Ruby: use DeduplicatePathGraph in CodeInjection query

github · Dec 11, 2024 · f9c0ba3 · f9c0ba3
1 parent 815581d
commit f9c0ba3
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 80 deletions.
diff --git a/ruby/ql/src/queries/security/cwe-094/CodeInjection.ql b/ruby/ql/src/queries/security/cwe-094/CodeInjection.ql
@@ -16,20 +16,9 @@
 
 private import codeql.ruby.AST
 private import codeql.ruby.security.CodeInjectionQuery
-import CodeInjectionFlow::PathGraph
+import DataFlow::DeduplicatePathGraph<CodeInjectionFlow::PathNode, CodeInjectionFlow::PathGraph>
 
-from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Source sourceNode
-where
-  CodeInjectionFlow::flowPath(source, sink) and
-  sourceNode = source.getNode() and
-  // removing duplications of the same path, but different flow-labels.
-  sink =
-    min(CodeInjectionFlow::PathNode otherSink |
-      CodeInjectionFlow::flowPath(any(CodeInjectionFlow::PathNode s | s.getNode() = sourceNode),
-        otherSink) and
-      otherSink.getNode() = sink.getNode()
-    |
-      otherSink order by otherSink.getState().getStringRepresentation()
-    )
-select sink.getNode(), source, sink, "This code execution depends on a $@.", sourceNode,
+from PathNode source, PathNode sink
+where CodeInjectionFlow::flowPath(source.getAnOriginalPathNode(), sink.getAnOriginalPathNode())
+select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
   "user-provided value"
diff --git a/ruby/ql/test/query-tests/security/cwe-094/CodeInjection/CodeInjection.expected b/ruby/ql/test/query-tests/security/cwe-094/CodeInjection/CodeInjection.expected
@@ -1,98 +1,60 @@
-edges
-| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:8:10:8:13 | code | provenance |  |
-| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:8:10:8:13 | code | provenance |  |
-| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:20:20:20:23 | code | provenance |  |
-| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:20:20:20:23 | code | provenance |  |
-| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:23:21:23:24 | code | provenance |  |
-| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:23:21:23:24 | code | provenance |  |
-| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:29:15:29:18 | code | provenance |  |
-| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:32:19:32:22 | code | provenance |  |
-| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:38:24:38:27 | code | provenance |  |
-| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:38:24:38:27 | code | provenance |  |
-| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:41:40:41:43 | code | provenance |  |
-| CodeInjection.rb:5:12:5:17 | call to params | CodeInjection.rb:5:12:5:24 | ...[...] | provenance |  |
-| CodeInjection.rb:5:12:5:17 | call to params | CodeInjection.rb:5:12:5:24 | ...[...] | provenance |  |
-| CodeInjection.rb:5:12:5:24 | ...[...] | CodeInjection.rb:5:5:5:8 | code | provenance |  |
-| CodeInjection.rb:5:12:5:24 | ...[...] | CodeInjection.rb:5:5:5:8 | code | provenance |  |
-| CodeInjection.rb:38:24:38:27 | code | CodeInjection.rb:38:10:38:28 | call to escape | provenance | MaD:21 |
-| CodeInjection.rb:38:24:38:27 | code | CodeInjection.rb:38:10:38:28 | call to escape | provenance | MaD:21 |
-| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:80:16:80:19 | code | provenance |  |
-| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:86:10:86:37 | ... + ... | provenance |  |
-| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:86:22:86:25 | code | provenance |  |
-| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:88:10:88:32 | "prefix_#{...}_suffix" | provenance | AdditionalTaintStep |
-| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:90:10:90:13 | code | provenance |  |
-| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:90:10:90:13 | code | provenance |  |
-| CodeInjection.rb:78:12:78:17 | call to params | CodeInjection.rb:78:12:78:24 | ...[...] | provenance |  |
-| CodeInjection.rb:78:12:78:17 | call to params | CodeInjection.rb:78:12:78:24 | ...[...] | provenance |  |
-| CodeInjection.rb:78:12:78:24 | ...[...] | CodeInjection.rb:78:5:78:8 | code | provenance |  |
-| CodeInjection.rb:78:12:78:24 | ...[...] | CodeInjection.rb:78:5:78:8 | code | provenance |  |
-| CodeInjection.rb:86:10:86:25 | ... + ... [element] | CodeInjection.rb:86:10:86:37 | ... + ... | provenance |  |
-| CodeInjection.rb:86:22:86:25 | code | CodeInjection.rb:86:10:86:25 | ... + ... [element] | provenance |  |
-| CodeInjection.rb:101:3:102:5 | self in index [@foo] | CodeInjection.rb:111:3:113:5 | self in baz [@foo] | provenance |  |
-| CodeInjection.rb:101:3:102:5 | self in index [@foo] | CodeInjection.rb:111:3:113:5 | self in baz [@foo] | provenance |  |
-| CodeInjection.rb:105:5:105:8 | [post] self [@foo] | CodeInjection.rb:108:3:109:5 | self in bar [@foo] | provenance |  |
-| CodeInjection.rb:105:5:105:8 | [post] self [@foo] | CodeInjection.rb:108:3:109:5 | self in bar [@foo] | provenance |  |
-| CodeInjection.rb:105:12:105:17 | call to params | CodeInjection.rb:105:12:105:23 | ...[...] | provenance |  |
-| CodeInjection.rb:105:12:105:17 | call to params | CodeInjection.rb:105:12:105:23 | ...[...] | provenance |  |
-| CodeInjection.rb:105:12:105:23 | ...[...] | CodeInjection.rb:105:5:105:8 | [post] self [@foo] | provenance |  |
-| CodeInjection.rb:105:12:105:23 | ...[...] | CodeInjection.rb:105:5:105:8 | [post] self [@foo] | provenance |  |
-| CodeInjection.rb:108:3:109:5 | self in bar [@foo] | CodeInjection.rb:101:3:102:5 | self in index [@foo] | provenance |  |
-| CodeInjection.rb:108:3:109:5 | self in bar [@foo] | CodeInjection.rb:101:3:102:5 | self in index [@foo] | provenance |  |
-| CodeInjection.rb:111:3:113:5 | self in baz [@foo] | CodeInjection.rb:112:10:112:13 | self [@foo] | provenance |  |
-| CodeInjection.rb:111:3:113:5 | self in baz [@foo] | CodeInjection.rb:112:10:112:13 | self [@foo] | provenance |  |
-| CodeInjection.rb:112:10:112:13 | self [@foo] | CodeInjection.rb:112:10:112:13 | @foo | provenance |  |
-| CodeInjection.rb:112:10:112:13 | self [@foo] | CodeInjection.rb:112:10:112:13 | @foo | provenance |  |
 nodes
 | CodeInjection.rb:5:5:5:8 | code | semmle.label | code |
-| CodeInjection.rb:5:5:5:8 | code | semmle.label | code |
-| CodeInjection.rb:5:12:5:17 | call to params | semmle.label | call to params |
 | CodeInjection.rb:5:12:5:17 | call to params | semmle.label | call to params |
 | CodeInjection.rb:5:12:5:24 | ...[...] | semmle.label | ...[...] |
-| CodeInjection.rb:5:12:5:24 | ...[...] | semmle.label | ...[...] |
-| CodeInjection.rb:8:10:8:13 | code | semmle.label | code |
 | CodeInjection.rb:8:10:8:13 | code | semmle.label | code |
 | CodeInjection.rb:11:10:11:15 | call to params | semmle.label | call to params |
-| CodeInjection.rb:11:10:11:15 | call to params | semmle.label | call to params |
 | CodeInjection.rb:20:20:20:23 | code | semmle.label | code |
-| CodeInjection.rb:20:20:20:23 | code | semmle.label | code |
-| CodeInjection.rb:23:21:23:24 | code | semmle.label | code |
 | CodeInjection.rb:23:21:23:24 | code | semmle.label | code |
 | CodeInjection.rb:29:15:29:18 | code | semmle.label | code |
 | CodeInjection.rb:32:19:32:22 | code | semmle.label | code |
 | CodeInjection.rb:38:10:38:28 | call to escape | semmle.label | call to escape |
-| CodeInjection.rb:38:10:38:28 | call to escape | semmle.label | call to escape |
-| CodeInjection.rb:38:24:38:27 | code | semmle.label | code |
 | CodeInjection.rb:38:24:38:27 | code | semmle.label | code |
 | CodeInjection.rb:41:40:41:43 | code | semmle.label | code |
 | CodeInjection.rb:78:5:78:8 | code | semmle.label | code |
-| CodeInjection.rb:78:5:78:8 | code | semmle.label | code |
-| CodeInjection.rb:78:12:78:17 | call to params | semmle.label | call to params |
 | CodeInjection.rb:78:12:78:17 | call to params | semmle.label | call to params |
 | CodeInjection.rb:78:12:78:24 | ...[...] | semmle.label | ...[...] |
-| CodeInjection.rb:78:12:78:24 | ...[...] | semmle.label | ...[...] |
 | CodeInjection.rb:80:16:80:19 | code | semmle.label | code |
 | CodeInjection.rb:86:10:86:25 | ... + ... [element] | semmle.label | ... + ... [element] |
 | CodeInjection.rb:86:10:86:37 | ... + ... | semmle.label | ... + ... |
 | CodeInjection.rb:86:22:86:25 | code | semmle.label | code |
 | CodeInjection.rb:88:10:88:32 | "prefix_#{...}_suffix" | semmle.label | "prefix_#{...}_suffix" |
 | CodeInjection.rb:90:10:90:13 | code | semmle.label | code |
-| CodeInjection.rb:90:10:90:13 | code | semmle.label | code |
-| CodeInjection.rb:101:3:102:5 | self in index [@foo] | semmle.label | self in index [@foo] |
 | CodeInjection.rb:101:3:102:5 | self in index [@foo] | semmle.label | self in index [@foo] |
 | CodeInjection.rb:105:5:105:8 | [post] self [@foo] | semmle.label | [post] self [@foo] |
-| CodeInjection.rb:105:5:105:8 | [post] self [@foo] | semmle.label | [post] self [@foo] |
-| CodeInjection.rb:105:12:105:17 | call to params | semmle.label | call to params |
 | CodeInjection.rb:105:12:105:17 | call to params | semmle.label | call to params |
 | CodeInjection.rb:105:12:105:23 | ...[...] | semmle.label | ...[...] |
-| CodeInjection.rb:105:12:105:23 | ...[...] | semmle.label | ...[...] |
 | CodeInjection.rb:108:3:109:5 | self in bar [@foo] | semmle.label | self in bar [@foo] |
-| CodeInjection.rb:108:3:109:5 | self in bar [@foo] | semmle.label | self in bar [@foo] |
-| CodeInjection.rb:111:3:113:5 | self in baz [@foo] | semmle.label | self in baz [@foo] |
 | CodeInjection.rb:111:3:113:5 | self in baz [@foo] | semmle.label | self in baz [@foo] |
 | CodeInjection.rb:112:10:112:13 | @foo | semmle.label | @foo |
-| CodeInjection.rb:112:10:112:13 | @foo | semmle.label | @foo |
-| CodeInjection.rb:112:10:112:13 | self [@foo] | semmle.label | self [@foo] |
 | CodeInjection.rb:112:10:112:13 | self [@foo] | semmle.label | self [@foo] |
+edges
+| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:8:10:8:13 | code | provenance |  |
+| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:20:20:20:23 | code | provenance |  |
+| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:23:21:23:24 | code | provenance |  |
+| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:29:15:29:18 | code | provenance |  |
+| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:32:19:32:22 | code | provenance |  |
+| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:38:24:38:27 | code | provenance |  |
+| CodeInjection.rb:5:5:5:8 | code | CodeInjection.rb:41:40:41:43 | code | provenance |  |
+| CodeInjection.rb:5:12:5:17 | call to params | CodeInjection.rb:5:12:5:24 | ...[...] | provenance |  |
+| CodeInjection.rb:5:12:5:24 | ...[...] | CodeInjection.rb:5:5:5:8 | code | provenance |  |
+| CodeInjection.rb:38:24:38:27 | code | CodeInjection.rb:38:10:38:28 | call to escape | provenance | MaD:21 |
+| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:80:16:80:19 | code | provenance |  |
+| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:86:10:86:37 | ... + ... | provenance |  |
+| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:86:22:86:25 | code | provenance |  |
+| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:88:10:88:32 | "prefix_#{...}_suffix" | provenance | AdditionalTaintStep |
+| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:90:10:90:13 | code | provenance |  |
+| CodeInjection.rb:78:12:78:17 | call to params | CodeInjection.rb:78:12:78:24 | ...[...] | provenance |  |
+| CodeInjection.rb:78:12:78:24 | ...[...] | CodeInjection.rb:78:5:78:8 | code | provenance |  |
+| CodeInjection.rb:86:10:86:25 | ... + ... [element] | CodeInjection.rb:86:10:86:37 | ... + ... | provenance |  |
+| CodeInjection.rb:86:22:86:25 | code | CodeInjection.rb:86:10:86:25 | ... + ... [element] | provenance |  |
+| CodeInjection.rb:101:3:102:5 | self in index [@foo] | CodeInjection.rb:111:3:113:5 | self in baz [@foo] | provenance |  |
+| CodeInjection.rb:105:5:105:8 | [post] self [@foo] | CodeInjection.rb:108:3:109:5 | self in bar [@foo] | provenance |  |
+| CodeInjection.rb:105:12:105:17 | call to params | CodeInjection.rb:105:12:105:23 | ...[...] | provenance |  |
+| CodeInjection.rb:105:12:105:23 | ...[...] | CodeInjection.rb:105:5:105:8 | [post] self [@foo] | provenance |  |
+| CodeInjection.rb:108:3:109:5 | self in bar [@foo] | CodeInjection.rb:101:3:102:5 | self in index [@foo] | provenance |  |
+| CodeInjection.rb:111:3:113:5 | self in baz [@foo] | CodeInjection.rb:112:10:112:13 | self [@foo] | provenance |  |
+| CodeInjection.rb:112:10:112:13 | self [@foo] | CodeInjection.rb:112:10:112:13 | @foo | provenance |  |
 subpaths
 #select
 | CodeInjection.rb:8:10:8:13 | code | CodeInjection.rb:5:12:5:17 | call to params | CodeInjection.rb:8:10:8:13 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |