Skip to content

Ruby: Model Mime::Type #9918

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Aug 4, 2022
Merged

Ruby: Model Mime::Type #9918

merged 7 commits into from
Aug 4, 2022

Conversation

hmac
Copy link
Contributor

@hmac hmac commented Jul 28, 2022
edited
Loading

Mime::Type#match? and Mime::Type#=~ convert their argument to a regular expression, so they're relevant for queries like ReDoS. This PR adds modeling for Mime::Type so we recognise instances of it and consider arguments these two methods to be regular expressions.

hmac added 3 commits July 29, 2022 10:44
@hmac
Ruby: Reorganise ActionDispatch framework
c29eb81 
Put routing modelling inside a Routing module.
@hmac
Ruby: Make isInterpretedAsRegExp extensible
b7be25e 
This allows frameworks to add new instances where a node is interpreted
as a regular expression. We introduce a class
RegExpInterpretation::Range that represents these nodes. In the future
we may want to make this a full Concept, but it's not necessary at the
moment.
@hmac
Ruby: Model Mime::Type
f42d333 
Add type summaries to recognise instances of Mime::Type, and recognise
arguments to Mime::Type.match? and Mime::Type.=~ as regular expression
interpretations.
@github-actions github-actions bot added the Ruby label Jul 28, 2022
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 28, 2022
View reviewed changes
@hmac hmac marked this pull request as ready for review July 29, 2022 06:02
@hmac hmac requested a review from a team as a code owner July 29, 2022 06:02
aibaars
aibaars previously approved these changes Aug 1, 2022
View reviewed changes
Copy link
Contributor

@aibaars aibaars left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Let's add a change note and fix the QLDoc warning.

ruby/ql/lib/codeql/ruby/Regexp.qll Outdated
/**
* Holds if `source` may be interpreted as a regular expression.
* Nodes interpreted as regular expressions via various standard library methods.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's address The QLDoc for a class should start with 'A', 'An', or 'The'. warning.

ruby/ql/lib/codeql/ruby/frameworks/ActionDispatch.qll
row =
[
// Mime[type] : Mime::Type (omitted)
// Method names with brackets like [] cannot be represented in MaD.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@asgerf Is there a way to escape [ and ] symbols in a member name?

@hmac hmac merged commit 74d529d into github:main Aug 4, 2022
@hmac hmac deleted the hmac/mime-type-match branch August 4, 2022 23:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aibaars aibaars aibaars approved these changes

Assignees

@aibaars aibaars

Labels
documentation Ruby
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hmac @aibaars