Make string interpolation sanitizer reusable

hmac · hmac · commit cd33e4d394e7 · 2021-11-19T11:28:08.000Z
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/Sanitizers.qll b/ruby/ql/lib/codeql/ruby/dataflow/Sanitizers.qll
@@ -0,0 +1,16 @@
+/** Provides commonly used dataflow sanitizers */
+
+private import codeql.ruby.AST
+private import codeql.ruby.DataFlow
+
+/**
+ * A sanitizer for flow into a string interpolation component,
+ * provided that component does not form a prefix of the string.
+ *
+ * This is useful for URLs and paths, where the fixed prefix prevents the user from controlling the target.
+ */
+class PrefixedStringInterpolation extends DataFlow::Node {
+  PrefixedStringInterpolation() {
+    exists(StringlikeLiteral str, int n | str.getComponent(n) = this.asExpr().getExpr() and n > 0)
+  }
+}
diff --git a/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
@@ -9,6 +9,7 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.Concepts
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.dataflow.BarrierGuards
+private import codeql.ruby.dataflow.Sanitizers
 
 /**
  * Provides default sources, sinks and sanitizers for detecting
@@ -103,11 +104,7 @@ module UrlRedirect {
    *
    * We currently don't catch these cases.
    */
-  class StringInterpolationAsSanitizer extends Sanitizer {
-    StringInterpolationAsSanitizer() {
-      exists(StringlikeLiteral str, int n | str.getComponent(n) = this.asExpr().getExpr() and n > 0)
-    }
-  }
+  class StringInterpolationAsSanitizer extends PrefixedStringInterpolation, Sanitizer { }
 
   /**
    * These methods return a new `ActionController::Parameters` or a `Hash` containing a subset of
