Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Ruby: Add support for Grape Framework #20427

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Ruby: Add support for Grape Framework #20427

wants to merge 10 commits into from
+604 −1

Conversation

felickz
Copy link
Contributor

@felickz felickz commented Sep 13, 2025
edited
Loading

This pull request adds modeling support for the Grape Ruby API framework to the CodeQL library. It introduces a new Grape.qll library that models Grape API classes, endpoints, and sources of user input such as parameters, headers, cookies, and route parameters.

Taint Source Description Example Usage
params Request parameters params[:user_id], params['name']
headers HTTP headers + DSL blocks headers[:Authorization], headers do...end
cookies HTTP cookies + DSL blocks cookies[:session_id], cookies do...end
route_param URL path parameters route_param(:user_id)
request HTTP request object request.body.read

The changes are validated with new framework and vulnerability tests and expected outputs, and Grape is now imported in the main Ruby frameworks library.

[1/1 comp 1m6s eval 21.3s] PASSED ruby\ql\test\library-tests\frameworks\grape\Grape.ql
Cleaning out existing ruby\ql\test\library-tests\frameworks\grape\grape.testproj.
Completed in 1m35s (extract 5.1s comp 1m6s eval 22.1s).
All 1 tests passed.
...

[1/1 comp 2.7s eval 26s] PASSED ruby\ql\test\query-tests\security\cwe-089\SqlInjection.qlref
Completed in 46.3s (extract 6.5s comp 2.7s eval 26.8s).
All 1 tests passed.

Vulnerable tests verified: https://github.com/vulna-felickz/ruby-grape-sqli/blob/main/app/api/potato_api.rb
image

@github-actions github-actions bot added the Ruby label Sep 13, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 13, 2025
View reviewed changes
@felickz felickz marked this pull request as ready for review September 16, 2025 02:02
@felickz felickz requested a review from a team as a code owner September 16, 2025 02:02
@Copilot Copilot AI review requested due to automatic review settings September 16, 2025 02:02
Copilot
Copilot AI reviewed Sep 16, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request introduces comprehensive CodeQL modeling support for the Ruby Grape API framework. The implementation identifies Grape API classes, their endpoints, and various sources of user input including parameters, headers, cookies, route parameters, and request objects.

Key changes:

  • New Grape.qll library with classes to model Grape API structure and taint sources
  • Framework integration by importing Grape in the main Ruby frameworks library
  • Comprehensive test coverage with vulnerability detection validation

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
ruby/ql/lib/codeql/ruby/frameworks/Grape.qll Core Grape framework modeling with API class detection and taint source definitions
ruby/ql/lib/codeql/ruby/Frameworks.qll Integration of Grape framework into main Ruby frameworks library
ruby/ql/test/library-tests/frameworks/grape/Grape.ql Query predicates for testing Grape framework modeling
ruby/ql/test/library-tests/frameworks/grape/app.rb Test application demonstrating various Grape API patterns
ruby/ql/test/library-tests/frameworks/grape/Grape.expected Expected test results for Grape framework modeling
ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb Additional vulnerability test cases using Grape taint sources
ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected Updated expected results including Grape-based SQL injection detection
ruby/ql/lib/change-notes/2025-09-15-grape-framework-support.md Release notes documenting the new Grape framework support

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 16, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Ruby
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@felickz