerSideRequestForgeryCustomizations` should be imported instead.
5+
* Note, for performance reasons: only import this file if
6+
* `ServerSideRequestForgeryFlow` is needed, otherwise
7+
* `ServerSideRequestForgeryCustomizations` should be imported instead.
78
*/
89

910
import codeql.ruby.DataFlow
@@ -14,8 +15,9 @@ import codeql.ruby.dataflow.BarrierGuards
1415
/**
1516
* A taint-tracking configuration for detecting
1617
* "Server side request forgery" vulnerabilities.
18+
* DEPRECATED: Use `ServerSideRequestForgeryFlow`
1719
*/
18-
class Configuration extends TaintTracking::Configuration {
20+
deprecated class Configuration extends TaintTracking::Configuration {
1921
Configuration() { this = "ServerSideRequestForgery" }
2022

2123
override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -32,3 +34,20 @@ class Configuration extends TaintTracking::Configuration {
3234
guard instanceof SanitizerGuard
3335
}
3436
}
37+
38+
private module ServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
39+
predicate isSource(DataFlow::Node source) { source instanceof Source }
40+
41+
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
42+
43+
predicate isBarrier(DataFlow::Node node) {
44+
node instanceof Sanitizer or
45+
node instanceof StringConstCompareBarrier or
46+
node instanceof StringConstArrayInclusionCallBarrier
47+
}
48+
}
49+
50+
/**
51+
* Taint-tracking for detecting "Server side request forgery" vulnerabilities.
52+
*/
53+
module ServerSideRequestForgeryFlow = TaintTracking::Global<ServerSideRequestForgeryConfig>;

ruby/ql/src/queries/security/cwe-918/ServerSideRequestForgery.ql

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -13,9 +13,9 @@
1313
import codeql.ruby.AST
1414
import codeql.ruby.DataFlow
1515
import codeql.ruby.security.ServerSideRequestForgeryQuery
16-
import DataFlow::PathGraph
16+
import ServerSideRequestForgeryFlow::PathGraph
1717

18-
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
19-
where config.hasFlowPath(source, sink)
18+
from ServerSideRequestForgeryFlow::PathNode source, ServerSideRequestForgeryFlow::PathNode sink
19+
where ServerSideRequestForgeryFlow::flowPath(source, sink)
2020
select sink.getNode(), source, sink, "The URL of this request depends on a $@.", source.getNode(),
2121
"user-provided value"

0 commit comments

Comments
 (0)