Ruby: remove YAML.load_file arg0 as an unsafe deserialization sink

alexrford · alexrford · commit 06e435fd84be · 2022-09-26T11:26:30.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
@@ -48,16 +48,13 @@ module UnsafeDeserialization {
   }
 
   /**
-   * An argument in a call to `YAML.load` or `YAML.load_file`, considered a sink
+   * An argument in a call to `YAML.load`, considered a sink
    * for unsafe deserialization. The `YAML` module is an alias of `Psych` in
    * recent versions of Ruby.
    */
   class YamlLoadArgument extends Sink {
     YamlLoadArgument() {
-      this =
-        API::getTopLevelMember(["YAML", "Psych"])
-            .getAMethodCall(["load", "load_file"])
-            .getArgument(0)
+      this = API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall("load").getArgument(0)
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -48,16 +48,13 @@ module UnsafeDeserialization {`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`/**`
`51`		- * An argument in a call to `YAML.load` or `YAML.load_file`, considered a sink
	`51`	+ * An argument in a call to `YAML.load`, considered a sink
`52`	`52`	* for unsafe deserialization. The `YAML` module is an alias of `Psych` in
`53`	`53`	`* recent versions of Ruby.`
`54`	`54`	`*/`
`55`	`55`	`class YamlLoadArgument extends Sink {`
`56`	`56`	`YamlLoadArgument() {`
`57`		`- this =`
`58`		`- API::getTopLevelMember(["YAML", "Psych"])`
`59`		`- .getAMethodCall(["load", "load_file"])`
`60`		`- .getArgument(0)`
	`57`	`+ this = API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall("load").getArgument(0)`
`61`	`58`	`}`
`62`	`59`	`}`
`63`	`60`