Merge pull request #11058 from hmac/actioncontroller-logger

Ruby: Model various ActionController methods
Harry Maclean 2022-11-17 08:21:00 +13:00 коммит произвёл GitHub
Родитель baaafadeb0 ed3270fb04
Коммит a6f6936719
17 изменённых файлов: 565 добавлений и 414 удалений


@ -0,0 +1,6 @@
---
category: minorAnalysis
---
* Calls to `logger` in `ActiveSupport` actions are now recognised as logger instances.
* Calls to `send_data` in `ActiveSupport` actions are recognised as HTTP responses.
* Calls to `body_stream` in `ActiveSupport` actions are recognised as HTTP request accesses.


@ -12,6 +12,7 @@ private import codeql.ruby.frameworks.ActionDispatch
private import codeql.ruby.frameworks.ActionView
private import codeql.ruby.frameworks.Rails
private import codeql.ruby.frameworks.internal.Rails
private import codeql.ruby.dataflow.internal.DataFlowDispatch
/**
* DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::ParamsCall` instead.
@ -295,7 +296,7 @@ private module Request {
/** A method call on `request` which returns the request body. */
private class BodyCall extends RequestInputAccess {
BodyCall() { this.getMethodName() = ["body", "raw_post"] }
BodyCall() { this.getMethodName() = ["body", "raw_post", "body_stream"] }
override Http::Server::RequestInputKind getKind() { result = Http::Server::bodyInputKind() }
}
@ -538,12 +539,34 @@ private class ActionControllerProtectFromForgeryCall extends CsrfProtectionSetti
/**
* A call to `send_file`, which sends the file at the given path to the client.
*/
private class SendFile extends FileSystemAccess::Range, DataFlow::CallNode {
private class SendFile extends FileSystemAccess::Range, Http::Server::HttpResponse::Range,
DataFlow::CallNode {
SendFile() {
this = [actionControllerInstance(), Response::response()].getAMethodCall("send_file")
}
override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
override DataFlow::Node getBody() { result = this.getArgument(0) }
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "application/octet-stream" }
}
/**
* A call to `send_data`, which sends the given data to the client.
*/
class SendDataCall extends DataFlow::CallNode, Http::Server::HttpResponse::Range {
SendDataCall() {
this = [actionControllerInstance(), Response::response()].getAMethodCall("send_data")
}
override DataFlow::Node getBody() { result = this.getArgument(0) }
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "application/octet-stream" }
}
private module ParamsSummaries {
@ -733,3 +756,28 @@ private module Response {
override DataFlow::Node getValue() { result = this.getArgument(0) }
}
}
private class ActionControllerLoggerInstance extends DataFlow::Node {
ActionControllerLoggerInstance() {
this = actionControllerInstance().getAMethodCall("logger")
or
any(ActionControllerLoggerInstance i).(DataFlow::LocalSourceNode).flowsTo(this)
}
}
private class ActionControllerLoggingCall extends DataFlow::CallNode, Logging::Range {
ActionControllerLoggingCall() {
this.getReceiver() instanceof ActionControllerLoggerInstance and
this.getMethodName() = ["debug", "error", "fatal", "info", "unknown", "warn"]
}
// Note: this is identical to the definition `stdlib.Logger.LoggerInfoStyleCall`.
override DataFlow::Node getAnInput() {
// `msg` from `Logger#info(msg)`,
// or `progname` from `Logger#info(progname) <block>`
result = this.getArgument(0)
or
// a return value from the block in `Logger#info(progname) <block>`
exprNodeReturnedFrom(result, this.getBlock().asExpr().getExpr())
}
}
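Review bot: `SendDataCall.getMimetypeOrContentTypeArg()` returns `none()`, but `send_data` accepts a `type:` keyword option that sets the response Content-Type, so a call such as `send_data body, type: "text/html"` is modelled as the `application/octet-stream` default and a downstream query that keys on the content type would presumably treat it as a non-HTML response. The new `getMimetypeOrContentTypeArg()` override added to `SendFile` in the preceding hunk has the same gap, since `send_file` takes the same option. I would change both to `override DataFlow::Node getMimetypeOrContentTypeArg() { result = this.getKeywordArgument("type") }` and leave `getMimetypeDefault()` as the fallback for calls that omit it. Separately, `SendDataCall` is the only non-`private` class in this block while `SendFile` stays private, and neither logger class carries QLDoc; a one-liner such as `/** A call to a logging method on the ActionController logger. */` on `ActionControllerLoggingCall` would match the file's style.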


@ -60,6 +60,14 @@ class StringReplaceSanitizer extends Sanitizer {
}
}
/**
* A call to `Object#inspect`, considered as a sanitizer.
* This is because `inspect` will replace newlines in strings with `\n`.
*/
class InspectSanitizer extends Sanitizer {
InspectSanitizer() { this.(DataFlow::CallNode).getMethodName() = "inspect" }
}
/**
* A call to an HTML escape method is considered to sanitize its input.
*/
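Review bot: `InspectSanitizer` matches every call whose method name is `inspect` regardless of receiver, but the justification in its QLDoc only holds for `String#inspect` and for containers that delegate to it; a user-defined `inspect` that interpolates raw attribute strings does not neutralise newlines, so treating such a call as a sanitizer is a possible false negative for log injection. If the broad match is intentional, I would state the assumption in the QLDoc, e.g. add ` * Any method named inspect is treated as a sanitizer; user-defined overrides that do not escape newlines are not distinguished.` after the second line of the comment. If it is not, restricting the match to zero-argument calls would at least exclude unrelated methods that happen to share the name.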


@ -1,410 +0,0 @@
actionControllerControllerClasses
| action_controller/input_access.rb:1:1:50:3 | UsersController |
| action_controller/params_flow.rb:1:1:162:3 | MyController |
| action_controller/params_flow.rb:170:1:178:3 | Subclass |
| active_record/ActiveRecord.rb:23:1:39:3 | FooController |
| active_record/ActiveRecord.rb:41:1:64:3 | BarController |
| active_record/ActiveRecord.rb:66:1:98:3 | BazController |
| active_record/ActiveRecord.rb:100:1:108:3 | AnnotatedController |
| active_storage/active_storage.rb:39:1:45:3 | PostsController2 |
| app/controllers/comments_controller.rb:1:1:40:3 | CommentsController |
| app/controllers/foo/bars_controller.rb:3:1:46:3 | BarsController |
| app/controllers/photos_controller.rb:1:1:4:3 | PhotosController |
| app/controllers/posts_controller.rb:1:1:10:3 | PostsController |
| app/controllers/tags_controller.rb:1:1:2:3 | TagsController |
| app/controllers/users/notifications_controller.rb:2:3:5:5 | Users::NotificationsController |
actionControllerActionMethods
| action_controller/input_access.rb:2:3:49:5 | index |
| action_controller/params_flow.rb:2:3:4:5 | m1 |
| action_controller/params_flow.rb:6:3:8:5 | m2 |
| action_controller/params_flow.rb:10:3:12:5 | m2 |
| action_controller/params_flow.rb:14:3:16:5 | m3 |
| action_controller/params_flow.rb:18:3:20:5 | m4 |
| action_controller/params_flow.rb:22:3:24:5 | m5 |
| action_controller/params_flow.rb:26:3:28:5 | m6 |
| action_controller/params_flow.rb:30:3:32:5 | m7 |
| action_controller/params_flow.rb:34:3:36:5 | m8 |
| action_controller/params_flow.rb:38:3:40:5 | m9 |
| action_controller/params_flow.rb:42:3:44:5 | m10 |
| action_controller/params_flow.rb:46:3:48:5 | m11 |
| action_controller/params_flow.rb:50:3:52:5 | m12 |
| action_controller/params_flow.rb:54:3:56:5 | m13 |
| action_controller/params_flow.rb:58:3:60:5 | m14 |
| action_controller/params_flow.rb:62:3:64:5 | m15 |
| action_controller/params_flow.rb:66:3:68:5 | m16 |
| action_controller/params_flow.rb:70:3:72:5 | m17 |
| action_controller/params_flow.rb:74:3:76:5 | m18 |
| action_controller/params_flow.rb:78:3:80:5 | m19 |
| action_controller/params_flow.rb:82:3:84:5 | m20 |
| action_controller/params_flow.rb:86:3:88:5 | m21 |
| action_controller/params_flow.rb:90:3:92:5 | m22 |
| action_controller/params_flow.rb:94:3:96:5 | m23 |
| action_controller/params_flow.rb:98:3:100:5 | m24 |
| action_controller/params_flow.rb:102:3:104:5 | m25 |
| action_controller/params_flow.rb:106:3:108:5 | m26 |
| action_controller/params_flow.rb:110:3:113:5 | m27 |
| action_controller/params_flow.rb:115:3:118:5 | m28 |
| action_controller/params_flow.rb:120:3:123:5 | m29 |
| action_controller/params_flow.rb:125:3:132:5 | m30 |
| action_controller/params_flow.rb:134:3:141:5 | m31 |
| action_controller/params_flow.rb:143:3:150:5 | m32 |
| action_controller/params_flow.rb:152:3:159:5 | m33 |
| action_controller/params_flow.rb:165:3:167:5 | m34 |
| action_controller/params_flow.rb:171:3:173:5 | m35 |
| active_record/ActiveRecord.rb:27:3:38:5 | some_request_handler |
| active_record/ActiveRecord.rb:42:3:47:5 | some_other_request_handler |
| active_record/ActiveRecord.rb:49:3:63:5 | safe_paths |
| active_record/ActiveRecord.rb:67:3:69:5 | yet_another_handler |
| active_record/ActiveRecord.rb:71:3:73:5 | create1 |
| active_record/ActiveRecord.rb:75:3:77:5 | create2 |
| active_record/ActiveRecord.rb:79:3:81:5 | create3 |
| active_record/ActiveRecord.rb:83:3:85:5 | create4 |
| active_record/ActiveRecord.rb:87:3:89:5 | update1 |
| active_record/ActiveRecord.rb:91:3:93:5 | update2 |
| active_record/ActiveRecord.rb:95:3:97:5 | update3 |
| active_record/ActiveRecord.rb:101:3:103:5 | index |
| active_record/ActiveRecord.rb:105:3:107:5 | unsafe_action |
| active_storage/active_storage.rb:40:3:44:5 | create |
| app/controllers/comments_controller.rb:2:3:36:5 | index |
| app/controllers/comments_controller.rb:38:3:39:5 | show |
| app/controllers/foo/bars_controller.rb:5:3:7:5 | index |
| app/controllers/foo/bars_controller.rb:9:3:18:5 | show_debug |
| app/controllers/foo/bars_controller.rb:20:3:24:5 | show |
| app/controllers/foo/bars_controller.rb:26:3:28:5 | go_back |
| app/controllers/foo/bars_controller.rb:30:3:32:5 | go_back_2 |
| app/controllers/foo/bars_controller.rb:34:3:39:5 | show_2 |
| app/controllers/photos_controller.rb:2:3:3:5 | show |
| app/controllers/posts_controller.rb:2:3:3:5 | index |
| app/controllers/posts_controller.rb:5:3:6:5 | show |
| app/controllers/posts_controller.rb:8:3:9:5 | upvote |
| app/controllers/users/notifications_controller.rb:3:5:4:7 | mark_as_read |
paramsCalls
| action_controller/params_flow.rb:3:10:3:15 | call to params |
| action_controller/params_flow.rb:7:10:7:15 | call to params |
| action_controller/params_flow.rb:11:10:11:15 | call to params |
| action_controller/params_flow.rb:15:10:15:15 | call to params |
| action_controller/params_flow.rb:19:10:19:15 | call to params |
| action_controller/params_flow.rb:23:10:23:15 | call to params |
| action_controller/params_flow.rb:27:10:27:15 | call to params |
| action_controller/params_flow.rb:31:10:31:15 | call to params |
| action_controller/params_flow.rb:35:10:35:15 | call to params |
| action_controller/params_flow.rb:39:10:39:15 | call to params |
| action_controller/params_flow.rb:43:10:43:15 | call to params |
| action_controller/params_flow.rb:47:10:47:15 | call to params |
| action_controller/params_flow.rb:51:10:51:15 | call to params |
| action_controller/params_flow.rb:55:10:55:15 | call to params |
| action_controller/params_flow.rb:59:10:59:15 | call to params |
| action_controller/params_flow.rb:63:10:63:15 | call to params |
| action_controller/params_flow.rb:67:10:67:15 | call to params |
| action_controller/params_flow.rb:71:10:71:15 | call to params |
| action_controller/params_flow.rb:75:10:75:15 | call to params |
| action_controller/params_flow.rb:79:10:79:15 | call to params |
| action_controller/params_flow.rb:83:10:83:15 | call to params |
| action_controller/params_flow.rb:87:10:87:15 | call to params |
| action_controller/params_flow.rb:91:10:91:15 | call to params |
| action_controller/params_flow.rb:95:10:95:15 | call to params |
| action_controller/params_flow.rb:99:10:99:15 | call to params |
| action_controller/params_flow.rb:103:10:103:15 | call to params |
| action_controller/params_flow.rb:107:10:107:15 | call to params |
| action_controller/params_flow.rb:111:10:111:15 | call to params |
| action_controller/params_flow.rb:112:23:112:28 | call to params |
| action_controller/params_flow.rb:116:10:116:15 | call to params |
| action_controller/params_flow.rb:117:31:117:36 | call to params |
| action_controller/params_flow.rb:121:10:121:15 | call to params |
| action_controller/params_flow.rb:122:31:122:36 | call to params |
| action_controller/params_flow.rb:126:10:126:15 | call to params |
| action_controller/params_flow.rb:127:24:127:29 | call to params |
| action_controller/params_flow.rb:130:14:130:19 | call to params |
| action_controller/params_flow.rb:135:10:135:15 | call to params |
| action_controller/params_flow.rb:136:32:136:37 | call to params |
| action_controller/params_flow.rb:139:22:139:27 | call to params |
| action_controller/params_flow.rb:144:10:144:15 | call to params |
| action_controller/params_flow.rb:145:32:145:37 | call to params |
| action_controller/params_flow.rb:148:22:148:27 | call to params |
| action_controller/params_flow.rb:153:10:153:15 | call to params |
| action_controller/params_flow.rb:154:32:154:37 | call to params |
| action_controller/params_flow.rb:157:22:157:27 | call to params |
| action_controller/params_flow.rb:166:10:166:15 | call to params |
| action_controller/params_flow.rb:172:10:172:15 | call to params |
| action_controller/params_flow.rb:176:10:176:15 | call to params |
| action_mailer/mailer.rb:3:10:3:15 | call to params |
| active_record/ActiveRecord.rb:28:30:28:35 | call to params |
| active_record/ActiveRecord.rb:29:29:29:34 | call to params |
| active_record/ActiveRecord.rb:30:31:30:36 | call to params |
| active_record/ActiveRecord.rb:32:21:32:26 | call to params |
| active_record/ActiveRecord.rb:34:34:34:39 | call to params |
| active_record/ActiveRecord.rb:35:23:35:28 | call to params |
| active_record/ActiveRecord.rb:35:38:35:43 | call to params |
| active_record/ActiveRecord.rb:43:10:43:15 | call to params |
| active_record/ActiveRecord.rb:50:11:50:16 | call to params |
| active_record/ActiveRecord.rb:54:12:54:17 | call to params |
| active_record/ActiveRecord.rb:59:12:59:17 | call to params |
| active_record/ActiveRecord.rb:62:15:62:20 | call to params |
| active_record/ActiveRecord.rb:68:21:68:26 | call to params |
| active_record/ActiveRecord.rb:72:18:72:23 | call to params |
| active_record/ActiveRecord.rb:76:24:76:29 | call to params |
| active_record/ActiveRecord.rb:76:49:76:54 | call to params |
| active_record/ActiveRecord.rb:80:25:80:30 | call to params |
| active_record/ActiveRecord.rb:80:50:80:55 | call to params |
| active_record/ActiveRecord.rb:88:21:88:26 | call to params |
| active_record/ActiveRecord.rb:92:27:92:32 | call to params |
| active_record/ActiveRecord.rb:92:52:92:57 | call to params |
| active_record/ActiveRecord.rb:96:28:96:33 | call to params |
| active_record/ActiveRecord.rb:96:53:96:58 | call to params |
| active_record/ActiveRecord.rb:106:59:106:64 | call to params |
| active_storage/active_storage.rb:41:21:41:26 | call to params |
| active_storage/active_storage.rb:42:24:42:29 | call to params |
| app/controllers/foo/bars_controller.rb:13:21:13:26 | call to params |
| app/controllers/foo/bars_controller.rb:14:10:14:15 | call to params |
| app/controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
| app/controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
| app/views/foo/bars/show.html.erb:5:9:5:14 | call to params |
paramsSources
| action_controller/params_flow.rb:3:10:3:15 | call to params |
| action_controller/params_flow.rb:7:10:7:15 | call to params |
| action_controller/params_flow.rb:11:10:11:15 | call to params |
| action_controller/params_flow.rb:15:10:15:15 | call to params |
| action_controller/params_flow.rb:19:10:19:15 | call to params |
| action_controller/params_flow.rb:23:10:23:15 | call to params |
| action_controller/params_flow.rb:27:10:27:15 | call to params |
| action_controller/params_flow.rb:31:10:31:15 | call to params |
| action_controller/params_flow.rb:35:10:35:15 | call to params |
| action_controller/params_flow.rb:39:10:39:15 | call to params |
| action_controller/params_flow.rb:43:10:43:15 | call to params |
| action_controller/params_flow.rb:47:10:47:15 | call to params |
| action_controller/params_flow.rb:51:10:51:15 | call to params |
| action_controller/params_flow.rb:55:10:55:15 | call to params |
| action_controller/params_flow.rb:59:10:59:15 | call to params |
| action_controller/params_flow.rb:63:10:63:15 | call to params |
| action_controller/params_flow.rb:67:10:67:15 | call to params |
| action_controller/params_flow.rb:71:10:71:15 | call to params |
| action_controller/params_flow.rb:75:10:75:15 | call to params |
| action_controller/params_flow.rb:79:10:79:15 | call to params |
| action_controller/params_flow.rb:83:10:83:15 | call to params |
| action_controller/params_flow.rb:87:10:87:15 | call to params |
| action_controller/params_flow.rb:91:10:91:15 | call to params |
| action_controller/params_flow.rb:95:10:95:15 | call to params |
| action_controller/params_flow.rb:99:10:99:15 | call to params |
| action_controller/params_flow.rb:103:10:103:15 | call to params |
| action_controller/params_flow.rb:107:10:107:15 | call to params |
| action_controller/params_flow.rb:111:10:111:15 | call to params |
| action_controller/params_flow.rb:112:23:112:28 | call to params |
| action_controller/params_flow.rb:116:10:116:15 | call to params |
| action_controller/params_flow.rb:117:31:117:36 | call to params |
| action_controller/params_flow.rb:121:10:121:15 | call to params |
| action_controller/params_flow.rb:122:31:122:36 | call to params |
| action_controller/params_flow.rb:126:10:126:15 | call to params |
| action_controller/params_flow.rb:127:24:127:29 | call to params |
| action_controller/params_flow.rb:130:14:130:19 | call to params |
| action_controller/params_flow.rb:135:10:135:15 | call to params |
| action_controller/params_flow.rb:136:32:136:37 | call to params |
| action_controller/params_flow.rb:139:22:139:27 | call to params |
| action_controller/params_flow.rb:144:10:144:15 | call to params |
| action_controller/params_flow.rb:145:32:145:37 | call to params |
| action_controller/params_flow.rb:148:22:148:27 | call to params |
| action_controller/params_flow.rb:153:10:153:15 | call to params |
| action_controller/params_flow.rb:154:32:154:37 | call to params |
| action_controller/params_flow.rb:157:22:157:27 | call to params |
| action_controller/params_flow.rb:166:10:166:15 | call to params |
| action_controller/params_flow.rb:172:10:172:15 | call to params |
| action_controller/params_flow.rb:176:10:176:15 | call to params |
| action_mailer/mailer.rb:3:10:3:15 | call to params |
| active_record/ActiveRecord.rb:28:30:28:35 | call to params |
| active_record/ActiveRecord.rb:29:29:29:34 | call to params |
| active_record/ActiveRecord.rb:30:31:30:36 | call to params |
| active_record/ActiveRecord.rb:32:21:32:26 | call to params |
| active_record/ActiveRecord.rb:34:34:34:39 | call to params |
| active_record/ActiveRecord.rb:35:23:35:28 | call to params |
| active_record/ActiveRecord.rb:35:38:35:43 | call to params |
| active_record/ActiveRecord.rb:43:10:43:15 | call to params |
| active_record/ActiveRecord.rb:50:11:50:16 | call to params |
| active_record/ActiveRecord.rb:54:12:54:17 | call to params |
| active_record/ActiveRecord.rb:59:12:59:17 | call to params |
| active_record/ActiveRecord.rb:62:15:62:20 | call to params |
| active_record/ActiveRecord.rb:68:21:68:26 | call to params |
| active_record/ActiveRecord.rb:72:18:72:23 | call to params |
| active_record/ActiveRecord.rb:76:24:76:29 | call to params |
| active_record/ActiveRecord.rb:76:49:76:54 | call to params |
| active_record/ActiveRecord.rb:80:25:80:30 | call to params |
| active_record/ActiveRecord.rb:80:50:80:55 | call to params |
| active_record/ActiveRecord.rb:88:21:88:26 | call to params |
| active_record/ActiveRecord.rb:92:27:92:32 | call to params |
| active_record/ActiveRecord.rb:92:52:92:57 | call to params |
| active_record/ActiveRecord.rb:96:28:96:33 | call to params |
| active_record/ActiveRecord.rb:96:53:96:58 | call to params |
| active_record/ActiveRecord.rb:106:59:106:64 | call to params |
| active_storage/active_storage.rb:41:21:41:26 | call to params |
| active_storage/active_storage.rb:42:24:42:29 | call to params |
| app/controllers/foo/bars_controller.rb:13:21:13:26 | call to params |
| app/controllers/foo/bars_controller.rb:14:10:14:15 | call to params |
| app/controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
| app/controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
| app/views/foo/bars/show.html.erb:5:9:5:14 | call to params |
httpInputAccesses
| action_controller/input_access.rb:3:5:3:18 | call to params | ActionDispatch::Request#params |
| action_controller/input_access.rb:4:5:4:22 | call to parameters | ActionDispatch::Request#parameters |
| action_controller/input_access.rb:5:5:5:15 | call to GET | ActionDispatch::Request#GET |
| action_controller/input_access.rb:6:5:6:16 | call to POST | ActionDispatch::Request#POST |
| action_controller/input_access.rb:7:5:7:28 | call to query_parameters | ActionDispatch::Request#query_parameters |
| action_controller/input_access.rb:8:5:8:30 | call to request_parameters | ActionDispatch::Request#request_parameters |
| action_controller/input_access.rb:9:5:9:31 | call to filtered_parameters | ActionDispatch::Request#filtered_parameters |
| action_controller/input_access.rb:11:5:11:25 | call to authorization | ActionDispatch::Request#authorization |
| action_controller/input_access.rb:12:5:12:23 | call to script_name | ActionDispatch::Request#script_name |
| action_controller/input_access.rb:13:5:13:21 | call to path_info | ActionDispatch::Request#path_info |
| action_controller/input_access.rb:14:5:14:22 | call to user_agent | ActionDispatch::Request#user_agent |
| action_controller/input_access.rb:15:5:15:19 | call to referer | ActionDispatch::Request#referer |
| action_controller/input_access.rb:16:5:16:20 | call to referrer | ActionDispatch::Request#referrer |
| action_controller/input_access.rb:17:5:17:26 | call to host_authority | ActionDispatch::Request#host_authority |
| action_controller/input_access.rb:18:5:18:24 | call to content_type | ActionDispatch::Request#content_type |
| action_controller/input_access.rb:19:5:19:16 | call to host | ActionDispatch::Request#host |
| action_controller/input_access.rb:20:5:20:20 | call to hostname | ActionDispatch::Request#hostname |
| action_controller/input_access.rb:21:5:21:27 | call to accept_encoding | ActionDispatch::Request#accept_encoding |
| action_controller/input_access.rb:22:5:22:27 | call to accept_language | ActionDispatch::Request#accept_language |
| action_controller/input_access.rb:23:5:23:25 | call to if_none_match | ActionDispatch::Request#if_none_match |
| action_controller/input_access.rb:24:5:24:31 | call to if_none_match_etags | ActionDispatch::Request#if_none_match_etags |
| action_controller/input_access.rb:25:5:25:29 | call to content_mime_type | ActionDispatch::Request#content_mime_type |
| action_controller/input_access.rb:27:5:27:21 | call to authority | ActionDispatch::Request#authority |
| action_controller/input_access.rb:28:5:28:16 | call to host | ActionDispatch::Request#host |
| action_controller/input_access.rb:29:5:29:26 | call to host_authority | ActionDispatch::Request#host_authority |
| action_controller/input_access.rb:30:5:30:26 | call to host_with_port | ActionDispatch::Request#host_with_port |
| action_controller/input_access.rb:31:5:31:20 | call to hostname | ActionDispatch::Request#hostname |
| action_controller/input_access.rb:32:5:32:25 | call to forwarded_for | ActionDispatch::Request#forwarded_for |
| action_controller/input_access.rb:33:5:33:26 | call to forwarded_host | ActionDispatch::Request#forwarded_host |
| action_controller/input_access.rb:34:5:34:16 | call to port | ActionDispatch::Request#port |
| action_controller/input_access.rb:35:5:35:26 | call to forwarded_port | ActionDispatch::Request#forwarded_port |
| action_controller/input_access.rb:37:5:37:22 | call to media_type | ActionDispatch::Request#media_type |
| action_controller/input_access.rb:38:5:38:29 | call to media_type_params | ActionDispatch::Request#media_type_params |
| action_controller/input_access.rb:39:5:39:27 | call to content_charset | ActionDispatch::Request#content_charset |
| action_controller/input_access.rb:40:5:40:20 | call to base_url | ActionDispatch::Request#base_url |
| action_controller/input_access.rb:42:5:42:16 | call to body | ActionDispatch::Request#body |
| action_controller/input_access.rb:43:5:43:20 | call to raw_post | ActionDispatch::Request#raw_post |
| action_controller/input_access.rb:45:5:45:30 | ...[...] | ActionDispatch::Request#env[] |
| action_controller/input_access.rb:47:5:47:39 | ...[...] | ActionDispatch::Request#env[] |
| action_controller/params_flow.rb:3:10:3:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:7:10:7:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:11:10:11:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:15:10:15:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:19:10:19:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:23:10:23:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:27:10:27:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:31:10:31:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:35:10:35:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:39:10:39:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:43:10:43:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:47:10:47:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:51:10:51:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:55:10:55:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:59:10:59:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:63:10:63:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:67:10:67:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:71:10:71:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:75:10:75:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:79:10:79:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:83:10:83:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:87:10:87:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:91:10:91:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:95:10:95:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:99:10:99:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:103:10:103:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:107:10:107:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:111:10:111:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:112:23:112:28 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:116:10:116:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:117:31:117:36 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:121:10:121:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:122:31:122:36 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:126:10:126:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:127:24:127:29 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:130:14:130:19 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:135:10:135:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:136:32:136:37 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:139:22:139:27 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:144:10:144:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:145:32:145:37 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:148:22:148:27 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:153:10:153:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:154:32:154:37 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:157:22:157:27 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:166:10:166:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:172:10:172:15 | call to params | ActionController::Metal#params |
| action_controller/params_flow.rb:176:10:176:15 | call to params | ActionController::Metal#params |
| action_mailer/mailer.rb:3:10:3:15 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:28:30:28:35 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:29:29:29:34 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:30:31:30:36 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:32:21:32:26 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:34:34:34:39 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:35:23:35:28 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:35:38:35:43 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:43:10:43:15 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:50:11:50:16 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:54:12:54:17 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:59:12:59:17 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:62:15:62:20 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:68:21:68:26 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:72:18:72:23 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:76:24:76:29 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:76:49:76:54 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:80:25:80:30 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:80:50:80:55 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:88:21:88:26 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:92:27:92:32 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:92:52:92:57 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:96:28:96:33 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:96:53:96:58 | call to params | ActionController::Metal#params |
| active_record/ActiveRecord.rb:106:59:106:64 | call to params | ActionController::Metal#params |
| active_storage/active_storage.rb:41:21:41:26 | call to params | ActionController::Metal#params |
| active_storage/active_storage.rb:42:24:42:29 | call to params | ActionController::Metal#params |
| app/controllers/comments_controller.rb:3:5:3:18 | call to params | ActionDispatch::Request#params |
| app/controllers/comments_controller.rb:4:5:4:22 | call to parameters | ActionDispatch::Request#parameters |
| app/controllers/comments_controller.rb:5:5:5:15 | call to GET | ActionDispatch::Request#GET |
| app/controllers/comments_controller.rb:6:5:6:16 | call to POST | ActionDispatch::Request#POST |
| app/controllers/comments_controller.rb:7:5:7:28 | call to query_parameters | ActionDispatch::Request#query_parameters |
| app/controllers/comments_controller.rb:8:5:8:30 | call to request_parameters | ActionDispatch::Request#request_parameters |
| app/controllers/comments_controller.rb:9:5:9:31 | call to filtered_parameters | ActionDispatch::Request#filtered_parameters |
| app/controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies | ActionController::Metal#cookies |
| app/controllers/foo/bars_controller.rb:13:21:13:26 | call to params | ActionController::Metal#params |
| app/controllers/foo/bars_controller.rb:14:10:14:15 | call to params | ActionController::Metal#params |
| app/controllers/foo/bars_controller.rb:21:21:21:26 | call to params | ActionController::Metal#params |
| app/controllers/foo/bars_controller.rb:22:10:22:15 | call to params | ActionController::Metal#params |
| app/graphql/mutations/dummy.rb:5:24:5:25 | id | GraphQL RoutedParameter |
| app/graphql/mutations/dummy.rb:9:17:9:25 | something | GraphQL RoutedParameter |
| app/graphql/resolvers/dummy_resolver.rb:6:24:6:25 | id | GraphQL RoutedParameter |
| app/graphql/resolvers/dummy_resolver.rb:10:17:10:25 | something | GraphQL RoutedParameter |
| app/graphql/types/query_type.rb:10:18:10:23 | number | GraphQL RoutedParameter |
| app/graphql/types/query_type.rb:18:23:18:33 | blah_number | GraphQL RoutedParameter |
| app/graphql/types/query_type.rb:27:20:27:25 | **args | GraphQL RoutedParameter |
| app/graphql/types/query_type.rb:36:34:36:37 | arg1 | GraphQL RoutedParameter |
| app/graphql/types/query_type.rb:36:41:36:46 | **rest | GraphQL RoutedParameter |
| app/views/foo/bars/show.html.erb:5:9:5:14 | call to params | ActionController::Metal#params |
cookiesCalls
| app/controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies |
cookiesSources
| app/controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies |
redirectToCalls
| app/controllers/foo/bars_controller.rb:17:5:17:30 | call to redirect_to |
| app/controllers/foo/bars_controller.rb:27:5:27:39 | call to redirect_back_or_to |
| app/controllers/foo/bars_controller.rb:31:5:31:56 | call to redirect_back |
actionControllerHelperMethods
getAssociatedControllerClasses
| app/controllers/foo/bars_controller.rb:3:1:46:3 | BarsController | app/views/foo/bars/_widget.html.erb:0:0:0:0 | app/views/foo/bars/_widget.html.erb |
| app/controllers/foo/bars_controller.rb:3:1:46:3 | BarsController | app/views/foo/bars/show.html.erb:0:0:0:0 | app/views/foo/bars/show.html.erb |
controllerTemplateFiles
| app/controllers/foo/bars_controller.rb:3:1:46:3 | BarsController | app/views/foo/bars/_widget.html.erb:0:0:0:0 | app/views/foo/bars/_widget.html.erb |
| app/controllers/foo/bars_controller.rb:3:1:46:3 | BarsController | app/views/foo/bars/show.html.erb:0:0:0:0 | app/views/foo/bars/show.html.erb |
headerWriteAccesses
| app/controllers/comments_controller.rb:15:5:15:35 | call to []= | content-type | app/controllers/comments_controller.rb:15:39:15:49 | ... = ... |
| app/controllers/comments_controller.rb:16:5:16:46 | call to set_header | content-length | app/controllers/comments_controller.rb:16:43:16:45 | 100 |
| app/controllers/comments_controller.rb:17:5:17:39 | call to []= | x-custom-header | app/controllers/comments_controller.rb:17:43:17:46 | ... = ... |
| app/controllers/comments_controller.rb:18:5:18:39 | call to []= | x-another-custom-header | app/controllers/comments_controller.rb:18:43:18:47 | ... = ... |
| app/controllers/comments_controller.rb:19:5:19:49 | call to add_header | x-yet-another | app/controllers/comments_controller.rb:19:42:19:49 | "indeed" |
| app/controllers/comments_controller.rb:25:5:25:21 | call to location= | location | app/controllers/comments_controller.rb:25:25:25:36 | ... = ... |
| app/controllers/comments_controller.rb:26:5:26:26 | call to cache_control= | cache-control | app/controllers/comments_controller.rb:26:30:26:36 | ... = ... |
| app/controllers/comments_controller.rb:27:5:27:27 | call to _cache_control= | cache-control | app/controllers/comments_controller.rb:27:31:27:37 | ... = ... |
| app/controllers/comments_controller.rb:28:5:28:17 | call to etag= | etag | app/controllers/comments_controller.rb:28:21:28:27 | ... = ... |
| app/controllers/comments_controller.rb:29:5:29:20 | call to charset= | content-type | app/controllers/comments_controller.rb:29:24:29:30 | ... = ... |
| app/controllers/comments_controller.rb:30:5:30:25 | call to content_type= | content-type | app/controllers/comments_controller.rb:30:29:30:35 | ... = ... |
| app/controllers/comments_controller.rb:32:5:32:17 | call to date= | date | app/controllers/comments_controller.rb:32:21:32:30 | ... = ... |
| app/controllers/comments_controller.rb:33:5:33:26 | call to last_modified= | last-modified | app/controllers/comments_controller.rb:33:30:33:43 | ... = ... |
| app/controllers/comments_controller.rb:34:5:34:22 | call to weak_etag= | etag | app/controllers/comments_controller.rb:34:26:34:32 | ... = ... |
| app/controllers/comments_controller.rb:35:5:35:24 | call to strong_etag= | etag | app/controllers/comments_controller.rb:35:28:35:34 | ... = ... |


@ -34,15 +34,26 @@ actionDispatchRoutes
| app/config/routes.rb:49:5:49:95 | call to delete | delete | users/:user/notifications | users/notifications | destroy |
| app/config/routes.rb:50:5:50:94 | call to post | post | users/:user/notifications/:notification_id/mark_as_read | users/notifications | mark_as_read |
actionDispatchControllerMethods
| app/config/routes.rb:2:3:8:5 | call to resources | action_controller/controllers/posts_controller.rb:2:3:3:5 | index |
| app/config/routes.rb:2:3:8:5 | call to resources | action_controller/controllers/posts_controller.rb:5:3:6:5 | show |
| app/config/routes.rb:2:3:8:5 | call to resources | app/controllers/posts_controller.rb:2:3:3:5 | index |
| app/config/routes.rb:2:3:8:5 | call to resources | app/controllers/posts_controller.rb:5:3:6:5 | show |
| app/config/routes.rb:3:5:6:7 | call to resources | action_controller/controllers/comments_controller.rb:2:3:36:5 | index |
| app/config/routes.rb:3:5:6:7 | call to resources | action_controller/controllers/comments_controller.rb:38:3:44:5 | show |
| app/config/routes.rb:3:5:6:7 | call to resources | action_controller/controllers/comments_controller.rb:50:3:52:5 | destroy |
| app/config/routes.rb:3:5:6:7 | call to resources | app/controllers/comments_controller.rb:2:3:36:5 | index |
| app/config/routes.rb:3:5:6:7 | call to resources | app/controllers/comments_controller.rb:38:3:39:5 | show |
| app/config/routes.rb:7:5:7:37 | call to post | action_controller/controllers/posts_controller.rb:8:3:9:5 | upvote |
| app/config/routes.rb:7:5:7:37 | call to post | app/controllers/posts_controller.rb:8:3:9:5 | upvote |
| app/config/routes.rb:27:3:27:48 | call to match | action_controller/controllers/photos_controller.rb:2:3:3:5 | show |
| app/config/routes.rb:27:3:27:48 | call to match | app/controllers/photos_controller.rb:2:3:3:5 | show |
| app/config/routes.rb:28:3:28:50 | call to match | action_controller/controllers/photos_controller.rb:2:3:3:5 | show |
| app/config/routes.rb:28:3:28:50 | call to match | app/controllers/photos_controller.rb:2:3:3:5 | show |
| app/config/routes.rb:29:3:29:69 | call to match | action_controller/controllers/photos_controller.rb:2:3:3:5 | show |
| app/config/routes.rb:29:3:29:69 | call to match | app/controllers/photos_controller.rb:2:3:3:5 | show |
| app/config/routes.rb:30:3:30:50 | call to match | action_controller/controllers/photos_controller.rb:2:3:3:5 | show |
| app/config/routes.rb:30:3:30:50 | call to match | app/controllers/photos_controller.rb:2:3:3:5 | show |
| app/config/routes.rb:50:5:50:94 | call to post | action_controller/controllers/users/notifications_controller.rb:3:5:4:7 | mark_as_read |
| app/config/routes.rb:50:5:50:94 | call to post | app/controllers/users/notifications_controller.rb:3:5:4:7 | mark_as_read |
underscore
| Foo | foo |


@ -9,6 +9,12 @@ rawCalls
| app/views/foo/bars/show.html.erb:5:5:5:21 | call to raw |
| app/views/foo/bars/show.html.erb:7:5:7:19 | call to raw |
renderCalls
| action_controller/controllers/comments_controller.rb:42:21:42:64 | call to render |
| action_controller/controllers/foo/bars_controller.rb:6:5:6:37 | call to render |
| action_controller/controllers/foo/bars_controller.rb:23:5:23:76 | call to render |
| action_controller/controllers/foo/bars_controller.rb:35:5:35:33 | call to render |
| action_controller/controllers/foo/bars_controller.rb:38:5:38:50 | call to render |
| action_controller/controllers/foo/bars_controller.rb:44:5:44:17 | call to render |
| app/controllers/foo/bars_controller.rb:6:5:6:37 | call to render |
| app/controllers/foo/bars_controller.rb:23:5:23:76 | call to render |
| app/controllers/foo/bars_controller.rb:35:5:35:33 | call to render |
@ -16,11 +22,22 @@ renderCalls
| app/controllers/foo/bars_controller.rb:44:5:44:17 | call to render |
| app/views/foo/bars/show.html.erb:31:5:31:89 | call to render |
renderToCalls
| action_controller/controllers/foo/bars_controller.rb:15:16:15:97 | call to render_to_string |
| action_controller/controllers/foo/bars_controller.rb:36:12:36:67 | call to render_to_string |
| app/controllers/foo/bars_controller.rb:15:16:15:97 | call to render_to_string |
| app/controllers/foo/bars_controller.rb:36:12:36:67 | call to render_to_string |
linkToCalls
| app/views/foo/bars/show.html.erb:33:5:33:41 | call to link_to |
httpResponses
| action_controller/controllers/comments_controller.rb:11:5:11:17 | call to body= | action_controller/controllers/comments_controller.rb:11:21:11:34 | ... = ... | text/http |
| action_controller/controllers/comments_controller.rb:21:5:21:37 | call to send_file | action_controller/controllers/comments_controller.rb:21:24:21:36 | "my-file.ext" | application/octet-stream |
| action_controller/controllers/comments_controller.rb:47:5:47:20 | call to send_data | action_controller/controllers/comments_controller.rb:47:15:47:20 | @photo | application/octet-stream |
| action_controller/controllers/foo/bars_controller.rb:15:16:15:97 | call to render_to_string | action_controller/controllers/foo/bars_controller.rb:15:33:15:47 | "foo/bars/show" | text/html |
| action_controller/controllers/foo/bars_controller.rb:23:5:23:76 | call to render | action_controller/controllers/foo/bars_controller.rb:23:12:23:26 | "foo/bars/show" | text/html |
| action_controller/controllers/foo/bars_controller.rb:35:5:35:33 | call to render | action_controller/controllers/foo/bars_controller.rb:35:18:35:33 | call to [] | application/json |
| action_controller/controllers/foo/bars_controller.rb:36:12:36:67 | call to render_to_string | action_controller/controllers/foo/bars_controller.rb:36:29:36:33 | @user | application/json |
| action_controller/controllers/foo/bars_controller.rb:38:5:38:50 | call to render | action_controller/controllers/foo/bars_controller.rb:38:12:38:22 | call to backtrace | text/plain |
| action_controller/controllers/foo/bars_controller.rb:44:5:44:17 | call to render | action_controller/controllers/foo/bars_controller.rb:44:12:44:17 | "show" | text/html |
| app/controllers/comments_controller.rb:11:5:11:17 | call to body= | app/controllers/comments_controller.rb:11:21:11:34 | ... = ... | text/http |
| app/controllers/comments_controller.rb:21:5:21:37 | call to send_file | app/controllers/comments_controller.rb:21:24:21:36 | "my-file.ext" | application/octet-stream |
| app/controllers/foo/bars_controller.rb:15:16:15:97 | call to render_to_string | app/controllers/foo/bars_controller.rb:15:33:15:47 | "foo/bars/show" | text/html |


@ -0,0 +1,322 @@
actionControllerControllerClasses
| controllers/comments_controller.rb:1:1:53:3 | CommentsController |
| controllers/foo/bars_controller.rb:3:1:46:3 | BarsController |
| controllers/photos_controller.rb:1:1:4:3 | PhotosController |
| controllers/posts_controller.rb:1:1:10:3 | PostsController |
| controllers/tags_controller.rb:1:1:2:3 | TagsController |
| controllers/users/notifications_controller.rb:2:3:5:5 | Users::NotificationsController |
| input_access.rb:1:1:50:3 | UsersController |
| params_flow.rb:1:1:162:3 | MyController |
| params_flow.rb:170:1:178:3 | Subclass |
actionControllerActionMethods
| controllers/comments_controller.rb:2:3:36:5 | index |
| controllers/comments_controller.rb:38:3:44:5 | show |
| controllers/comments_controller.rb:46:3:48:5 | photo |
| controllers/comments_controller.rb:50:3:52:5 | destroy |
| controllers/foo/bars_controller.rb:5:3:7:5 | index |
| controllers/foo/bars_controller.rb:9:3:18:5 | show_debug |
| controllers/foo/bars_controller.rb:20:3:24:5 | show |
| controllers/foo/bars_controller.rb:26:3:28:5 | go_back |
| controllers/foo/bars_controller.rb:30:3:32:5 | go_back_2 |
| controllers/foo/bars_controller.rb:34:3:39:5 | show_2 |
| controllers/photos_controller.rb:2:3:3:5 | show |
| controllers/posts_controller.rb:2:3:3:5 | index |
| controllers/posts_controller.rb:5:3:6:5 | show |
| controllers/posts_controller.rb:8:3:9:5 | upvote |
| controllers/users/notifications_controller.rb:3:5:4:7 | mark_as_read |
| input_access.rb:2:3:49:5 | index |
| logging.rb:2:5:8:7 | index |
| params_flow.rb:2:3:4:5 | m1 |
| params_flow.rb:6:3:8:5 | m2 |
| params_flow.rb:10:3:12:5 | m2 |
| params_flow.rb:14:3:16:5 | m3 |
| params_flow.rb:18:3:20:5 | m4 |
| params_flow.rb:22:3:24:5 | m5 |
| params_flow.rb:26:3:28:5 | m6 |
| params_flow.rb:30:3:32:5 | m7 |
| params_flow.rb:34:3:36:5 | m8 |
| params_flow.rb:38:3:40:5 | m9 |
| params_flow.rb:42:3:44:5 | m10 |
| params_flow.rb:46:3:48:5 | m11 |
| params_flow.rb:50:3:52:5 | m12 |
| params_flow.rb:54:3:56:5 | m13 |
| params_flow.rb:58:3:60:5 | m14 |
| params_flow.rb:62:3:64:5 | m15 |
| params_flow.rb:66:3:68:5 | m16 |
| params_flow.rb:70:3:72:5 | m17 |
| params_flow.rb:74:3:76:5 | m18 |
| params_flow.rb:78:3:80:5 | m19 |
| params_flow.rb:82:3:84:5 | m20 |
| params_flow.rb:86:3:88:5 | m21 |
| params_flow.rb:90:3:92:5 | m22 |
| params_flow.rb:94:3:96:5 | m23 |
| params_flow.rb:98:3:100:5 | m24 |
| params_flow.rb:102:3:104:5 | m25 |
| params_flow.rb:106:3:108:5 | m26 |
| params_flow.rb:110:3:113:5 | m27 |
| params_flow.rb:115:3:118:5 | m28 |
| params_flow.rb:120:3:123:5 | m29 |
| params_flow.rb:125:3:132:5 | m30 |
| params_flow.rb:134:3:141:5 | m31 |
| params_flow.rb:143:3:150:5 | m32 |
| params_flow.rb:152:3:159:5 | m33 |
| params_flow.rb:165:3:167:5 | m34 |
| params_flow.rb:171:3:173:5 | m35 |
paramsCalls
| controllers/foo/bars_controller.rb:13:21:13:26 | call to params |
| controllers/foo/bars_controller.rb:14:10:14:15 | call to params |
| controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
| controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
| params_flow.rb:3:10:3:15 | call to params |
| params_flow.rb:7:10:7:15 | call to params |
| params_flow.rb:11:10:11:15 | call to params |
| params_flow.rb:15:10:15:15 | call to params |
| params_flow.rb:19:10:19:15 | call to params |
| params_flow.rb:23:10:23:15 | call to params |
| params_flow.rb:27:10:27:15 | call to params |
| params_flow.rb:31:10:31:15 | call to params |
| params_flow.rb:35:10:35:15 | call to params |
| params_flow.rb:39:10:39:15 | call to params |
| params_flow.rb:43:10:43:15 | call to params |
| params_flow.rb:47:10:47:15 | call to params |
| params_flow.rb:51:10:51:15 | call to params |
| params_flow.rb:55:10:55:15 | call to params |
| params_flow.rb:59:10:59:15 | call to params |
| params_flow.rb:63:10:63:15 | call to params |
| params_flow.rb:67:10:67:15 | call to params |
| params_flow.rb:71:10:71:15 | call to params |
| params_flow.rb:75:10:75:15 | call to params |
| params_flow.rb:79:10:79:15 | call to params |
| params_flow.rb:83:10:83:15 | call to params |
| params_flow.rb:87:10:87:15 | call to params |
| params_flow.rb:91:10:91:15 | call to params |
| params_flow.rb:95:10:95:15 | call to params |
| params_flow.rb:99:10:99:15 | call to params |
| params_flow.rb:103:10:103:15 | call to params |
| params_flow.rb:107:10:107:15 | call to params |
| params_flow.rb:111:10:111:15 | call to params |
| params_flow.rb:112:23:112:28 | call to params |
| params_flow.rb:116:10:116:15 | call to params |
| params_flow.rb:117:31:117:36 | call to params |
| params_flow.rb:121:10:121:15 | call to params |
| params_flow.rb:122:31:122:36 | call to params |
| params_flow.rb:126:10:126:15 | call to params |
| params_flow.rb:127:24:127:29 | call to params |
| params_flow.rb:130:14:130:19 | call to params |
| params_flow.rb:135:10:135:15 | call to params |
| params_flow.rb:136:32:136:37 | call to params |
| params_flow.rb:139:22:139:27 | call to params |
| params_flow.rb:144:10:144:15 | call to params |
| params_flow.rb:145:32:145:37 | call to params |
| params_flow.rb:148:22:148:27 | call to params |
| params_flow.rb:153:10:153:15 | call to params |
| params_flow.rb:154:32:154:37 | call to params |
| params_flow.rb:157:22:157:27 | call to params |
| params_flow.rb:166:10:166:15 | call to params |
| params_flow.rb:172:10:172:15 | call to params |
| params_flow.rb:176:10:176:15 | call to params |
paramsSources
| controllers/foo/bars_controller.rb:13:21:13:26 | call to params |
| controllers/foo/bars_controller.rb:14:10:14:15 | call to params |
| controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
| controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
| params_flow.rb:3:10:3:15 | call to params |
| params_flow.rb:7:10:7:15 | call to params |
| params_flow.rb:11:10:11:15 | call to params |
| params_flow.rb:15:10:15:15 | call to params |
| params_flow.rb:19:10:19:15 | call to params |
| params_flow.rb:23:10:23:15 | call to params |
| params_flow.rb:27:10:27:15 | call to params |
| params_flow.rb:31:10:31:15 | call to params |
| params_flow.rb:35:10:35:15 | call to params |
| params_flow.rb:39:10:39:15 | call to params |
| params_flow.rb:43:10:43:15 | call to params |
| params_flow.rb:47:10:47:15 | call to params |
| params_flow.rb:51:10:51:15 | call to params |
| params_flow.rb:55:10:55:15 | call to params |
| params_flow.rb:59:10:59:15 | call to params |
| params_flow.rb:63:10:63:15 | call to params |
| params_flow.rb:67:10:67:15 | call to params |
| params_flow.rb:71:10:71:15 | call to params |
| params_flow.rb:75:10:75:15 | call to params |
| params_flow.rb:79:10:79:15 | call to params |
| params_flow.rb:83:10:83:15 | call to params |
| params_flow.rb:87:10:87:15 | call to params |
| params_flow.rb:91:10:91:15 | call to params |
| params_flow.rb:95:10:95:15 | call to params |
| params_flow.rb:99:10:99:15 | call to params |
| params_flow.rb:103:10:103:15 | call to params |
| params_flow.rb:107:10:107:15 | call to params |
| params_flow.rb:111:10:111:15 | call to params |
| params_flow.rb:112:23:112:28 | call to params |
| params_flow.rb:116:10:116:15 | call to params |
| params_flow.rb:117:31:117:36 | call to params |
| params_flow.rb:121:10:121:15 | call to params |
| params_flow.rb:122:31:122:36 | call to params |
| params_flow.rb:126:10:126:15 | call to params |
| params_flow.rb:127:24:127:29 | call to params |
| params_flow.rb:130:14:130:19 | call to params |
| params_flow.rb:135:10:135:15 | call to params |
| params_flow.rb:136:32:136:37 | call to params |
| params_flow.rb:139:22:139:27 | call to params |
| params_flow.rb:144:10:144:15 | call to params |
| params_flow.rb:145:32:145:37 | call to params |
| params_flow.rb:148:22:148:27 | call to params |
| params_flow.rb:153:10:153:15 | call to params |
| params_flow.rb:154:32:154:37 | call to params |
| params_flow.rb:157:22:157:27 | call to params |
| params_flow.rb:166:10:166:15 | call to params |
| params_flow.rb:172:10:172:15 | call to params |
| params_flow.rb:176:10:176:15 | call to params |
httpInputAccesses
| controllers/comments_controller.rb:3:5:3:18 | call to params | ActionDispatch::Request#params |
| controllers/comments_controller.rb:4:5:4:22 | call to parameters | ActionDispatch::Request#parameters |
| controllers/comments_controller.rb:5:5:5:15 | call to GET | ActionDispatch::Request#GET |
| controllers/comments_controller.rb:6:5:6:16 | call to POST | ActionDispatch::Request#POST |
| controllers/comments_controller.rb:7:5:7:28 | call to query_parameters | ActionDispatch::Request#query_parameters |
| controllers/comments_controller.rb:8:5:8:30 | call to request_parameters | ActionDispatch::Request#request_parameters |
| controllers/comments_controller.rb:9:5:9:31 | call to filtered_parameters | ActionDispatch::Request#filtered_parameters |
| controllers/comments_controller.rb:51:12:51:30 | call to body_stream | ActionDispatch::Request#body_stream |
| controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies | ActionController::Metal#cookies |
| controllers/foo/bars_controller.rb:13:21:13:26 | call to params | ActionController::Metal#params |
| controllers/foo/bars_controller.rb:14:10:14:15 | call to params | ActionController::Metal#params |
| controllers/foo/bars_controller.rb:21:21:21:26 | call to params | ActionController::Metal#params |
| controllers/foo/bars_controller.rb:22:10:22:15 | call to params | ActionController::Metal#params |
| input_access.rb:3:5:3:18 | call to params | ActionDispatch::Request#params |
| input_access.rb:4:5:4:22 | call to parameters | ActionDispatch::Request#parameters |
| input_access.rb:5:5:5:15 | call to GET | ActionDispatch::Request#GET |
| input_access.rb:6:5:6:16 | call to POST | ActionDispatch::Request#POST |
| input_access.rb:7:5:7:28 | call to query_parameters | ActionDispatch::Request#query_parameters |
| input_access.rb:8:5:8:30 | call to request_parameters | ActionDispatch::Request#request_parameters |
| input_access.rb:9:5:9:31 | call to filtered_parameters | ActionDispatch::Request#filtered_parameters |
| input_access.rb:11:5:11:25 | call to authorization | ActionDispatch::Request#authorization |
| input_access.rb:12:5:12:23 | call to script_name | ActionDispatch::Request#script_name |
| input_access.rb:13:5:13:21 | call to path_info | ActionDispatch::Request#path_info |
| input_access.rb:14:5:14:22 | call to user_agent | ActionDispatch::Request#user_agent |
| input_access.rb:15:5:15:19 | call to referer | ActionDispatch::Request#referer |
| input_access.rb:16:5:16:20 | call to referrer | ActionDispatch::Request#referrer |
| input_access.rb:17:5:17:26 | call to host_authority | ActionDispatch::Request#host_authority |
| input_access.rb:18:5:18:24 | call to content_type | ActionDispatch::Request#content_type |
| input_access.rb:19:5:19:16 | call to host | ActionDispatch::Request#host |
| input_access.rb:20:5:20:20 | call to hostname | ActionDispatch::Request#hostname |
| input_access.rb:21:5:21:27 | call to accept_encoding | ActionDispatch::Request#accept_encoding |
| input_access.rb:22:5:22:27 | call to accept_language | ActionDispatch::Request#accept_language |
| input_access.rb:23:5:23:25 | call to if_none_match | ActionDispatch::Request#if_none_match |
| input_access.rb:24:5:24:31 | call to if_none_match_etags | ActionDispatch::Request#if_none_match_etags |
| input_access.rb:25:5:25:29 | call to content_mime_type | ActionDispatch::Request#content_mime_type |
| input_access.rb:27:5:27:21 | call to authority | ActionDispatch::Request#authority |
| input_access.rb:28:5:28:16 | call to host | ActionDispatch::Request#host |
| input_access.rb:29:5:29:26 | call to host_authority | ActionDispatch::Request#host_authority |
| input_access.rb:30:5:30:26 | call to host_with_port | ActionDispatch::Request#host_with_port |
| input_access.rb:31:5:31:20 | call to hostname | ActionDispatch::Request#hostname |
| input_access.rb:32:5:32:25 | call to forwarded_for | ActionDispatch::Request#forwarded_for |
| input_access.rb:33:5:33:26 | call to forwarded_host | ActionDispatch::Request#forwarded_host |
| input_access.rb:34:5:34:16 | call to port | ActionDispatch::Request#port |
| input_access.rb:35:5:35:26 | call to forwarded_port | ActionDispatch::Request#forwarded_port |
| input_access.rb:37:5:37:22 | call to media_type | ActionDispatch::Request#media_type |
| input_access.rb:38:5:38:29 | call to media_type_params | ActionDispatch::Request#media_type_params |
| input_access.rb:39:5:39:27 | call to content_charset | ActionDispatch::Request#content_charset |
| input_access.rb:40:5:40:20 | call to base_url | ActionDispatch::Request#base_url |
| input_access.rb:42:5:42:16 | call to body | ActionDispatch::Request#body |
| input_access.rb:43:5:43:20 | call to raw_post | ActionDispatch::Request#raw_post |
| input_access.rb:45:5:45:30 | ...[...] | ActionDispatch::Request#env[] |
| input_access.rb:47:5:47:39 | ...[...] | ActionDispatch::Request#env[] |
| logging.rb:5:22:5:35 | call to params | ActionDispatch::Request#params |
| params_flow.rb:3:10:3:15 | call to params | ActionController::Metal#params |
| params_flow.rb:7:10:7:15 | call to params | ActionController::Metal#params |
| params_flow.rb:11:10:11:15 | call to params | ActionController::Metal#params |
| params_flow.rb:15:10:15:15 | call to params | ActionController::Metal#params |
| params_flow.rb:19:10:19:15 | call to params | ActionController::Metal#params |
| params_flow.rb:23:10:23:15 | call to params | ActionController::Metal#params |
| params_flow.rb:27:10:27:15 | call to params | ActionController::Metal#params |
| params_flow.rb:31:10:31:15 | call to params | ActionController::Metal#params |
| params_flow.rb:35:10:35:15 | call to params | ActionController::Metal#params |
| params_flow.rb:39:10:39:15 | call to params | ActionController::Metal#params |
| params_flow.rb:43:10:43:15 | call to params | ActionController::Metal#params |
| params_flow.rb:47:10:47:15 | call to params | ActionController::Metal#params |
| params_flow.rb:51:10:51:15 | call to params | ActionController::Metal#params |
| params_flow.rb:55:10:55:15 | call to params | ActionController::Metal#params |
| params_flow.rb:59:10:59:15 | call to params | ActionController::Metal#params |
| params_flow.rb:63:10:63:15 | call to params | ActionController::Metal#params |
| params_flow.rb:67:10:67:15 | call to params | ActionController::Metal#params |
| params_flow.rb:71:10:71:15 | call to params | ActionController::Metal#params |
| params_flow.rb:75:10:75:15 | call to params | ActionController::Metal#params |
| params_flow.rb:79:10:79:15 | call to params | ActionController::Metal#params |
| params_flow.rb:83:10:83:15 | call to params | ActionController::Metal#params |
| params_flow.rb:87:10:87:15 | call to params | ActionController::Metal#params |
| params_flow.rb:91:10:91:15 | call to params | ActionController::Metal#params |
| params_flow.rb:95:10:95:15 | call to params | ActionController::Metal#params |
| params_flow.rb:99:10:99:15 | call to params | ActionController::Metal#params |
| params_flow.rb:103:10:103:15 | call to params | ActionController::Metal#params |
| params_flow.rb:107:10:107:15 | call to params | ActionController::Metal#params |
| params_flow.rb:111:10:111:15 | call to params | ActionController::Metal#params |
| params_flow.rb:112:23:112:28 | call to params | ActionController::Metal#params |
| params_flow.rb:116:10:116:15 | call to params | ActionController::Metal#params |
| params_flow.rb:117:31:117:36 | call to params | ActionController::Metal#params |
| params_flow.rb:121:10:121:15 | call to params | ActionController::Metal#params |
| params_flow.rb:122:31:122:36 | call to params | ActionController::Metal#params |
| params_flow.rb:126:10:126:15 | call to params | ActionController::Metal#params |
| params_flow.rb:127:24:127:29 | call to params | ActionController::Metal#params |
| params_flow.rb:130:14:130:19 | call to params | ActionController::Metal#params |
| params_flow.rb:135:10:135:15 | call to params | ActionController::Metal#params |
| params_flow.rb:136:32:136:37 | call to params | ActionController::Metal#params |
| params_flow.rb:139:22:139:27 | call to params | ActionController::Metal#params |
| params_flow.rb:144:10:144:15 | call to params | ActionController::Metal#params |
| params_flow.rb:145:32:145:37 | call to params | ActionController::Metal#params |
| params_flow.rb:148:22:148:27 | call to params | ActionController::Metal#params |
| params_flow.rb:153:10:153:15 | call to params | ActionController::Metal#params |
| params_flow.rb:154:32:154:37 | call to params | ActionController::Metal#params |
| params_flow.rb:157:22:157:27 | call to params | ActionController::Metal#params |
| params_flow.rb:166:10:166:15 | call to params | ActionController::Metal#params |
| params_flow.rb:172:10:172:15 | call to params | ActionController::Metal#params |
| params_flow.rb:176:10:176:15 | call to params | ActionController::Metal#params |
cookiesCalls
| controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies |
cookiesSources
| controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies |
redirectToCalls
| controllers/comments_controller.rb:40:21:40:49 | call to redirect_to |
| controllers/foo/bars_controller.rb:17:5:17:30 | call to redirect_to |
| controllers/foo/bars_controller.rb:27:5:27:39 | call to redirect_back_or_to |
| controllers/foo/bars_controller.rb:31:5:31:56 | call to redirect_back |
renderCalls
| controllers/comments_controller.rb:42:21:42:64 | call to render |
| controllers/foo/bars_controller.rb:6:5:6:37 | call to render |
| controllers/foo/bars_controller.rb:23:5:23:76 | call to render |
| controllers/foo/bars_controller.rb:35:5:35:33 | call to render |
| controllers/foo/bars_controller.rb:38:5:38:50 | call to render |
| controllers/foo/bars_controller.rb:44:5:44:17 | call to render |
httpResponses
| controllers/comments_controller.rb:11:5:11:17 | call to body= | controllers/comments_controller.rb:11:21:11:34 | ... = ... |
| controllers/comments_controller.rb:21:5:21:37 | call to send_file | controllers/comments_controller.rb:21:24:21:36 | "my-file.ext" |
| controllers/comments_controller.rb:47:5:47:20 | call to send_data | controllers/comments_controller.rb:47:15:47:20 | @photo |
| controllers/foo/bars_controller.rb:15:16:15:97 | call to render_to_string | controllers/foo/bars_controller.rb:15:33:15:47 | "foo/bars/show" |
| controllers/foo/bars_controller.rb:23:5:23:76 | call to render | controllers/foo/bars_controller.rb:23:12:23:26 | "foo/bars/show" |
| controllers/foo/bars_controller.rb:35:5:35:33 | call to render | controllers/foo/bars_controller.rb:35:18:35:33 | call to [] |
| controllers/foo/bars_controller.rb:36:12:36:67 | call to render_to_string | controllers/foo/bars_controller.rb:36:29:36:33 | @user |
| controllers/foo/bars_controller.rb:38:5:38:50 | call to render | controllers/foo/bars_controller.rb:38:12:38:22 | call to backtrace |
| controllers/foo/bars_controller.rb:44:5:44:17 | call to render | controllers/foo/bars_controller.rb:44:12:44:17 | "show" |
actionControllerHelperMethods
getAssociatedControllerClasses
controllerTemplateFiles
headerWriteAccesses
| controllers/comments_controller.rb:15:5:15:35 | call to []= | content-type | controllers/comments_controller.rb:15:39:15:49 | ... = ... |
| controllers/comments_controller.rb:16:5:16:46 | call to set_header | content-length | controllers/comments_controller.rb:16:43:16:45 | 100 |
| controllers/comments_controller.rb:17:5:17:39 | call to []= | x-custom-header | controllers/comments_controller.rb:17:43:17:46 | ... = ... |
| controllers/comments_controller.rb:18:5:18:39 | call to []= | x-another-custom-header | controllers/comments_controller.rb:18:43:18:47 | ... = ... |
| controllers/comments_controller.rb:19:5:19:49 | call to add_header | x-yet-another | controllers/comments_controller.rb:19:42:19:49 | "indeed" |
| controllers/comments_controller.rb:25:5:25:21 | call to location= | location | controllers/comments_controller.rb:25:25:25:36 | ... = ... |
| controllers/comments_controller.rb:26:5:26:26 | call to cache_control= | cache-control | controllers/comments_controller.rb:26:30:26:36 | ... = ... |
| controllers/comments_controller.rb:27:5:27:27 | call to _cache_control= | cache-control | controllers/comments_controller.rb:27:31:27:37 | ... = ... |
| controllers/comments_controller.rb:28:5:28:17 | call to etag= | etag | controllers/comments_controller.rb:28:21:28:27 | ... = ... |
| controllers/comments_controller.rb:29:5:29:20 | call to charset= | content-type | controllers/comments_controller.rb:29:24:29:30 | ... = ... |
| controllers/comments_controller.rb:30:5:30:25 | call to content_type= | content-type | controllers/comments_controller.rb:30:29:30:35 | ... = ... |
| controllers/comments_controller.rb:32:5:32:17 | call to date= | date | controllers/comments_controller.rb:32:21:32:30 | ... = ... |
| controllers/comments_controller.rb:33:5:33:26 | call to last_modified= | last-modified | controllers/comments_controller.rb:33:30:33:43 | ... = ... |
| controllers/comments_controller.rb:34:5:34:22 | call to weak_etag= | etag | controllers/comments_controller.rb:34:26:34:32 | ... = ... |
| controllers/comments_controller.rb:35:5:35:24 | call to strong_etag= | etag | controllers/comments_controller.rb:35:28:35:34 | ... = ... |
loggingCalls
| logging.rb:3:9:3:31 | call to info | logging.rb:3:21:3:31 | "some info" |
| logging.rb:4:9:4:31 | call to warn | logging.rb:4:21:4:31 | "a warning" |
| logging.rb:5:9:5:35 | call to debug | logging.rb:5:22:5:35 | call to params |
| logging.rb:7:9:7:26 | call to info | logging.rb:7:16:7:26 | "more info" |


@ -23,6 +23,12 @@ query predicate cookiesSources(CookiesSource src) { any() }
query predicate redirectToCalls(RedirectToCall c) { any() }
query predicate renderCalls(Rails::RenderCall c) { any() }
query predicate httpResponses(Http::Server::HttpResponse r, DataFlow::Node body) {
body = r.getBody()
}
query predicate actionControllerHelperMethods(ActionControllerHelperMethod m) { any() }
query predicate getAssociatedControllerClasses(ActionControllerClass cls, ErbFile f) {
@ -38,3 +44,5 @@ query predicate headerWriteAccesses(
) {
name = a.getName() and value = a.getValue()
}
query predicate loggingCalls(Logging c, DataFlow::Node input) { input = c.getAnInput() }


@ -0,0 +1,53 @@
class CommentsController < ApplicationController
def index
request.params
request.parameters
request.GET
request.POST
request.query_parameters
request.request_parameters
request.filtered_parameters
response.body = "some content"
response.status = 200
response.header["Content-Type"] = "text/html"
response.set_header("Content-Length", 100)
response.headers["X-Custom-Header"] = "hi"
response["X-Another-Custom-Header"] = "yes"
response.add_header "X-Yet-Another", "indeed"
response.send_file("my-file.ext")
response.request
response.location = "http://..." # relevant for url redirect query
response.cache_control = "value"
response._cache_control = "value"
response.etag = "value"
response.charset = "value" # sets the charset part of the content-type header
response.content_type = "value" # sets the main part of the content-type header
response.date = Date.today
response.last_modified = Date.yesterday
response.weak_etag = "value"
response.strong_etag = "value"
end
def show
respond_to do |format|
format.html { redirect_to(comment_view_url) }
format.json
format.xml { render xml: @comment.to_xml(include: @photo) }
end
end
def photo
send_data @photo
end
def destroy
body = request.body_stream
end
end
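Review bot: `response.send_file("my-file.ext")` in `index` exercises the response receiver that the `SendFile` model accepts, but as far as I can tell `send_file` is a controller method (ActionController's data-streaming helpers) rather than a method defined on `ActionDispatch::Response`, so this line is not runnable Rails code. If the intent is purely to cover the `Response::response()` receiver the model permits, a comment such as `# not real Rails API; covers the response-receiver case of the SendFile model` would save the next reader from checking. Separately, `destroy` assigns `body = request.body_stream` and never reads it; `_body = request.body_stream` keeps the request-input access the test needs while avoiding a Lint/UselessAssignment warning.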


@ -0,0 +1,46 @@
require 'json'
class BarsController < ApplicationController
def index
render template: "foo/bars/index"
end
def show_debug
user_info = JSON.load cookies[:user_info]
puts "User: #{user_info['name']}"
@user_website = params[:website]
dt = params[:text]
rendered = render_to_string "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
puts rendered
redirect_to action: "show"
end
def show
@user_website = params[:website]
dt = params[:text]
render "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
end
def go_back
redirect_back_or_to action: "index"
end
def go_back_2
redirect_back fallback_location: { action: "index" }
end
def show_2
render json: { some: "data" }
body = render_to_string @user, content_type: "application/json"
rescue => e
render e.backtrace, content_type: "text/plain"
end
private
def unreachable_action
render "show"
end
end


@ -0,0 +1,4 @@
class PhotosController < ApplicationController
def show
end
end


@ -0,0 +1,10 @@
class PostsController < ApplicationController
def index
end
def show
end
def upvote
end
end


@ -0,0 +1,2 @@
class TagsController < ActionController::Metal
end


@ -0,0 +1,6 @@
module Users
class NotificationsController < ApplicationController
def mark_as_read
end
end
end


@ -0,0 +1,9 @@
class UsersController < ActionController::Base
def index
logger.info "some info"
logger.warn "a warning"
logger.debug request.params
l = logger
l.info "more info"
end
end


@ -11,6 +11,7 @@ edges
| app/controllers/users_controller.rb:33:5:33:31 | ... = ... : | app/controllers/users_controller.rb:35:33:35:55 | ... + ... |
| app/controllers/users_controller.rb:33:19:33:25 | call to cookies : | app/controllers/users_controller.rb:33:19:33:31 | ...[...] : |
| app/controllers/users_controller.rb:33:19:33:31 | ...[...] : | app/controllers/users_controller.rb:33:5:33:31 | ... = ... : |
| app/controllers/users_controller.rb:49:19:49:24 | call to params : | app/controllers/users_controller.rb:49:19:49:30 | ...[...] |
nodes
| app/controllers/users_controller.rb:15:19:15:24 | call to params : | semmle.label | call to params : |
| app/controllers/users_controller.rb:15:19:15:30 | ...[...] : | semmle.label | ...[...] : |
@ -26,6 +27,8 @@ nodes
| app/controllers/users_controller.rb:33:19:33:31 | ...[...] : | semmle.label | ...[...] : |
| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | semmle.label | unsanitized |
| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | semmle.label | ... + ... |
| app/controllers/users_controller.rb:49:19:49:24 | call to params : | semmle.label | call to params : |
| app/controllers/users_controller.rb:49:19:49:30 | ...[...] | semmle.label | ...[...] |
subpaths
#select
| app/controllers/users_controller.rb:16:19:16:29 | unsanitized | app/controllers/users_controller.rb:15:19:15:24 | call to params : | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
@ -34,3 +37,4 @@ subpaths
| app/controllers/users_controller.rb:27:16:27:39 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params : | app/controllers/users_controller.rb:27:16:27:39 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | app/controllers/users_controller.rb:33:19:33:25 | call to cookies : | app/controllers/users_controller.rb:34:33:34:43 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value |
| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | app/controllers/users_controller.rb:33:19:33:25 | call to cookies : | app/controllers/users_controller.rb:35:33:35:55 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value |
| app/controllers/users_controller.rb:49:19:49:30 | ...[...] | app/controllers/users_controller.rb:49:19:49:24 | call to params : | app/controllers/users_controller.rb:49:19:49:30 | ...[...] | Log entry depends on a $@. | app/controllers/users_controller.rb:49:19:49:24 | call to params | user-provided value |


@ -39,7 +39,14 @@ class UsersController < ApplicationController
init_logger
sanitized = html_escape params[:baz]
@logger.debug unsanitized # GOOD: sanitized user input
@logger.debug "input: " + unsanitized # GOOD: sanitized user input
@logger.debug sanitized # GOOD: sanitized user input
@logger.debug "input: " + sanitized # GOOD: sanitized user input
end
def inspect_sanitization
init_logger
@logger.debug params[:foo] # BAD: unsanitized user input
@logger.debug params[:foo].inspect # GOOD: sanitized user input
end
end
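Review bot: The `# GOOD: sanitized user input` label on `@logger.debug sanitized` and the `"input: " + sanitized` line after it deserves qualifying in the fixture: `sanitized` comes from `html_escape`, which escapes HTML metacharacters but, as far as I can tell, leaves CR/LF untouched, so these lines are "GOOD" because the query models `html_escape` as a log-injection sanitizer, not because line breaks are neutralised. A comment such as `# GOOD: html_escape is modeled as a sanitizer (it does not strip newlines)` would make that explicit for anyone reading the fixture as guidance. By contrast, `params[:foo].inspect` in `inspect_sanitization` is a genuine neutralisation, since `String#inspect` escapes control characters. The enclosing method starts outside the hunk.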