Skip to content

Ruby: Add some missing Rails sinks #12493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Mar 14, 2023
Merged

Ruby: Add some missing Rails sinks #12493

merged 6 commits into from
Mar 14, 2023

Conversation

hmac
Copy link
Contributor

@hmac hmac commented Mar 12, 2023

  • Ruby: Add reorder as a SQL sink
  • Ruby: Add count_by_sql as SQL sink
  • Ruby: Taint flow through ActionController params
  • Ruby: ActiveRecord::Connection.execute SQL sink

hmac added 4 commits March 13, 2023 08:38
@hmac
Ruby: Add reorder as a SQL sink
c97dccf 
In recent versions of Rails this method doesn't seem to be vulnerable,
but it may be in previous versions. There's a slight FP risk here, but
I think it is small.
@hmac
Ruby: Add count_by_sql as SQL sink
2d95b6a
@hmac
Ruby: Taint flow through ActionController params
025cd34 
We were not recognising "require" as returning a Parameters instance.
@hmac
Ruby: ActiveRecord::Connection.execute SQL sink
fe995dd
@github-actions github-actions bot added the Ruby label Mar 12, 2023
@hmac hmac marked this pull request as ready for review March 13, 2023 05:58
@hmac hmac requested a review from a team as a code owner March 13, 2023 05:58
asgerf
asgerf reviewed Mar 13, 2023
View reviewed changes
Copy link
Contributor

@asgerf asgerf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A quick comment about the use of API graphs, but otherwise LGTM (but maybe get a second pair of eyes on the new sinks; I haven't looked at Ruby in a while)

ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll Outdated
Comment on lines 217 to 221
exists(DataFlow::CallNode executeCall |
executeCall.getReceiver() = activeRecordConnectionInstance() and
executeCall.getMethodName() = "execute" and
this = executeCall.getArgument(0) and
unsafeSqlExpr(this.asExpr().getExpr())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
exists(DataFlow::CallNode executeCall |
executeCall.getReceiver() = activeRecordConnectionInstance() and
executeCall.getMethodName() = "execute" and
this = executeCall.getArgument(0) and
unsafeSqlExpr(this.asExpr().getExpr())
this = activeRecordConnectionInstance().getAMethodCall("execute").getArgument(0) and
unsafeSqlExpr(this.asExpr().getExpr())

We get more benefit from global flow if we stay at the level of API nodes as long as possible before lowering to data-flow nodes.

ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll Outdated
Comment on lines 228 to 231
private DataFlow::Node activeRecordConnectionInstance() {
result = activeRecordClassApiNode().getAMethodCall("connection")
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
private DataFlow::Node activeRecordConnectionInstance() {
result = activeRecordClassApiNode().getAMethodCall("connection")
}
private API::Node activeRecordConnectionInstance() {
result = activeRecordClassApiNode().getReturn("connection")
}

alexrford
alexrford previously approved these changes Mar 13, 2023
View reviewed changes
Copy link
Contributor

@alexrford alexrford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM aside from Asger's suggestions.

@hmac hmac merged commit aaeb8a0 into github:main Mar 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asgerf asgerf asgerf approved these changes

@alexrford alexrford alexrford left review comments

Assignees
No one assigned
Labels
documentation Ruby
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hmac @asgerf @alexrford