Ruby: Test tainted interpolated format arg

hmac · hmac · commit 4249e308247b · 2022-03-21T12:51:18.000+13:00
diff --git a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll
@@ -29,9 +29,7 @@ module TaintedFormatString {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /** A source of remote user input, considered as a flow source for format injection. */
-  class RemoteSource extends Source {
-    RemoteSource() { this instanceof RemoteFlowSource }
-  }
+  class RemoteSource extends Source instanceof RemoteFlowSource { }
 
   /**
    * A format argument to a printf-like function, considered as a flow sink for format injection.
@@ -59,7 +57,7 @@ module TaintedFormatString {
     /**
      * Gets then `n`th formatted argument of this call.
      */
-    DataFlow::Node getFormatArgument(int n) { result = this.getArgument(n + 1) }
+    DataFlow::Node getFormatArgument(int n) { n > 0 and result = this.getArgument(n) }
   }
 
   /**
diff --git a/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected b/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected
@@ -8,8 +8,10 @@ edges
 | tainted_format_string.rb:16:27:16:32 | call to params :  | tainted_format_string.rb:16:27:16:41 | ...[...] |
 | tainted_format_string.rb:17:20:17:25 | call to params :  | tainted_format_string.rb:17:20:17:34 | ...[...] |
 | tainted_format_string.rb:23:19:23:24 | call to params :  | tainted_format_string.rb:23:19:23:33 | ...[...] |
-| tainted_format_string.rb:29:32:29:37 | call to params :  | tainted_format_string.rb:29:32:29:46 | ...[...] :  |
-| tainted_format_string.rb:29:32:29:46 | ...[...] :  | tainted_format_string.rb:29:12:29:46 | ... + ... |
+| tainted_format_string.rb:28:32:28:37 | call to params :  | tainted_format_string.rb:28:32:28:46 | ...[...] :  |
+| tainted_format_string.rb:28:32:28:46 | ...[...] :  | tainted_format_string.rb:28:12:28:46 | ... + ... |
+| tainted_format_string.rb:31:30:31:35 | call to params :  | tainted_format_string.rb:31:30:31:44 | ...[...] :  |
+| tainted_format_string.rb:31:30:31:44 | ...[...] :  | tainted_format_string.rb:31:12:31:46 | "A log message: #{...}" |
 nodes
 | tainted_format_string.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
 | tainted_format_string.rb:4:12:4:26 | ...[...] | semmle.label | ...[...] |
@@ -29,9 +31,12 @@ nodes
 | tainted_format_string.rb:17:20:17:34 | ...[...] | semmle.label | ...[...] |
 | tainted_format_string.rb:23:19:23:24 | call to params :  | semmle.label | call to params :  |
 | tainted_format_string.rb:23:19:23:33 | ...[...] | semmle.label | ...[...] |
-| tainted_format_string.rb:29:12:29:46 | ... + ... | semmle.label | ... + ... |
-| tainted_format_string.rb:29:32:29:37 | call to params :  | semmle.label | call to params :  |
-| tainted_format_string.rb:29:32:29:46 | ...[...] :  | semmle.label | ...[...] :  |
+| tainted_format_string.rb:28:12:28:46 | ... + ... | semmle.label | ... + ... |
+| tainted_format_string.rb:28:32:28:37 | call to params :  | semmle.label | call to params :  |
+| tainted_format_string.rb:28:32:28:46 | ...[...] :  | semmle.label | ...[...] :  |
+| tainted_format_string.rb:31:12:31:46 | "A log message: #{...}" | semmle.label | "A log message: #{...}" |
+| tainted_format_string.rb:31:30:31:35 | call to params :  | semmle.label | call to params :  |
+| tainted_format_string.rb:31:30:31:44 | ...[...] :  | semmle.label | ...[...] :  |
 subpaths
 #select
 | tainted_format_string.rb:4:12:4:26 | ...[...] | tainted_format_string.rb:4:12:4:17 | call to params :  | tainted_format_string.rb:4:12:4:26 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:4:12:4:17 | call to params | User-provided value |
@@ -43,4 +48,5 @@ subpaths
 | tainted_format_string.rb:16:27:16:41 | ...[...] | tainted_format_string.rb:16:27:16:32 | call to params :  | tainted_format_string.rb:16:27:16:41 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:16:27:16:32 | call to params | User-provided value |
 | tainted_format_string.rb:17:20:17:34 | ...[...] | tainted_format_string.rb:17:20:17:25 | call to params :  | tainted_format_string.rb:17:20:17:34 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:17:20:17:25 | call to params | User-provided value |
 | tainted_format_string.rb:23:19:23:33 | ...[...] | tainted_format_string.rb:23:19:23:24 | call to params :  | tainted_format_string.rb:23:19:23:33 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:23:19:23:24 | call to params | User-provided value |
-| tainted_format_string.rb:29:12:29:46 | ... + ... | tainted_format_string.rb:29:32:29:37 | call to params :  | tainted_format_string.rb:29:12:29:46 | ... + ... | $@ flows here and is used in a format string. | tainted_format_string.rb:29:32:29:37 | call to params | User-provided value |
+| tainted_format_string.rb:28:12:28:46 | ... + ... | tainted_format_string.rb:28:32:28:37 | call to params :  | tainted_format_string.rb:28:12:28:46 | ... + ... | $@ flows here and is used in a format string. | tainted_format_string.rb:28:32:28:37 | call to params | User-provided value |
+| tainted_format_string.rb:31:12:31:46 | "A log message: #{...}" | tainted_format_string.rb:31:30:31:35 | call to params :  | tainted_format_string.rb:31:12:31:46 | "A log message: #{...}" | $@ flows here and is used in a format string. | tainted_format_string.rb:31:30:31:35 | call to params | User-provided value |
diff --git a/ruby/ql/test/query-tests/security/cwe-134/tainted_format_string.rb b/ruby/ql/test/query-tests/security/cwe-134/tainted_format_string.rb
@@ -25,7 +25,9 @@ def show
     stdout.printf(params[:format]) # GOOD
     
     # Taint via string concatenation
-    
     printf("A log message: " + params[:format], arg) # BAD
+
+    # Taint via string interpolation
+    printf("A log message: #{params[:format]}", arg) # BAD
   end
 end
