Skip to content
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Commit df90b99

Browse files
asgerfasgerf
authoredSep 8, 2022
Merge pull request #10348 from RasmusWL/ruby-fix
Ruby: Fix ActiveResource HTTP client request modeling
2 parents 57bf92a + 978c165 commit df90b99

File tree

1 file changed

+22
-16
lines changed

1 file changed

+22
-16
lines changed
 

‎ruby/ql/lib/codeql/ruby/frameworks/ActiveResource.qll‎

Lines changed: 22 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -215,35 +215,37 @@ module ActiveResource {
215215
Collection getCollection() { result = this.getReceiver() }
216216
}
217217

218-
private class ModelClassMethodCallAsHttpRequest extends HTTP::Client::Request::Range {
219-
ModelClassMethodCall call;
218+
private class ModelClassMethodCallAsHttpRequest extends HTTP::Client::Request::Range,
219+
ModelClassMethodCall {
220220
ModelClass cls;
221221

222222
ModelClassMethodCallAsHttpRequest() {
223-
this = call.asExpr().getExpr() and
224-
call.getModelClass() = cls and
225-
call.getMethodName() = ["all", "build", "create", "create!", "find", "first", "last"]
223+
this.getModelClass() = cls and
224+
this.getMethodName() = ["all", "build", "create", "create!", "find", "first", "last"]
226225
}
227226

228227
override string getFramework() { result = "ActiveResource" }
229228

230-
override predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
231-
cls.disablesCertificateValidation(disablingNode)
229+
override predicate disablesCertificateValidation(
230+
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
231+
) {
232+
cls.disablesCertificateValidation(disablingNode) and
233+
// TODO: highlight real argument origin
234+
argumentOrigin = disablingNode
232235
}
233236

234237
override DataFlow::Node getAUrlPart() { result = cls.getASiteAssignment().getAUrlPart() }
235238

236-
override DataFlow::Node getResponseBody() { result = call }
239+
override DataFlow::Node getResponseBody() { result = this }
237240
}
238241

239-
private class ModelInstanceMethodCallAsHttpRequest extends HTTP::Client::Request::Range {
240-
ModelInstanceMethodCall call;
242+
private class ModelInstanceMethodCallAsHttpRequest extends HTTP::Client::Request::Range,
243+
ModelInstanceMethodCall {
241244
ModelClass cls;
242245

243246
ModelInstanceMethodCallAsHttpRequest() {
244-
this = call.asExpr().getExpr() and
245-
call.getModelClass() = cls and
246-
call.getMethodName() =
247+
this.getModelClass() = cls and
248+
this.getMethodName() =
247249
[
248250
"exists?", "reload", "save", "save!", "destroy", "delete", "get", "patch", "post", "put",
249251
"update_attribute", "update_attributes"
@@ -252,13 +254,17 @@ module ActiveResource {
252254

253255
override string getFramework() { result = "ActiveResource" }
254256

255-
override predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
256-
cls.disablesCertificateValidation(disablingNode)
257+
override predicate disablesCertificateValidation(
258+
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
259+
) {
260+
cls.disablesCertificateValidation(disablingNode) and
261+
// TODO: highlight real argument origin
262+
argumentOrigin = disablingNode
257263
}
258264

259265
override DataFlow::Node getAUrlPart() { result = cls.getASiteAssignment().getAUrlPart() }
260266

261-
override DataFlow::Node getResponseBody() { result = call }
267+
override DataFlow::Node getResponseBody() { result = this }
262268
}
263269

264270
/**

0 commit comments

Comments
 (0)
Please sign in to comment.