
Commit 4249e30

Ruby: Test tainted interpolated format arg
1 parent 6319902 commit 4249e30


3 files changed

+17
-11
lines changed


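--- a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll
@@ -29,9 +29,7 @@ module TaintedFormatString {
 abstract class Sanitizer extends DataFlow::Node { }
 
 /** A source of remote user input, considered as a flow source for format injection. */
-class RemoteSource extends Source {
-RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /**
 * A format argument to a printf-like function, considered as a flow sink for format injection.
@@ -59,7 +57,7 @@ module TaintedFormatString {
 /**
 * Gets then `n`th formatted argument of this call.
 */
-DataFlow::Node getFormatArgument(int n) { result = this.getArgument(n + 1) }
+DataFlow::Node getFormatArgument(int n) { n > 0 and result = this.getArgument(n) }
 }
 
 /**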
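Review bot: The rewritten `getFormatArgument` in the second hunk changes what `n` means — the old body returned `getArgument(n + 1)`, so `n = 0` was the first formatted argument, while the new body requires `n > 0` and returns `getArgument(n)`, so `n` is now the absolute argument position with argument 0 (presumably the format string, since the old code always skipped it) excluded — yet the QLDoc directly above still reads "Gets then `n`th formatted argument of this call." Any caller that still passes a 0-based index would silently get no result rather than an error, so the callers outside this hunk are worth checking. I'd fix the typo and state the convention in the comment, e.g. `Gets the nth formatted argument of this call, where n >= 1 indexes the arguments after the format string (argument 0).` The enclosing class and the `TaintedFormatString` module both continue outside the hunk.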

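--- a/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected
+++ b/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected
@@ -8,8 +8,10 @@ edges
 | tainted_format_string.rb:16:27:16:32 | call to params : | tainted_format_string.rb:16:27:16:41 | ...[...] |
 | tainted_format_string.rb:17:20:17:25 | call to params : | tainted_format_string.rb:17:20:17:34 | ...[...] |
 | tainted_format_string.rb:23:19:23:24 | call to params : | tainted_format_string.rb:23:19:23:33 | ...[...] |
-| tainted_format_string.rb:29:32:29:37 | call to params : | tainted_format_string.rb:29:32:29:46 | ...[...] : |
-| tainted_format_string.rb:29:32:29:46 | ...[...] : | tainted_format_string.rb:29:12:29:46 | ... + ... |
+| tainted_format_string.rb:28:32:28:37 | call to params : | tainted_format_string.rb:28:32:28:46 | ...[...] : |
+| tainted_format_string.rb:28:32:28:46 | ...[...] : | tainted_format_string.rb:28:12:28:46 | ... + ... |
+| tainted_format_string.rb:31:30:31:35 | call to params : | tainted_format_string.rb:31:30:31:44 | ...[...] : |
+| tainted_format_string.rb:31:30:31:44 | ...[...] : | tainted_format_string.rb:31:12:31:46 | "A log message: #{...}" |
 nodes
 | tainted_format_string.rb:4:12:4:17 | call to params : | semmle.label | call to params : |
 | tainted_format_string.rb:4:12:4:26 | ...[...] | semmle.label | ...[...] |
@@ -29,9 +31,12 @@ nodes
 | tainted_format_string.rb:17:20:17:34 | ...[...] | semmle.label | ...[...] |
 | tainted_format_string.rb:23:19:23:24 | call to params : | semmle.label | call to params : |
 | tainted_format_string.rb:23:19:23:33 | ...[...] | semmle.label | ...[...] |
-| tainted_format_string.rb:29:12:29:46 | ... + ... | semmle.label | ... + ... |
-| tainted_format_string.rb:29:32:29:37 | call to params : | semmle.label | call to params : |
-| tainted_format_string.rb:29:32:29:46 | ...[...] : | semmle.label | ...[...] : |
+| tainted_format_string.rb:28:12:28:46 | ... + ... | semmle.label | ... + ... |
+| tainted_format_string.rb:28:32:28:37 | call to params : | semmle.label | call to params : |
+| tainted_format_string.rb:28:32:28:46 | ...[...] : | semmle.label | ...[...] : |
+| tainted_format_string.rb:31:12:31:46 | "A log message: #{...}" | semmle.label | "A log message: #{...}" |
+| tainted_format_string.rb:31:30:31:35 | call to params : | semmle.label | call to params : |
+| tainted_format_string.rb:31:30:31:44 | ...[...] : | semmle.label | ...[...] : |
 subpaths
 #select
 | tainted_format_string.rb:4:12:4:26 | ...[...] | tainted_format_string.rb:4:12:4:17 | call to params : | tainted_format_string.rb:4:12:4:26 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:4:12:4:17 | call to params | User-provided value |
@@ -43,4 +48,5 @@ subpaths
 | tainted_format_string.rb:16:27:16:41 | ...[...] | tainted_format_string.rb:16:27:16:32 | call to params : | tainted_format_string.rb:16:27:16:41 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:16:27:16:32 | call to params | User-provided value |
 | tainted_format_string.rb:17:20:17:34 | ...[...] | tainted_format_string.rb:17:20:17:25 | call to params : | tainted_format_string.rb:17:20:17:34 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:17:20:17:25 | call to params | User-provided value |
 | tainted_format_string.rb:23:19:23:33 | ...[...] | tainted_format_string.rb:23:19:23:24 | call to params : | tainted_format_string.rb:23:19:23:33 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:23:19:23:24 | call to params | User-provided value |
-| tainted_format_string.rb:29:12:29:46 | ... + ... | tainted_format_string.rb:29:32:29:37 | call to params : | tainted_format_string.rb:29:12:29:46 | ... + ... | $@ flows here and is used in a format string. | tainted_format_string.rb:29:32:29:37 | call to params | User-provided value |
+| tainted_format_string.rb:28:12:28:46 | ... + ... | tainted_format_string.rb:28:32:28:37 | call to params : | tainted_format_string.rb:28:12:28:46 | ... + ... | $@ flows here and is used in a format string. | tainted_format_string.rb:28:32:28:37 | call to params | User-provided value |
+| tainted_format_string.rb:31:12:31:46 | "A log message: #{...}" | tainted_format_string.rb:31:30:31:35 | call to params : | tainted_format_string.rb:31:12:31:46 | "A log message: #{...}" | $@ flows here and is used in a format string. | tainted_format_string.rb:31:30:31:35 | call to params | User-provided value |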

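--- a/ruby/ql/test/query-tests/security/cwe-134/tainted_format_string.rb
+++ b/ruby/ql/test/query-tests/security/cwe-134/tainted_format_string.rb
@@ -25,7 +25,9 @@ def show
 stdout.printf(params[:format]) # GOOD
 
 # Taint via string concatenation
-
 printf("A log message: " + params[:format], arg) # BAD
+
+# Taint via string interpolation
+printf("A log message: #{params[:format]}", arg) # BAD
 end
 end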
