зеркало из https://github.com/github/codeql.git
Merge pull request #12672 from hvitved/ruby/implicit-array-reads-at-sinks
Ruby: Allow for implicit array reads at all sinks during taint tracking
This commit is contained in:
Tom Hvitved
GitHub
Коммит
c0e600c515
|
|
@ -17,7 +17,10 @@ predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
|
|||
* of `c` at sinks and inputs to additional taint steps.
|
||||
*/
|
||||
bindingset[node]
|
||||
predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
|
||||
predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) {
|
||||
exists(node) and
|
||||
c.isElementOfTypeOrUnknown("int")
|
||||
}
|
||||
|
||||
private CfgNodes::ExprNodes::VariableWriteAccessCfgNode variablesInPattern(
|
||||
CfgNodes::ExprNodes::CasePatternCfgNode p
|
||||
|
|
|
|||
|
|
@ -201,11 +201,8 @@ private predicate sqlFragmentArgumentInner(DataFlow::CallNode call, DataFlow::No
|
|||
}
|
||||
|
||||
private predicate sqlFragmentArgument(DataFlow::CallNode call, DataFlow::Node sink) {
|
||||
exists(DataFlow::Node arg |
|
||||
sqlFragmentArgumentInner(call, arg) and
|
||||
sink = [arg, arg.(DataFlow::ArrayLiteralNode).getElement(0)] and
|
||||
unsafeSqlExpr(sink.asExpr().getExpr())
|
||||
)
|
||||
sqlFragmentArgumentInner(call, sink) and
|
||||
unsafeSqlExpr(sink.asExpr().getExpr())
|
||||
}
|
||||
|
||||
// An expression that, if tainted by unsanitized input, should not be used as
|
||||
|
|
|
|||
|
|
@ -210,9 +210,28 @@ module Array {
|
|||
}
|
||||
}
|
||||
|
||||
private predicate isKnownRange(RangeLiteral rl, int start, int end) {
|
||||
(
|
||||
// Either an explicit, positive beginning index...
|
||||
start = rl.getBegin().getConstantValue().getInt() and start >= 0
|
||||
or
|
||||
// Or a begin-less one, since `..n` is equivalent to `0..n`
|
||||
not exists(rl.getBegin()) and start = 0
|
||||
) and
|
||||
// There must be an explicit end. An end-less range like `2..` is not
|
||||
// treated as a known range, since we don't track the length of the array.
|
||||
exists(int e | e = rl.getEnd().getConstantValue().getInt() and e >= 0 |
|
||||
rl.isInclusive() and end = e
|
||||
or
|
||||
rl.isExclusive() and end = e - 1
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* A call to `[]` with an unknown argument, which could be either an index or
|
||||
* a range.
|
||||
* a range. To avoid spurious flow, we are going to ignore the possibility
|
||||
* that the argument might be a range (unless it is an explicit range literal,
|
||||
* see `ElementReferenceRangeReadUnknownSummary`).
|
||||
*/
|
||||
private class ElementReferenceReadUnknownSummary extends ElementReferenceReadSummary {
|
||||
ElementReferenceReadUnknownSummary() {
|
||||
|
|
@ -223,7 +242,7 @@ module Array {
|
|||
|
||||
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
|
||||
input = "Argument[self].Element[any]" and
|
||||
output = ["ReturnValue", "ReturnValue.Element[?]"] and
|
||||
output = "ReturnValue" and
|
||||
preservesValue = true
|
||||
}
|
||||
}
|
||||
|
|
@ -242,24 +261,8 @@ module Array {
|
|||
)
|
||||
or
|
||||
mc.getNumberOfArguments() = 1 and
|
||||
exists(RangeLiteral rl |
|
||||
rl = mc.getArgument(0) and
|
||||
(
|
||||
// Either an explicit, positive beginning index...
|
||||
start = rl.getBegin().getConstantValue().getInt() and start >= 0
|
||||
or
|
||||
// Or a begin-less one, since `..n` is equivalent to `0..n`
|
||||
not exists(rl.getBegin()) and start = 0
|
||||
) and
|
||||
// There must be an explicit end. An end-less range like `2..` is not
|
||||
// treated as a known range, since we don't track the length of the array.
|
||||
exists(int e | e = rl.getEnd().getConstantValue().getInt() and e >= 0 |
|
||||
rl.isInclusive() and end = e
|
||||
or
|
||||
rl.isExclusive() and end = e - 1
|
||||
) and
|
||||
this = methodName + "(" + start + ".." + end + ")"
|
||||
)
|
||||
isKnownRange(mc.getArgument(0), start, end) and
|
||||
this = methodName + "(" + start + ".." + end + ")"
|
||||
}
|
||||
|
||||
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
|
||||
|
|
@ -291,12 +294,7 @@ module Array {
|
|||
)
|
||||
or
|
||||
mc.getNumberOfArguments() = 1 and
|
||||
exists(RangeLiteral rl | rl = mc.getArgument(0) |
|
||||
exists(rl.getBegin()) and
|
||||
not exists(int b | b = rl.getBegin().getConstantValue().getInt() and b >= 0)
|
||||
or
|
||||
not exists(int e | e = rl.getEnd().getConstantValue().getInt() and e >= 0)
|
||||
)
|
||||
mc.getArgument(0) = any(RangeLiteral range | not isKnownRange(range, _, _))
|
||||
)
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -32,12 +32,6 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||
override DataFlow::FlowFeature getAFeature() {
|
||||
result instanceof DataFlow::FeatureHasSourceCallContext
|
||||
}
|
||||
|
||||
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) {
|
||||
// allow implicit reads of array elements
|
||||
this.isSink(node) and
|
||||
set.isElementOfTypeOrUnknown("int")
|
||||
}
|
||||
}
|
||||
|
||||
private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
|
||||
|
|
|
|||
|
|
@ -34,12 +34,6 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||
override DataFlow::FlowFeature getAFeature() {
|
||||
result instanceof DataFlow::FeatureHasSourceCallContext
|
||||
}
|
||||
|
||||
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) {
|
||||
// allow implicit reads of array elements
|
||||
this.isSink(node) and
|
||||
set.isElementOfTypeOrUnknown("int")
|
||||
}
|
||||
}
|
||||
|
||||
private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
|
||||
|
|
|
|||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -355,7 +355,7 @@ def m40(i)
|
|||
a = [0, 1, source(40.1), [0, source(40.2)]]
|
||||
sink(a.dig(0))
|
||||
sink(a.dig(2)) # $ hasValueFlow=40.1
|
||||
sink(a.dig(i)) # $ hasValueFlow=40.1
|
||||
sink(a.dig(i)) # $ hasValueFlow=40.1 $ hasTaintFlow=40.2
|
||||
sink(a.dig(3,0))
|
||||
sink(a.dig(3,1)) # $ hasValueFlow=40.2
|
||||
end
|
||||
|
|
@ -1214,8 +1214,9 @@ def m111(i)
|
|||
b = a.slice i
|
||||
# If `i` is an integer:
|
||||
sink b # $ hasValueFlow=111.1 $ hasValueFlow=111.2
|
||||
# If `i` is a range/aseq:
|
||||
sink b[0] # $ hasValueFlow=111.1 $ hasValueFlow=111.2
|
||||
# Could in principle happen if `i` is a range/aseq, but we don't model that
|
||||
# Instead, flow happens because the array read is lifted to a taint step
|
||||
sink b[0] # $ SPURIOUS: hasTaintFlow=111.1 $ SPURIOUS: hasTaintFlow=111.2
|
||||
|
||||
b = a.slice(2, 3)
|
||||
sink b[0] # $ hasValueFlow=111.1
|
||||
|
|
|
|||
|
|
@ -1,4 +1,3 @@
|
|||
failures
|
||||
testFailures
|
||||
| array_flow.rb:107:10:107:13 | ...[...] | Unexpected result: hasValueFlow=11.2 |
|
||||
| array_flow.rb:179:28:179:46 | # $ hasValueFlow=19 | Missing result:hasValueFlow=19 |
|
||||
|
|
@ -109,55 +108,56 @@ testFailures
|
|||
| array_flow.rb:1168:10:1168:13 | ...[...] | Unexpected result: hasValueFlow=108.2 |
|
||||
| array_flow.rb:1170:10:1170:13 | ...[...] | Unexpected result: hasValueFlow=108.1 |
|
||||
| array_flow.rb:1172:10:1172:13 | ...[...] | Unexpected result: hasValueFlow=108.2 |
|
||||
| array_flow.rb:1223:10:1223:13 | ...[...] | Unexpected result: hasValueFlow=111.1 |
|
||||
| array_flow.rb:1232:10:1232:13 | ...[...] | Unexpected result: hasValueFlow=111.1 |
|
||||
| array_flow.rb:1237:10:1237:13 | ...[...] | Unexpected result: hasValueFlow=111.1 |
|
||||
| array_flow.rb:1261:10:1261:10 | b | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1264:10:1264:13 | ...[...] | Unexpected result: hasValueFlow=112.1 |
|
||||
| array_flow.rb:1264:10:1264:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1285:10:1285:13 | ...[...] | Unexpected result: hasValueFlow=112.1 |
|
||||
| array_flow.rb:1287:10:1287:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1291:10:1291:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1296:10:1296:13 | ...[...] | Unexpected result: hasValueFlow=112.1 |
|
||||
| array_flow.rb:1298:10:1298:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1302:10:1302:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1307:10:1307:13 | ...[...] | Unexpected result: hasValueFlow=112.1 |
|
||||
| array_flow.rb:1309:10:1309:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1341:10:1341:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1345:10:1345:13 | ...[...] | Unexpected result: hasValueFlow=112.1 |
|
||||
| array_flow.rb:1448:10:1448:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1224:10:1224:13 | ...[...] | Unexpected result: hasValueFlow=111.1 |
|
||||
| array_flow.rb:1233:10:1233:13 | ...[...] | Unexpected result: hasValueFlow=111.1 |
|
||||
| array_flow.rb:1238:10:1238:13 | ...[...] | Unexpected result: hasValueFlow=111.1 |
|
||||
| array_flow.rb:1262:10:1262:10 | b | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1265:10:1265:13 | ...[...] | Unexpected result: hasValueFlow=112.1 |
|
||||
| array_flow.rb:1265:10:1265:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1286:10:1286:13 | ...[...] | Unexpected result: hasValueFlow=112.1 |
|
||||
| array_flow.rb:1288:10:1288:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1292:10:1292:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1297:10:1297:13 | ...[...] | Unexpected result: hasValueFlow=112.1 |
|
||||
| array_flow.rb:1299:10:1299:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1303:10:1303:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1308:10:1308:13 | ...[...] | Unexpected result: hasValueFlow=112.1 |
|
||||
| array_flow.rb:1310:10:1310:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1342:10:1342:13 | ...[...] | Unexpected result: hasValueFlow=112.2 |
|
||||
| array_flow.rb:1346:10:1346:13 | ...[...] | Unexpected result: hasValueFlow=112.1 |
|
||||
| array_flow.rb:1449:10:1449:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1450:10:1450:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1451:10:1451:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1453:10:1453:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1452:10:1452:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1454:10:1454:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1455:10:1455:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1456:10:1456:13 | ...[...] | Unexpected result: hasValueFlow=121.2 |
|
||||
| array_flow.rb:1456:10:1456:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1457:10:1457:13 | ...[...] | Unexpected result: hasValueFlow=121.2 |
|
||||
| array_flow.rb:1457:10:1457:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1459:10:1459:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1458:10:1458:13 | ...[...] | Unexpected result: hasValueFlow=121.2 |
|
||||
| array_flow.rb:1458:10:1458:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1460:10:1460:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1461:10:1461:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1462:10:1462:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1463:10:1463:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1511:18:1511:39 | # $ hasValueFlow=128.1 | Missing result:hasValueFlow=128.1 |
|
||||
| array_flow.rb:1512:18:1512:39 | # $ hasValueFlow=128.2 | Missing result:hasValueFlow=128.2 |
|
||||
| array_flow.rb:1513:18:1513:39 | # $ hasValueFlow=128.3 | Missing result:hasValueFlow=128.3 |
|
||||
| array_flow.rb:1562:10:1562:13 | ...[...] | Unexpected result: hasValueFlow=132.1 |
|
||||
| array_flow.rb:1562:10:1562:13 | ...[...] | Unexpected result: hasValueFlow=132.2 |
|
||||
| array_flow.rb:1464:10:1464:13 | ...[...] | Unexpected result: hasValueFlow=121.3 |
|
||||
| array_flow.rb:1512:18:1512:39 | # $ hasValueFlow=128.1 | Missing result:hasValueFlow=128.1 |
|
||||
| array_flow.rb:1513:18:1513:39 | # $ hasValueFlow=128.2 | Missing result:hasValueFlow=128.2 |
|
||||
| array_flow.rb:1514:18:1514:39 | # $ hasValueFlow=128.3 | Missing result:hasValueFlow=128.3 |
|
||||
| array_flow.rb:1563:10:1563:13 | ...[...] | Unexpected result: hasValueFlow=132.1 |
|
||||
| array_flow.rb:1563:10:1563:13 | ...[...] | Unexpected result: hasValueFlow=132.2 |
|
||||
| array_flow.rb:1564:10:1564:13 | ...[...] | Unexpected result: hasValueFlow=132.1 |
|
||||
| array_flow.rb:1564:10:1564:13 | ...[...] | Unexpected result: hasValueFlow=132.2 |
|
||||
| array_flow.rb:1565:10:1565:13 | ...[...] | Unexpected result: hasValueFlow=132.1 |
|
||||
| array_flow.rb:1565:10:1565:13 | ...[...] | Unexpected result: hasValueFlow=132.2 |
|
||||
| array_flow.rb:1566:10:1566:13 | ...[...] | Unexpected result: hasValueFlow=132.1 |
|
||||
| array_flow.rb:1566:10:1566:13 | ...[...] | Unexpected result: hasValueFlow=132.2 |
|
||||
| array_flow.rb:1567:10:1567:13 | ...[...] | Unexpected result: hasValueFlow=132.1 |
|
||||
| array_flow.rb:1567:10:1567:13 | ...[...] | Unexpected result: hasValueFlow=132.2 |
|
||||
| array_flow.rb:1600:18:1600:39 | # $ hasValueFlow=134.3 | Missing result:hasValueFlow=134.3 |
|
||||
| array_flow.rb:1601:18:1601:39 | # $ hasValueFlow=134.2 | Missing result:hasValueFlow=134.2 |
|
||||
| array_flow.rb:1602:18:1602:39 | # $ hasValueFlow=134.1 | Missing result:hasValueFlow=134.1 |
|
||||
| array_flow.rb:1622:19:1622:40 | # $ hasValueFlow=136.1 | Missing result:hasValueFlow=136.1 |
|
||||
| array_flow.rb:1625:19:1625:70 | # $ hasValueFlow=136.2 $ SPURIOUS hasValueFlow=136.1 | Missing result:hasValueFlow=136.1 |
|
||||
| array_flow.rb:1625:19:1625:70 | # $ hasValueFlow=136.2 $ SPURIOUS hasValueFlow=136.1 | Missing result:hasValueFlow=136.2 |
|
||||
| array_flow.rb:1626:19:1626:40 | # $ hasValueFlow=136.1 | Missing result:hasValueFlow=136.1 |
|
||||
| array_flow.rb:1568:10:1568:13 | ...[...] | Unexpected result: hasValueFlow=132.2 |
|
||||
| array_flow.rb:1601:18:1601:39 | # $ hasValueFlow=134.3 | Missing result:hasValueFlow=134.3 |
|
||||
| array_flow.rb:1602:18:1602:39 | # $ hasValueFlow=134.2 | Missing result:hasValueFlow=134.2 |
|
||||
| array_flow.rb:1603:18:1603:39 | # $ hasValueFlow=134.1 | Missing result:hasValueFlow=134.1 |
|
||||
| array_flow.rb:1623:19:1623:40 | # $ hasValueFlow=136.1 | Missing result:hasValueFlow=136.1 |
|
||||
| array_flow.rb:1626:19:1626:70 | # $ hasValueFlow=136.2 $ SPURIOUS hasValueFlow=136.1 | Missing result:hasValueFlow=136.1 |
|
||||
| array_flow.rb:1626:19:1626:70 | # $ hasValueFlow=136.2 $ SPURIOUS hasValueFlow=136.1 | Missing result:hasValueFlow=136.2 |
|
||||
| array_flow.rb:1627:19:1627:40 | # $ hasValueFlow=136.1 | Missing result:hasValueFlow=136.1 |
|
||||
failures
|
||||
|
|
|
|||
|
|
@ -74,10 +74,14 @@ edges
|
|||
| semantics.rb:60:5:60:5 | a | semantics.rb:66:14:66:15 | &... |
|
||||
| semantics.rb:60:9:60:18 | call to source | semantics.rb:60:5:60:5 | a |
|
||||
| semantics.rb:60:9:60:18 | call to source | semantics.rb:60:5:60:5 | a |
|
||||
| semantics.rb:61:10:61:15 | call to s10 [element 0] | semantics.rb:61:10:61:15 | call to s10 |
|
||||
| semantics.rb:61:14:61:14 | a | semantics.rb:61:10:61:15 | call to s10 |
|
||||
| semantics.rb:61:14:61:14 | a | semantics.rb:61:10:61:15 | call to s10 |
|
||||
| semantics.rb:61:14:61:14 | a | semantics.rb:61:10:61:15 | call to s10 [element 0] |
|
||||
| semantics.rb:62:10:62:18 | call to s10 [element 1] | semantics.rb:62:10:62:18 | call to s10 |
|
||||
| semantics.rb:62:17:62:17 | a | semantics.rb:62:10:62:18 | call to s10 |
|
||||
| semantics.rb:62:17:62:17 | a | semantics.rb:62:10:62:18 | call to s10 |
|
||||
| semantics.rb:62:17:62:17 | a | semantics.rb:62:10:62:18 | call to s10 [element 1] |
|
||||
| semantics.rb:63:19:63:19 | a | semantics.rb:63:10:63:20 | call to s10 |
|
||||
| semantics.rb:63:19:63:19 | a | semantics.rb:63:10:63:20 | call to s10 |
|
||||
| semantics.rb:64:27:64:27 | a | semantics.rb:64:10:64:28 | call to s10 |
|
||||
|
|
@ -1118,10 +1122,12 @@ nodes
|
|||
| semantics.rb:60:9:60:18 | call to source | semmle.label | call to source |
|
||||
| semantics.rb:61:10:61:15 | call to s10 | semmle.label | call to s10 |
|
||||
| semantics.rb:61:10:61:15 | call to s10 | semmle.label | call to s10 |
|
||||
| semantics.rb:61:10:61:15 | call to s10 [element 0] | semmle.label | call to s10 [element 0] |
|
||||
| semantics.rb:61:14:61:14 | a | semmle.label | a |
|
||||
| semantics.rb:61:14:61:14 | a | semmle.label | a |
|
||||
| semantics.rb:62:10:62:18 | call to s10 | semmle.label | call to s10 |
|
||||
| semantics.rb:62:10:62:18 | call to s10 | semmle.label | call to s10 |
|
||||
| semantics.rb:62:10:62:18 | call to s10 [element 1] | semmle.label | call to s10 [element 1] |
|
||||
| semantics.rb:62:17:62:17 | a | semmle.label | a |
|
||||
| semantics.rb:62:17:62:17 | a | semmle.label | a |
|
||||
| semantics.rb:63:10:63:20 | call to s10 | semmle.label | call to s10 |
|
||||
|
|
|
|||
|
|
@ -216,7 +216,7 @@ def m_partition
|
|||
sink b[0] # $ hasTaintFlow=a
|
||||
sink b[1] # $ hasTaintFlow=a
|
||||
sink b[2] # $ hasTaintFlow=a
|
||||
sink b[3]
|
||||
sink b[3] # $ hasTaintFlow=a (because of the flow summary for Array#partition)
|
||||
end
|
||||
|
||||
def m_replace
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@ edges
|
|||
| summaries.rb:1:11:1:36 | call to identity | summaries.rb:128:14:128:20 | tainted |
|
||||
| summaries.rb:1:11:1:36 | call to identity | summaries.rb:131:16:131:22 | tainted |
|
||||
| summaries.rb:1:11:1:36 | call to identity | summaries.rb:131:16:131:22 | tainted |
|
||||
| summaries.rb:1:11:1:36 | call to identity | summaries.rb:131:16:131:22 | tainted |
|
||||
| summaries.rb:1:11:1:36 | call to identity | summaries.rb:132:21:132:27 | tainted |
|
||||
| summaries.rb:1:11:1:36 | call to identity | summaries.rb:132:21:132:27 | tainted |
|
||||
| summaries.rb:1:11:1:36 | call to identity | summaries.rb:135:26:135:32 | tainted |
|
||||
|
|
@ -229,6 +230,7 @@ edges
|
|||
| summaries.rb:112:6:112:6 | x [@value] | summaries.rb:112:6:112:16 | call to get_value |
|
||||
| summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:128:14:128:20 | tainted |
|
||||
| summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:131:16:131:22 | tainted |
|
||||
| summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:131:16:131:22 | tainted |
|
||||
| summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:132:21:132:27 | tainted |
|
||||
| summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:135:26:135:32 | tainted |
|
||||
| summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:137:23:137:29 | tainted |
|
||||
|
|
@ -248,6 +250,7 @@ edges
|
|||
| summaries.rb:122:33:122:33 | [post] z | summaries.rb:125:6:125:6 | z |
|
||||
| summaries.rb:128:1:128:1 | [post] x | summaries.rb:129:6:129:6 | x |
|
||||
| summaries.rb:128:14:128:20 | tainted | summaries.rb:128:1:128:1 | [post] x |
|
||||
| summaries.rb:131:16:131:22 | tainted | summaries.rb:131:1:131:23 | * |
|
||||
| summaries.rb:157:14:160:3 | do ... end [captured tainted] | summaries.rb:158:15:158:21 | tainted |
|
||||
| summaries.rb:157:14:160:3 | do ... end [captured tainted] | summaries.rb:158:15:158:21 | tainted |
|
||||
nodes
|
||||
|
|
@ -466,6 +469,8 @@ nodes
|
|||
| summaries.rb:128:1:128:1 | [post] x | semmle.label | [post] x |
|
||||
| summaries.rb:128:14:128:20 | tainted | semmle.label | tainted |
|
||||
| summaries.rb:129:6:129:6 | x | semmle.label | x |
|
||||
| summaries.rb:131:1:131:23 | * | semmle.label | * |
|
||||
| summaries.rb:131:16:131:22 | tainted | semmle.label | tainted |
|
||||
| summaries.rb:131:16:131:22 | tainted | semmle.label | tainted |
|
||||
| summaries.rb:131:16:131:22 | tainted | semmle.label | tainted |
|
||||
| summaries.rb:132:21:132:27 | tainted | semmle.label | tainted |
|
||||
|
|
@ -579,6 +584,7 @@ invalidSpecComponent
|
|||
| summaries.rb:124:6:124:6 | y | summaries.rb:1:20:1:36 | call to source | summaries.rb:124:6:124:6 | y | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
|
||||
| summaries.rb:125:6:125:6 | z | summaries.rb:1:20:1:36 | call to source | summaries.rb:125:6:125:6 | z | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
|
||||
| summaries.rb:129:6:129:6 | x | summaries.rb:1:20:1:36 | call to source | summaries.rb:129:6:129:6 | x | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
|
||||
| summaries.rb:131:1:131:23 | * | summaries.rb:1:20:1:36 | call to source | summaries.rb:131:1:131:23 | * | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
|
||||
| summaries.rb:131:16:131:22 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:131:16:131:22 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
|
||||
| summaries.rb:131:16:131:22 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:131:16:131:22 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
|
||||
| summaries.rb:132:21:132:27 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:132:21:132:27 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
|
||||
|
|
|
|||
|
|
@ -128,7 +128,7 @@ x = Foo.new
|
|||
x.flowToSelf(tainted)
|
||||
sink(x) # $ hasTaintFlow=tainted
|
||||
|
||||
Foo.sinkAnyArg(tainted) # $ hasValueFlow=tainted
|
||||
Foo.sinkAnyArg(tainted) # $ hasValueFlow=tainted $ hasTaintFlow=tainted
|
||||
Foo.sinkAnyArg(key: tainted) # $ hasValueFlow=tainted
|
||||
|
||||
Foo.sinkAnyNamedArg(tainted)
|
||||
|
|
|
|||
|
|
@ -159,9 +159,7 @@ track
|
|||
| type_tracker.rb:34:18:34:20 | obj | type tracker without call steps | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:34:18:34:20 | obj | type tracker without call steps | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:34:18:34:20 | obj | type tracker without call steps with content element | type_tracker.rb:38:13:38:25 | call to [] |
|
||||
| type_tracker.rb:34:18:34:20 | obj | type tracker without call steps with content element | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:34:18:34:20 | obj | type tracker without call steps with content element | type_tracker.rb:50:14:50:26 | call to [] |
|
||||
| type_tracker.rb:34:18:34:20 | obj | type tracker without call steps with content element | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:34:18:34:20 | obj | type tracker without call steps with content element 0 | type_tracker.rb:35:11:35:15 | * |
|
||||
| type_tracker.rb:34:18:34:20 | obj | type tracker without call steps with content element 0 or unknown | type_tracker.rb:35:11:35:15 | call to [] |
|
||||
| type_tracker.rb:34:18:34:20 | obj | type tracker without call steps with content element 0 or unknown | type_tracker.rb:42:14:42:26 | call to [] |
|
||||
|
|
@ -223,32 +221,26 @@ track
|
|||
| type_tracker.rb:42:14:42:26 | call to [] | type tracker without call steps | type_tracker.rb:42:14:42:26 | call to [] |
|
||||
| type_tracker.rb:42:15:42:15 | 1 | type tracker without call steps | type_tracker.rb:42:15:42:15 | 1 |
|
||||
| type_tracker.rb:42:15:42:15 | 1 | type tracker without call steps | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:15:42:15 | 1 | type tracker without call steps with content element | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:15:42:15 | 1 | type tracker without call steps with content element 0 | type_tracker.rb:42:14:42:26 | * |
|
||||
| type_tracker.rb:42:15:42:15 | 1 | type tracker without call steps with content element 0 or unknown | type_tracker.rb:42:14:42:26 | call to [] |
|
||||
| type_tracker.rb:42:17:42:17 | 2 | type tracker without call steps | type_tracker.rb:42:17:42:17 | 2 |
|
||||
| type_tracker.rb:42:17:42:17 | 2 | type tracker without call steps | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:17:42:17 | 2 | type tracker without call steps with content element | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:17:42:17 | 2 | type tracker without call steps with content element 1 | type_tracker.rb:42:14:42:26 | * |
|
||||
| type_tracker.rb:42:17:42:17 | 2 | type tracker without call steps with content element 1 or unknown | type_tracker.rb:42:14:42:26 | call to [] |
|
||||
| type_tracker.rb:42:19:42:19 | 3 | type tracker without call steps | type_tracker.rb:42:19:42:19 | 3 |
|
||||
| type_tracker.rb:42:19:42:19 | 3 | type tracker without call steps | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:19:42:19 | 3 | type tracker without call steps with content element | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:19:42:19 | 3 | type tracker without call steps with content element 2 | type_tracker.rb:42:14:42:26 | * |
|
||||
| type_tracker.rb:42:19:42:19 | 3 | type tracker without call steps with content element 2 or unknown | type_tracker.rb:42:14:42:26 | call to [] |
|
||||
| type_tracker.rb:42:21:42:21 | 4 | type tracker without call steps | type_tracker.rb:42:21:42:21 | 4 |
|
||||
| type_tracker.rb:42:21:42:21 | 4 | type tracker without call steps | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:21:42:21 | 4 | type tracker without call steps with content element | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:21:42:21 | 4 | type tracker without call steps with content element 3 | type_tracker.rb:42:14:42:26 | * |
|
||||
| type_tracker.rb:42:21:42:21 | 4 | type tracker without call steps with content element 3 or unknown | type_tracker.rb:42:14:42:26 | call to [] |
|
||||
| type_tracker.rb:42:23:42:23 | 5 | type tracker without call steps | type_tracker.rb:42:23:42:23 | 5 |
|
||||
| type_tracker.rb:42:23:42:23 | 5 | type tracker without call steps | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:23:42:23 | 5 | type tracker without call steps with content element | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:23:42:23 | 5 | type tracker without call steps with content element 4 | type_tracker.rb:42:14:42:26 | * |
|
||||
| type_tracker.rb:42:23:42:23 | 5 | type tracker without call steps with content element 4 or unknown | type_tracker.rb:42:14:42:26 | call to [] |
|
||||
| type_tracker.rb:42:25:42:25 | 6 | type tracker without call steps | type_tracker.rb:42:25:42:25 | 6 |
|
||||
| type_tracker.rb:42:25:42:25 | 6 | type tracker without call steps | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:25:42:25 | 6 | type tracker without call steps with content element | type_tracker.rb:44:5:44:13 | ...[...] |
|
||||
| type_tracker.rb:42:25:42:25 | 6 | type tracker without call steps with content element 5 | type_tracker.rb:42:14:42:26 | * |
|
||||
| type_tracker.rb:42:25:42:25 | 6 | type tracker without call steps with content element 5 or unknown | type_tracker.rb:42:14:42:26 | call to [] |
|
||||
| type_tracker.rb:43:5:43:10 | [post] array2 | type tracker without call steps | type_tracker.rb:43:5:43:10 | [post] array2 |
|
||||
|
|
@ -298,32 +290,26 @@ track
|
|||
| type_tracker.rb:50:14:50:26 | call to [] | type tracker without call steps | type_tracker.rb:50:14:50:26 | call to [] |
|
||||
| type_tracker.rb:50:15:50:15 | 1 | type tracker without call steps | type_tracker.rb:50:15:50:15 | 1 |
|
||||
| type_tracker.rb:50:15:50:15 | 1 | type tracker without call steps | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:15:50:15 | 1 | type tracker without call steps with content element | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:15:50:15 | 1 | type tracker without call steps with content element 0 | type_tracker.rb:50:14:50:26 | * |
|
||||
| type_tracker.rb:50:15:50:15 | 1 | type tracker without call steps with content element 0 or unknown | type_tracker.rb:50:14:50:26 | call to [] |
|
||||
| type_tracker.rb:50:17:50:17 | 2 | type tracker without call steps | type_tracker.rb:50:17:50:17 | 2 |
|
||||
| type_tracker.rb:50:17:50:17 | 2 | type tracker without call steps | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:17:50:17 | 2 | type tracker without call steps with content element | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:17:50:17 | 2 | type tracker without call steps with content element 1 | type_tracker.rb:50:14:50:26 | * |
|
||||
| type_tracker.rb:50:17:50:17 | 2 | type tracker without call steps with content element 1 or unknown | type_tracker.rb:50:14:50:26 | call to [] |
|
||||
| type_tracker.rb:50:19:50:19 | 3 | type tracker without call steps | type_tracker.rb:50:19:50:19 | 3 |
|
||||
| type_tracker.rb:50:19:50:19 | 3 | type tracker without call steps | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:19:50:19 | 3 | type tracker without call steps with content element | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:19:50:19 | 3 | type tracker without call steps with content element 2 | type_tracker.rb:50:14:50:26 | * |
|
||||
| type_tracker.rb:50:19:50:19 | 3 | type tracker without call steps with content element 2 or unknown | type_tracker.rb:50:14:50:26 | call to [] |
|
||||
| type_tracker.rb:50:21:50:21 | 4 | type tracker without call steps | type_tracker.rb:50:21:50:21 | 4 |
|
||||
| type_tracker.rb:50:21:50:21 | 4 | type tracker without call steps | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:21:50:21 | 4 | type tracker without call steps with content element | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:21:50:21 | 4 | type tracker without call steps with content element 3 | type_tracker.rb:50:14:50:26 | * |
|
||||
| type_tracker.rb:50:21:50:21 | 4 | type tracker without call steps with content element 3 or unknown | type_tracker.rb:50:14:50:26 | call to [] |
|
||||
| type_tracker.rb:50:23:50:23 | 5 | type tracker without call steps | type_tracker.rb:50:23:50:23 | 5 |
|
||||
| type_tracker.rb:50:23:50:23 | 5 | type tracker without call steps | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:23:50:23 | 5 | type tracker without call steps with content element | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:23:50:23 | 5 | type tracker without call steps with content element 4 | type_tracker.rb:50:14:50:26 | * |
|
||||
| type_tracker.rb:50:23:50:23 | 5 | type tracker without call steps with content element 4 or unknown | type_tracker.rb:50:14:50:26 | call to [] |
|
||||
| type_tracker.rb:50:25:50:25 | 6 | type tracker without call steps | type_tracker.rb:50:25:50:25 | 6 |
|
||||
| type_tracker.rb:50:25:50:25 | 6 | type tracker without call steps | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:25:50:25 | 6 | type tracker without call steps with content element | type_tracker.rb:52:5:52:13 | ...[...] |
|
||||
| type_tracker.rb:50:25:50:25 | 6 | type tracker without call steps with content element 5 | type_tracker.rb:50:14:50:26 | * |
|
||||
| type_tracker.rb:50:25:50:25 | 6 | type tracker without call steps with content element 5 or unknown | type_tracker.rb:50:14:50:26 | call to [] |
|
||||
| type_tracker.rb:51:5:51:10 | [post] array4 | type tracker without call steps | type_tracker.rb:51:5:51:10 | [post] array4 |
|
||||
|
|
|
|||
|
|
@ -60,20 +60,32 @@ edges
|
|||
| params_flow.rb:83:10:83:15 | call to params | params_flow.rb:83:10:83:27 | call to to_unsafe_h |
|
||||
| params_flow.rb:87:10:87:15 | call to params | params_flow.rb:87:10:87:30 | call to to_unsafe_hash |
|
||||
| params_flow.rb:91:10:91:15 | call to params | params_flow.rb:91:10:91:40 | call to transform_keys |
|
||||
| params_flow.rb:91:10:91:15 | call to params | params_flow.rb:91:10:91:40 | call to transform_keys [element] |
|
||||
| params_flow.rb:91:10:91:40 | call to transform_keys [element] | params_flow.rb:91:10:91:40 | call to transform_keys |
|
||||
| params_flow.rb:95:10:95:15 | call to params | params_flow.rb:95:10:95:41 | call to transform_keys! |
|
||||
| params_flow.rb:99:10:99:15 | call to params | params_flow.rb:99:10:99:42 | call to transform_values |
|
||||
| params_flow.rb:103:10:103:15 | call to params | params_flow.rb:103:10:103:43 | call to transform_values! |
|
||||
| params_flow.rb:107:10:107:15 | call to params | params_flow.rb:107:10:107:33 | call to values_at |
|
||||
| params_flow.rb:107:10:107:15 | call to params | params_flow.rb:107:10:107:33 | call to values_at [element 0] |
|
||||
| params_flow.rb:107:10:107:15 | call to params | params_flow.rb:107:10:107:33 | call to values_at [element 1] |
|
||||
| params_flow.rb:107:10:107:33 | call to values_at [element 0] | params_flow.rb:107:10:107:33 | call to values_at |
|
||||
| params_flow.rb:107:10:107:33 | call to values_at [element 1] | params_flow.rb:107:10:107:33 | call to values_at |
|
||||
| params_flow.rb:111:10:111:15 | call to params | params_flow.rb:111:10:111:29 | call to merge |
|
||||
| params_flow.rb:112:10:112:29 | call to merge [element 0] | params_flow.rb:112:10:112:29 | call to merge |
|
||||
| params_flow.rb:112:23:112:28 | call to params | params_flow.rb:112:10:112:29 | call to merge |
|
||||
| params_flow.rb:112:23:112:28 | call to params | params_flow.rb:112:10:112:29 | call to merge [element 0] |
|
||||
| params_flow.rb:116:10:116:15 | call to params | params_flow.rb:116:10:116:37 | call to reverse_merge |
|
||||
| params_flow.rb:117:31:117:36 | call to params | params_flow.rb:117:10:117:37 | call to reverse_merge |
|
||||
| params_flow.rb:121:10:121:15 | call to params | params_flow.rb:121:10:121:43 | call to with_defaults |
|
||||
| params_flow.rb:122:31:122:36 | call to params | params_flow.rb:122:10:122:37 | call to with_defaults |
|
||||
| params_flow.rb:126:10:126:15 | call to params | params_flow.rb:126:10:126:30 | call to merge! |
|
||||
| params_flow.rb:127:10:127:30 | call to merge! [element 0] | params_flow.rb:127:10:127:30 | call to merge! |
|
||||
| params_flow.rb:127:24:127:29 | call to params | params_flow.rb:127:10:127:30 | call to merge! |
|
||||
| params_flow.rb:127:24:127:29 | call to params | params_flow.rb:127:10:127:30 | call to merge! [element 0] |
|
||||
| params_flow.rb:130:5:130:5 | [post] p | params_flow.rb:131:10:131:10 | p |
|
||||
| params_flow.rb:130:5:130:5 | [post] p [element 0] | params_flow.rb:131:10:131:10 | p |
|
||||
| params_flow.rb:130:14:130:19 | call to params | params_flow.rb:130:5:130:5 | [post] p |
|
||||
| params_flow.rb:130:14:130:19 | call to params | params_flow.rb:130:5:130:5 | [post] p [element 0] |
|
||||
| params_flow.rb:135:10:135:15 | call to params | params_flow.rb:135:10:135:38 | call to reverse_merge! |
|
||||
| params_flow.rb:136:32:136:37 | call to params | params_flow.rb:136:10:136:38 | call to reverse_merge! |
|
||||
| params_flow.rb:139:5:139:5 | [post] p | params_flow.rb:140:10:140:10 | p |
|
||||
|
|
@ -172,6 +184,7 @@ nodes
|
|||
| params_flow.rb:87:10:87:30 | call to to_unsafe_hash | semmle.label | call to to_unsafe_hash |
|
||||
| params_flow.rb:91:10:91:15 | call to params | semmle.label | call to params |
|
||||
| params_flow.rb:91:10:91:40 | call to transform_keys | semmle.label | call to transform_keys |
|
||||
| params_flow.rb:91:10:91:40 | call to transform_keys [element] | semmle.label | call to transform_keys [element] |
|
||||
| params_flow.rb:95:10:95:15 | call to params | semmle.label | call to params |
|
||||
| params_flow.rb:95:10:95:41 | call to transform_keys! | semmle.label | call to transform_keys! |
|
||||
| params_flow.rb:99:10:99:15 | call to params | semmle.label | call to params |
|
||||
|
|
@ -180,9 +193,12 @@ nodes
|
|||
| params_flow.rb:103:10:103:43 | call to transform_values! | semmle.label | call to transform_values! |
|
||||
| params_flow.rb:107:10:107:15 | call to params | semmle.label | call to params |
|
||||
| params_flow.rb:107:10:107:33 | call to values_at | semmle.label | call to values_at |
|
||||
| params_flow.rb:107:10:107:33 | call to values_at [element 0] | semmle.label | call to values_at [element 0] |
|
||||
| params_flow.rb:107:10:107:33 | call to values_at [element 1] | semmle.label | call to values_at [element 1] |
|
||||
| params_flow.rb:111:10:111:15 | call to params | semmle.label | call to params |
|
||||
| params_flow.rb:111:10:111:29 | call to merge | semmle.label | call to merge |
|
||||
| params_flow.rb:112:10:112:29 | call to merge | semmle.label | call to merge |
|
||||
| params_flow.rb:112:10:112:29 | call to merge [element 0] | semmle.label | call to merge [element 0] |
|
||||
| params_flow.rb:112:23:112:28 | call to params | semmle.label | call to params |
|
||||
| params_flow.rb:116:10:116:15 | call to params | semmle.label | call to params |
|
||||
| params_flow.rb:116:10:116:37 | call to reverse_merge | semmle.label | call to reverse_merge |
|
||||
|
|
@ -195,8 +211,10 @@ nodes
|
|||
| params_flow.rb:126:10:126:15 | call to params | semmle.label | call to params |
|
||||
| params_flow.rb:126:10:126:30 | call to merge! | semmle.label | call to merge! |
|
||||
| params_flow.rb:127:10:127:30 | call to merge! | semmle.label | call to merge! |
|
||||
| params_flow.rb:127:10:127:30 | call to merge! [element 0] | semmle.label | call to merge! [element 0] |
|
||||
| params_flow.rb:127:24:127:29 | call to params | semmle.label | call to params |
|
||||
| params_flow.rb:130:5:130:5 | [post] p | semmle.label | [post] p |
|
||||
| params_flow.rb:130:5:130:5 | [post] p [element 0] | semmle.label | [post] p [element 0] |
|
||||
| params_flow.rb:130:14:130:19 | call to params | semmle.label | call to params |
|
||||
| params_flow.rb:131:10:131:10 | p | semmle.label | p |
|
||||
| params_flow.rb:135:10:135:15 | call to params | semmle.label | call to params |
|
||||
|
|
|
|||
|
|
@ -109,7 +109,6 @@ activeRecordSqlExecutionRanges
|
|||
| ActiveRecord.rb:28:30:28:44 | ...[...] |
|
||||
| ActiveRecord.rb:29:20:29:42 | "id = '#{...}'" |
|
||||
| ActiveRecord.rb:30:21:30:45 | call to [] |
|
||||
| ActiveRecord.rb:30:22:30:44 | "id = '#{...}'" |
|
||||
| ActiveRecord.rb:31:16:31:21 | <<-SQL |
|
||||
| ActiveRecord.rb:34:20:34:47 | "user.id = '#{...}'" |
|
||||
| ActiveRecord.rb:46:20:46:32 | ... + ... |
|
||||
|
|
|
|||
|
|
@ -244,7 +244,7 @@ def m_safe_buffer_insert
|
|||
b = source "b"
|
||||
x = ActionView::SafeBuffer.new(a)
|
||||
y = x.insert(i, b)
|
||||
sink y # $hasTaintFlow=a
|
||||
sink y # $hasTaintFlow=a $hasTaintFlow=b
|
||||
end
|
||||
|
||||
def m_safe_buffer_prepend
|
||||
|
|
|
|||
|
|
@ -24,13 +24,19 @@ edges
|
|||
| app/controllers/foo/bars_controller.rb:30:5:30:7 | str | app/controllers/foo/bars_controller.rb:31:5:31:7 | str |
|
||||
| app/controllers/foo/bars_controller.rb:30:11:30:16 | call to params | app/controllers/foo/bars_controller.rb:30:11:30:28 | ...[...] |
|
||||
| app/controllers/foo/bars_controller.rb:30:11:30:28 | ...[...] | app/controllers/foo/bars_controller.rb:30:5:30:7 | str |
|
||||
| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text [element] | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text, element] | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] [element] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text] | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] [element] | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
|
||||
| app/views/foo/bars/show.html.erb:8:9:8:21 | call to local_assigns [element :display_text] | app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] |
|
||||
| app/views/foo/bars/show.html.erb:12:9:12:21 | call to local_assigns [element :display_text] | app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] |
|
||||
| app/views/foo/bars/show.html.erb:17:15:17:27 | call to local_assigns [element :display_text] | app/views/foo/bars/show.html.erb:17:15:17:32 | ...[...] |
|
||||
| app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
|
||||
| app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... | app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text] |
|
||||
| app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... [element] | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text [element] |
|
||||
| app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... [element] | app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text, element] |
|
||||
| app/views/foo/bars/show.html.erb:43:76:43:87 | call to display_text | app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... |
|
||||
| app/views/foo/bars/show.html.erb:43:76:43:87 | call to display_text | app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... [element] |
|
||||
| app/views/foo/bars/show.html.erb:53:29:53:34 | call to params | app/views/foo/bars/show.html.erb:53:29:53:44 | ...[...] |
|
||||
| app/views/foo/bars/show.html.erb:56:13:56:18 | call to params | app/views/foo/bars/show.html.erb:56:13:56:28 | ...[...] |
|
||||
| app/views/foo/bars/show.html.erb:73:19:73:24 | call to params | app/views/foo/bars/show.html.erb:73:19:73:34 | ...[...] |
|
||||
|
|
@ -56,8 +62,11 @@ nodes
|
|||
| app/controllers/foo/bars_controller.rb:30:11:30:28 | ...[...] | semmle.label | ...[...] |
|
||||
| app/controllers/foo/bars_controller.rb:31:5:31:7 | str | semmle.label | str |
|
||||
| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | semmle.label | call to display_text |
|
||||
| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text [element] | semmle.label | call to display_text [element] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text, element] | semmle.label | call to local_assigns [element :display_text, element] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text] | semmle.label | call to local_assigns [element :display_text] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | semmle.label | ...[...] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] [element] | semmle.label | ...[...] [element] |
|
||||
| app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | semmle.label | @user_website |
|
||||
| app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text | semmle.label | call to display_text |
|
||||
| app/views/foo/bars/show.html.erb:8:9:8:21 | call to local_assigns [element :display_text] | semmle.label | call to local_assigns [element :display_text] |
|
||||
|
|
@ -69,6 +78,7 @@ nodes
|
|||
| app/views/foo/bars/show.html.erb:35:3:35:14 | call to display_text | semmle.label | call to display_text |
|
||||
| app/views/foo/bars/show.html.erb:40:3:40:16 | @instance_text | semmle.label | @instance_text |
|
||||
| app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... | semmle.label | ... + ... |
|
||||
| app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... [element] | semmle.label | ... + ... [element] |
|
||||
| app/views/foo/bars/show.html.erb:43:76:43:87 | call to display_text | semmle.label | call to display_text |
|
||||
| app/views/foo/bars/show.html.erb:46:5:46:13 | call to user_name | semmle.label | call to user_name |
|
||||
| app/views/foo/bars/show.html.erb:50:5:50:18 | call to user_name_memo | semmle.label | call to user_name_memo |
|
||||
|
|
|
|||
|
|
@ -9,13 +9,19 @@ edges
|
|||
| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt | app/views/foo/stores/show.html.erb:14:15:14:27 | call to local_assigns [element :display_text] |
|
||||
| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt | app/views/foo/stores/show.html.erb:32:3:32:14 | call to display_text |
|
||||
| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt | app/views/foo/stores/show.html.erb:40:76:40:87 | call to display_text |
|
||||
| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text [element] | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text, element] | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] [element] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text] | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] [element] | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
|
||||
| app/views/foo/stores/show.html.erb:5:9:5:21 | call to local_assigns [element :display_text] | app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] |
|
||||
| app/views/foo/stores/show.html.erb:9:9:9:21 | call to local_assigns [element :display_text] | app/views/foo/stores/show.html.erb:9:9:9:26 | ...[...] |
|
||||
| app/views/foo/stores/show.html.erb:14:15:14:27 | call to local_assigns [element :display_text] | app/views/foo/stores/show.html.erb:14:15:14:32 | ...[...] |
|
||||
| app/views/foo/stores/show.html.erb:40:64:40:87 | ... + ... | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
|
||||
| app/views/foo/stores/show.html.erb:40:64:40:87 | ... + ... | app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text] |
|
||||
| app/views/foo/stores/show.html.erb:40:64:40:87 | ... + ... [element] | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text [element] |
|
||||
| app/views/foo/stores/show.html.erb:40:64:40:87 | ... + ... [element] | app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text, element] |
|
||||
| app/views/foo/stores/show.html.erb:40:76:40:87 | call to display_text | app/views/foo/stores/show.html.erb:40:64:40:87 | ... + ... |
|
||||
| app/views/foo/stores/show.html.erb:40:76:40:87 | call to display_text | app/views/foo/stores/show.html.erb:40:64:40:87 | ... + ... [element] |
|
||||
| app/views/foo/stores/show.html.erb:86:17:86:28 | call to handle | app/views/foo/stores/show.html.erb:86:3:86:29 | call to sprintf |
|
||||
nodes
|
||||
| app/controllers/foo/stores_controller.rb:8:5:8:6 | dt | semmle.label | dt |
|
||||
|
|
@ -23,8 +29,11 @@ nodes
|
|||
| app/controllers/foo/stores_controller.rb:9:22:9:23 | dt | semmle.label | dt |
|
||||
| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt | semmle.label | dt |
|
||||
| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | semmle.label | call to display_text |
|
||||
| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text [element] | semmle.label | call to display_text [element] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text, element] | semmle.label | call to local_assigns [element :display_text, element] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text] | semmle.label | call to local_assigns [element :display_text] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | semmle.label | ...[...] |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] [element] | semmle.label | ...[...] [element] |
|
||||
| app/views/foo/stores/show.html.erb:2:9:2:20 | call to display_text | semmle.label | call to display_text |
|
||||
| app/views/foo/stores/show.html.erb:5:9:5:21 | call to local_assigns [element :display_text] | semmle.label | call to local_assigns [element :display_text] |
|
||||
| app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] | semmle.label | ...[...] |
|
||||
|
|
@ -35,6 +44,7 @@ nodes
|
|||
| app/views/foo/stores/show.html.erb:32:3:32:14 | call to display_text | semmle.label | call to display_text |
|
||||
| app/views/foo/stores/show.html.erb:37:3:37:16 | @instance_text | semmle.label | @instance_text |
|
||||
| app/views/foo/stores/show.html.erb:40:64:40:87 | ... + ... | semmle.label | ... + ... |
|
||||
| app/views/foo/stores/show.html.erb:40:64:40:87 | ... + ... [element] | semmle.label | ... + ... [element] |
|
||||
| app/views/foo/stores/show.html.erb:40:76:40:87 | call to display_text | semmle.label | call to display_text |
|
||||
| app/views/foo/stores/show.html.erb:46:5:46:16 | call to handle | semmle.label | call to handle |
|
||||
| app/views/foo/stores/show.html.erb:63:3:63:18 | call to handle | semmle.label | call to handle |
|
||||
|
|
|
|||
|
|
@ -8,8 +8,10 @@ edges
|
|||
| ActiveRecordInjection.rb:43:29:43:39 | ...[...] | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:48:30:48:35 | call to params | ActiveRecordInjection.rb:48:30:48:40 | ...[...] |
|
||||
| ActiveRecordInjection.rb:48:30:48:40 | ...[...] | ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | ActiveRecordInjection.rb:52:21:52:45 | call to [] |
|
||||
| ActiveRecordInjection.rb:52:31:52:36 | call to params | ActiveRecordInjection.rb:52:31:52:41 | ...[...] |
|
||||
| ActiveRecordInjection.rb:52:31:52:41 | ...[...] | ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" | ActiveRecordInjection.rb:57:22:57:46 | call to [] |
|
||||
| ActiveRecordInjection.rb:57:32:57:37 | call to params | ActiveRecordInjection.rb:57:32:57:42 | ...[...] |
|
||||
| ActiveRecordInjection.rb:57:32:57:42 | ...[...] | ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:62:21:62:26 | call to params | ActiveRecordInjection.rb:62:21:62:35 | ...[...] |
|
||||
|
|
@ -35,6 +37,9 @@ edges
|
|||
| ActiveRecordInjection.rb:103:11:103:12 | ps | ActiveRecordInjection.rb:103:11:103:17 | ...[...] |
|
||||
| ActiveRecordInjection.rb:103:11:103:17 | ...[...] | ActiveRecordInjection.rb:103:5:103:7 | uid |
|
||||
| ActiveRecordInjection.rb:104:5:104:9 | uidEq | ActiveRecordInjection.rb:108:20:108:32 | ... + ... |
|
||||
| ActiveRecordInjection.rb:104:5:104:9 | uidEq | ActiveRecordInjection.rb:108:28:108:32 | uidEq |
|
||||
| ActiveRecordInjection.rb:108:20:108:32 | ... + ... [element] | ActiveRecordInjection.rb:108:20:108:32 | ... + ... |
|
||||
| ActiveRecordInjection.rb:108:28:108:32 | uidEq | ActiveRecordInjection.rb:108:20:108:32 | ... + ... [element] |
|
||||
| ActiveRecordInjection.rb:141:21:141:26 | call to params | ActiveRecordInjection.rb:141:21:141:44 | ...[...] |
|
||||
| ActiveRecordInjection.rb:141:21:141:26 | call to params | ActiveRecordInjection.rb:141:21:141:44 | ...[...] |
|
||||
| ActiveRecordInjection.rb:141:21:141:44 | ...[...] | ActiveRecordInjection.rb:20:22:20:30 | condition |
|
||||
|
|
@ -85,9 +90,11 @@ nodes
|
|||
| ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:48:30:48:35 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:48:30:48:40 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:52:21:52:45 | call to [] | semmle.label | call to [] |
|
||||
| ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:52:31:52:36 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:52:31:52:41 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:57:22:57:46 | call to [] | semmle.label | call to [] |
|
||||
| ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:57:32:57:37 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:57:32:57:42 | ...[...] | semmle.label | ...[...] |
|
||||
|
|
@ -125,6 +132,8 @@ nodes
|
|||
| ActiveRecordInjection.rb:103:11:103:17 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:104:5:104:9 | uidEq | semmle.label | uidEq |
|
||||
| ActiveRecordInjection.rb:108:20:108:32 | ... + ... | semmle.label | ... + ... |
|
||||
| ActiveRecordInjection.rb:108:20:108:32 | ... + ... [element] | semmle.label | ... + ... [element] |
|
||||
| ActiveRecordInjection.rb:108:28:108:32 | uidEq | semmle.label | uidEq |
|
||||
| ActiveRecordInjection.rb:141:21:141:26 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:141:21:141:44 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:141:21:141:44 | ...[...] | semmle.label | ...[...] |
|
||||
|
|
@ -172,8 +181,8 @@ subpaths
|
|||
| ActiveRecordInjection.rb:39:18:39:32 | ...[...] | ActiveRecordInjection.rb:39:18:39:23 | call to params | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:39:18:39:23 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | ActiveRecordInjection.rb:43:29:43:34 | call to params | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:43:29:43:34 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" | ActiveRecordInjection.rb:48:30:48:35 | call to params | ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:48:30:48:35 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | ActiveRecordInjection.rb:52:31:52:36 | call to params | ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:52:31:52:36 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" | ActiveRecordInjection.rb:57:32:57:37 | call to params | ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:57:32:57:37 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:52:21:52:45 | call to [] | ActiveRecordInjection.rb:52:31:52:36 | call to params | ActiveRecordInjection.rb:52:21:52:45 | call to [] | This SQL query depends on a $@. | ActiveRecordInjection.rb:52:31:52:36 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:57:22:57:46 | call to [] | ActiveRecordInjection.rb:57:32:57:37 | call to params | ActiveRecordInjection.rb:57:22:57:46 | call to [] | This SQL query depends on a $@. | ActiveRecordInjection.rb:57:32:57:37 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:61:16:61:21 | <<-SQL | ActiveRecordInjection.rb:62:21:62:26 | call to params | ActiveRecordInjection.rb:61:16:61:21 | <<-SQL | This SQL query depends on a $@. | ActiveRecordInjection.rb:62:21:62:26 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:68:34:68:39 | call to params | ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:68:34:68:39 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" | ActiveRecordInjection.rb:74:41:74:46 | call to params | ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:74:41:74:46 | call to params | user-provided value |
|
||||
|
|
|
|||
|
|
@ -17,7 +17,9 @@ edges
|
|||
| CodeInjection.rb:38:24:38:27 | code | CodeInjection.rb:38:10:38:28 | call to escape |
|
||||
| CodeInjection.rb:38:24:38:27 | code | CodeInjection.rb:38:10:38:28 | call to escape |
|
||||
| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:80:16:80:19 | code |
|
||||
| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:86:10:86:25 | ... + ... |
|
||||
| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:86:10:86:37 | ... + ... |
|
||||
| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:86:22:86:25 | code |
|
||||
| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:88:10:88:32 | "prefix_#{...}_suffix" |
|
||||
| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:90:10:90:13 | code |
|
||||
| CodeInjection.rb:78:5:78:8 | code | CodeInjection.rb:90:10:90:13 | code |
|
||||
|
|
@ -25,6 +27,10 @@ edges
|
|||
| CodeInjection.rb:78:12:78:17 | call to params | CodeInjection.rb:78:12:78:24 | ...[...] |
|
||||
| CodeInjection.rb:78:12:78:24 | ...[...] | CodeInjection.rb:78:5:78:8 | code |
|
||||
| CodeInjection.rb:78:12:78:24 | ...[...] | CodeInjection.rb:78:5:78:8 | code |
|
||||
| CodeInjection.rb:86:10:86:25 | ... + ... | CodeInjection.rb:86:10:86:37 | ... + ... |
|
||||
| CodeInjection.rb:86:10:86:25 | ... + ... [element] | CodeInjection.rb:86:10:86:37 | ... + ... [element] |
|
||||
| CodeInjection.rb:86:10:86:37 | ... + ... [element] | CodeInjection.rb:86:10:86:37 | ... + ... |
|
||||
| CodeInjection.rb:86:22:86:25 | code | CodeInjection.rb:86:10:86:25 | ... + ... [element] |
|
||||
| CodeInjection.rb:101:3:102:5 | self in index [@foo] | CodeInjection.rb:111:3:113:5 | self in baz [@foo] |
|
||||
| CodeInjection.rb:101:3:102:5 | self in index [@foo] | CodeInjection.rb:111:3:113:5 | self in baz [@foo] |
|
||||
| CodeInjection.rb:105:5:105:8 | [post] self [@foo] | CodeInjection.rb:108:3:109:5 | self in bar [@foo] |
|
||||
|
|
@ -68,7 +74,11 @@ nodes
|
|||
| CodeInjection.rb:78:12:78:24 | ...[...] | semmle.label | ...[...] |
|
||||
| CodeInjection.rb:78:12:78:24 | ...[...] | semmle.label | ...[...] |
|
||||
| CodeInjection.rb:80:16:80:19 | code | semmle.label | code |
|
||||
| CodeInjection.rb:86:10:86:25 | ... + ... | semmle.label | ... + ... |
|
||||
| CodeInjection.rb:86:10:86:25 | ... + ... [element] | semmle.label | ... + ... [element] |
|
||||
| CodeInjection.rb:86:10:86:37 | ... + ... | semmle.label | ... + ... |
|
||||
| CodeInjection.rb:86:10:86:37 | ... + ... [element] | semmle.label | ... + ... [element] |
|
||||
| CodeInjection.rb:86:22:86:25 | code | semmle.label | code |
|
||||
| CodeInjection.rb:88:10:88:32 | "prefix_#{...}_suffix" | semmle.label | "prefix_#{...}_suffix" |
|
||||
| CodeInjection.rb:90:10:90:13 | code | semmle.label | code |
|
||||
| CodeInjection.rb:90:10:90:13 | code | semmle.label | code |
|
||||
|
|
|
|||
|
|
@ -1,19 +1,27 @@
|
|||
edges
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized | app/controllers/users_controller.rb:16:19:16:29 | unsanitized |
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized | app/controllers/users_controller.rb:17:19:17:41 | ... + ... |
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized | app/controllers/users_controller.rb:17:31:17:41 | unsanitized |
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized | app/controllers/users_controller.rb:23:20:23:30 | unsanitized |
|
||||
| app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:15:19:15:30 | ...[...] |
|
||||
| app/controllers/users_controller.rb:15:19:15:30 | ...[...] | app/controllers/users_controller.rb:15:5:15:15 | unsanitized |
|
||||
| app/controllers/users_controller.rb:17:19:17:41 | ... + ... [element] | app/controllers/users_controller.rb:17:19:17:41 | ... + ... |
|
||||
| app/controllers/users_controller.rb:17:31:17:41 | unsanitized | app/controllers/users_controller.rb:17:19:17:41 | ... + ... [element] |
|
||||
| app/controllers/users_controller.rb:23:20:23:30 | unsanitized | app/controllers/users_controller.rb:23:20:23:44 | call to sub |
|
||||
| app/controllers/users_controller.rb:23:20:23:44 | call to sub | app/controllers/users_controller.rb:24:18:26:7 | do ... end [captured unsanitized2] |
|
||||
| app/controllers/users_controller.rb:23:20:23:44 | call to sub | app/controllers/users_controller.rb:27:16:27:39 | ... + ... |
|
||||
| app/controllers/users_controller.rb:23:20:23:44 | call to sub | app/controllers/users_controller.rb:27:28:27:39 | unsanitized2 |
|
||||
| app/controllers/users_controller.rb:24:18:26:7 | do ... end [captured unsanitized2] | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 |
|
||||
| app/controllers/users_controller.rb:27:16:27:39 | ... + ... [element] | app/controllers/users_controller.rb:27:16:27:39 | ... + ... |
|
||||
| app/controllers/users_controller.rb:27:28:27:39 | unsanitized2 | app/controllers/users_controller.rb:27:16:27:39 | ... + ... [element] |
|
||||
| app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:33:19:33:31 | ...[...] |
|
||||
| app/controllers/users_controller.rb:33:19:33:31 | ...[...] | app/controllers/users_controller.rb:34:31:34:45 | { ... } [captured unsanitized] |
|
||||
| app/controllers/users_controller.rb:33:19:33:31 | ...[...] | app/controllers/users_controller.rb:35:31:35:57 | { ... } [captured unsanitized] |
|
||||
| app/controllers/users_controller.rb:34:31:34:45 | { ... } [captured unsanitized] | app/controllers/users_controller.rb:34:33:34:43 | unsanitized |
|
||||
| app/controllers/users_controller.rb:35:31:35:57 | { ... } [captured unsanitized] | app/controllers/users_controller.rb:35:45:35:55 | unsanitized |
|
||||
| app/controllers/users_controller.rb:35:33:35:55 | ... + ... [element] | app/controllers/users_controller.rb:35:33:35:55 | ... + ... |
|
||||
| app/controllers/users_controller.rb:35:45:35:55 | unsanitized | app/controllers/users_controller.rb:35:33:35:55 | ... + ... |
|
||||
| app/controllers/users_controller.rb:35:45:35:55 | unsanitized | app/controllers/users_controller.rb:35:33:35:55 | ... + ... [element] |
|
||||
| app/controllers/users_controller.rb:49:19:49:24 | call to params | app/controllers/users_controller.rb:49:19:49:30 | ...[...] |
|
||||
nodes
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized | semmle.label | unsanitized |
|
||||
|
|
@ -21,17 +29,22 @@ nodes
|
|||
| app/controllers/users_controller.rb:15:19:15:30 | ...[...] | semmle.label | ...[...] |
|
||||
| app/controllers/users_controller.rb:16:19:16:29 | unsanitized | semmle.label | unsanitized |
|
||||
| app/controllers/users_controller.rb:17:19:17:41 | ... + ... | semmle.label | ... + ... |
|
||||
| app/controllers/users_controller.rb:17:19:17:41 | ... + ... [element] | semmle.label | ... + ... [element] |
|
||||
| app/controllers/users_controller.rb:17:31:17:41 | unsanitized | semmle.label | unsanitized |
|
||||
| app/controllers/users_controller.rb:23:20:23:30 | unsanitized | semmle.label | unsanitized |
|
||||
| app/controllers/users_controller.rb:23:20:23:44 | call to sub | semmle.label | call to sub |
|
||||
| app/controllers/users_controller.rb:24:18:26:7 | do ... end [captured unsanitized2] | semmle.label | do ... end [captured unsanitized2] |
|
||||
| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | semmle.label | unsanitized2 |
|
||||
| app/controllers/users_controller.rb:27:16:27:39 | ... + ... | semmle.label | ... + ... |
|
||||
| app/controllers/users_controller.rb:27:16:27:39 | ... + ... [element] | semmle.label | ... + ... [element] |
|
||||
| app/controllers/users_controller.rb:27:28:27:39 | unsanitized2 | semmle.label | unsanitized2 |
|
||||
| app/controllers/users_controller.rb:33:19:33:25 | call to cookies | semmle.label | call to cookies |
|
||||
| app/controllers/users_controller.rb:33:19:33:31 | ...[...] | semmle.label | ...[...] |
|
||||
| app/controllers/users_controller.rb:34:31:34:45 | { ... } [captured unsanitized] | semmle.label | { ... } [captured unsanitized] |
|
||||
| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | semmle.label | unsanitized |
|
||||
| app/controllers/users_controller.rb:35:31:35:57 | { ... } [captured unsanitized] | semmle.label | { ... } [captured unsanitized] |
|
||||
| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | semmle.label | ... + ... |
|
||||
| app/controllers/users_controller.rb:35:33:35:55 | ... + ... [element] | semmle.label | ... + ... [element] |
|
||||
| app/controllers/users_controller.rb:35:45:35:55 | unsanitized | semmle.label | unsanitized |
|
||||
| app/controllers/users_controller.rb:49:19:49:24 | call to params | semmle.label | call to params |
|
||||
| app/controllers/users_controller.rb:49:19:49:30 | ...[...] | semmle.label | ...[...] |
|
||||
|
|
|
|||
|
|
@ -9,11 +9,17 @@ edges
|
|||
| RegExpInjection.rb:16:12:16:17 | call to params | RegExpInjection.rb:16:12:16:24 | ...[...] |
|
||||
| RegExpInjection.rb:16:12:16:24 | ...[...] | RegExpInjection.rb:16:5:16:8 | name |
|
||||
| RegExpInjection.rb:22:5:22:8 | name | RegExpInjection.rb:23:24:23:33 | ... + ... |
|
||||
| RegExpInjection.rb:22:5:22:8 | name | RegExpInjection.rb:23:30:23:33 | name |
|
||||
| RegExpInjection.rb:22:12:22:17 | call to params | RegExpInjection.rb:22:12:22:24 | ...[...] |
|
||||
| RegExpInjection.rb:22:12:22:24 | ...[...] | RegExpInjection.rb:22:5:22:8 | name |
|
||||
| RegExpInjection.rb:23:24:23:33 | ... + ... [element] | RegExpInjection.rb:23:24:23:33 | ... + ... |
|
||||
| RegExpInjection.rb:23:30:23:33 | name | RegExpInjection.rb:23:24:23:33 | ... + ... [element] |
|
||||
| RegExpInjection.rb:54:5:54:8 | name | RegExpInjection.rb:55:28:55:37 | ... + ... |
|
||||
| RegExpInjection.rb:54:5:54:8 | name | RegExpInjection.rb:55:34:55:37 | name |
|
||||
| RegExpInjection.rb:54:12:54:17 | call to params | RegExpInjection.rb:54:12:54:24 | ...[...] |
|
||||
| RegExpInjection.rb:54:12:54:24 | ...[...] | RegExpInjection.rb:54:5:54:8 | name |
|
||||
| RegExpInjection.rb:55:28:55:37 | ... + ... [element] | RegExpInjection.rb:55:28:55:37 | ... + ... |
|
||||
| RegExpInjection.rb:55:34:55:37 | name | RegExpInjection.rb:55:28:55:37 | ... + ... [element] |
|
||||
nodes
|
||||
| RegExpInjection.rb:4:5:4:8 | name | semmle.label | name |
|
||||
| RegExpInjection.rb:4:12:4:17 | call to params | semmle.label | call to params |
|
||||
|
|
@ -31,10 +37,14 @@ nodes
|
|||
| RegExpInjection.rb:22:12:22:17 | call to params | semmle.label | call to params |
|
||||
| RegExpInjection.rb:22:12:22:24 | ...[...] | semmle.label | ...[...] |
|
||||
| RegExpInjection.rb:23:24:23:33 | ... + ... | semmle.label | ... + ... |
|
||||
| RegExpInjection.rb:23:24:23:33 | ... + ... [element] | semmle.label | ... + ... [element] |
|
||||
| RegExpInjection.rb:23:30:23:33 | name | semmle.label | name |
|
||||
| RegExpInjection.rb:54:5:54:8 | name | semmle.label | name |
|
||||
| RegExpInjection.rb:54:12:54:17 | call to params | semmle.label | call to params |
|
||||
| RegExpInjection.rb:54:12:54:24 | ...[...] | semmle.label | ...[...] |
|
||||
| RegExpInjection.rb:55:28:55:37 | ... + ... | semmle.label | ... + ... |
|
||||
| RegExpInjection.rb:55:28:55:37 | ... + ... [element] | semmle.label | ... + ... [element] |
|
||||
| RegExpInjection.rb:55:34:55:37 | name | semmle.label | name |
|
||||
subpaths
|
||||
#select
|
||||
| RegExpInjection.rb:5:13:5:21 | /#{...}/ | RegExpInjection.rb:4:12:4:17 | call to params | RegExpInjection.rb:5:13:5:21 | /#{...}/ | This regular expression depends on a $@. | RegExpInjection.rb:4:12:4:17 | call to params | user-provided value |
|
||||
|
|
|
|||
|
|
@ -8,8 +8,10 @@ edges
|
|||
| tainted_format_string.rb:21:27:21:32 | call to params | tainted_format_string.rb:21:27:21:41 | ...[...] |
|
||||
| tainted_format_string.rb:22:20:22:25 | call to params | tainted_format_string.rb:22:20:22:34 | ...[...] |
|
||||
| tainted_format_string.rb:28:19:28:24 | call to params | tainted_format_string.rb:28:19:28:33 | ...[...] |
|
||||
| tainted_format_string.rb:33:12:33:46 | ... + ... [element] | tainted_format_string.rb:33:12:33:46 | ... + ... |
|
||||
| tainted_format_string.rb:33:32:33:37 | call to params | tainted_format_string.rb:33:32:33:46 | ...[...] |
|
||||
| tainted_format_string.rb:33:32:33:46 | ...[...] | tainted_format_string.rb:33:12:33:46 | ... + ... |
|
||||
| tainted_format_string.rb:33:32:33:46 | ...[...] | tainted_format_string.rb:33:12:33:46 | ... + ... [element] |
|
||||
| tainted_format_string.rb:36:30:36:35 | call to params | tainted_format_string.rb:36:30:36:44 | ...[...] |
|
||||
| tainted_format_string.rb:36:30:36:44 | ...[...] | tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" |
|
||||
| tainted_format_string.rb:39:22:39:27 | call to params | tainted_format_string.rb:39:22:39:36 | ...[...] |
|
||||
|
|
@ -36,6 +38,7 @@ nodes
|
|||
| tainted_format_string.rb:28:19:28:24 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:28:19:28:33 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:33:12:33:46 | ... + ... | semmle.label | ... + ... |
|
||||
| tainted_format_string.rb:33:12:33:46 | ... + ... [element] | semmle.label | ... + ... [element] |
|
||||
| tainted_format_string.rb:33:32:33:37 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:33:32:33:46 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | semmle.label | "A log message: #{...}" |
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче