Ruby: add rb/log-injection test cases

alexrford · alexrford · commit 44c4b9ba5cef · 2022-08-10T16:17:37.000+01:00
diff --git a/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected b/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected
@@ -0,0 +1,36 @@
+edges
+| app/controllers/users_controller.rb:15:19:15:24 | call to params :  | app/controllers/users_controller.rb:15:19:15:30 | ...[...] :  |
+| app/controllers/users_controller.rb:15:19:15:30 | ...[...] :  | app/controllers/users_controller.rb:16:19:16:29 | unsanitized |
+| app/controllers/users_controller.rb:15:19:15:30 | ...[...] :  | app/controllers/users_controller.rb:17:19:17:41 | ... + ... |
+| app/controllers/users_controller.rb:15:19:15:30 | ...[...] :  | app/controllers/users_controller.rb:23:20:23:30 | unsanitized :  |
+| app/controllers/users_controller.rb:23:5:23:44 | ... = ... :  | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 |
+| app/controllers/users_controller.rb:23:20:23:30 | unsanitized :  | app/controllers/users_controller.rb:23:20:23:44 | call to sub :  |
+| app/controllers/users_controller.rb:23:20:23:44 | call to sub :  | app/controllers/users_controller.rb:23:5:23:44 | ... = ... :  |
+| app/controllers/users_controller.rb:23:20:23:44 | call to sub :  | app/controllers/users_controller.rb:27:16:27:39 | ... + ... |
+| app/controllers/users_controller.rb:33:5:33:31 | ... = ... :  | app/controllers/users_controller.rb:34:33:34:43 | unsanitized |
+| app/controllers/users_controller.rb:33:5:33:31 | ... = ... :  | app/controllers/users_controller.rb:35:33:35:55 | ... + ... |
+| app/controllers/users_controller.rb:33:19:33:25 | call to cookies :  | app/controllers/users_controller.rb:33:19:33:31 | ...[...] :  |
+| app/controllers/users_controller.rb:33:19:33:31 | ...[...] :  | app/controllers/users_controller.rb:33:5:33:31 | ... = ... :  |
+nodes
+| app/controllers/users_controller.rb:15:19:15:24 | call to params :  | semmle.label | call to params :  |
+| app/controllers/users_controller.rb:15:19:15:30 | ...[...] :  | semmle.label | ...[...] :  |
+| app/controllers/users_controller.rb:16:19:16:29 | unsanitized | semmle.label | unsanitized |
+| app/controllers/users_controller.rb:17:19:17:41 | ... + ... | semmle.label | ... + ... |
+| app/controllers/users_controller.rb:23:5:23:44 | ... = ... :  | semmle.label | ... = ... :  |
+| app/controllers/users_controller.rb:23:20:23:30 | unsanitized :  | semmle.label | unsanitized :  |
+| app/controllers/users_controller.rb:23:20:23:44 | call to sub :  | semmle.label | call to sub :  |
+| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | semmle.label | unsanitized2 |
+| app/controllers/users_controller.rb:27:16:27:39 | ... + ... | semmle.label | ... + ... |
+| app/controllers/users_controller.rb:33:5:33:31 | ... = ... :  | semmle.label | ... = ... :  |
+| app/controllers/users_controller.rb:33:19:33:25 | call to cookies :  | semmle.label | call to cookies :  |
+| app/controllers/users_controller.rb:33:19:33:31 | ...[...] :  | semmle.label | ...[...] :  |
+| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | semmle.label | unsanitized |
+| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | semmle.label | ... + ... |
+subpaths
+#select
+| app/controllers/users_controller.rb:16:19:16:29 | unsanitized | app/controllers/users_controller.rb:15:19:15:24 | call to params :  | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | $@ flows to log entry. | app/controllers/users_controller.rb:15:19:15:24 | call to params | User-provided value |
+| app/controllers/users_controller.rb:17:19:17:41 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params :  | app/controllers/users_controller.rb:17:19:17:41 | ... + ... | $@ flows to log entry. | app/controllers/users_controller.rb:15:19:15:24 | call to params | User-provided value |
+| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | app/controllers/users_controller.rb:15:19:15:24 | call to params :  | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | $@ flows to log entry. | app/controllers/users_controller.rb:15:19:15:24 | call to params | User-provided value |
+| app/controllers/users_controller.rb:27:16:27:39 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params :  | app/controllers/users_controller.rb:27:16:27:39 | ... + ... | $@ flows to log entry. | app/controllers/users_controller.rb:15:19:15:24 | call to params | User-provided value |
+| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | app/controllers/users_controller.rb:33:19:33:25 | call to cookies :  | app/controllers/users_controller.rb:34:33:34:43 | unsanitized | $@ flows to log entry. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | User-provided value |
+| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | app/controllers/users_controller.rb:33:19:33:25 | call to cookies :  | app/controllers/users_controller.rb:35:33:35:55 | ... + ... | $@ flows to log entry. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | User-provided value |
diff --git a/ruby/ql/test/query-tests/security/cwe-117/LogInjection.qlref b/ruby/ql/test/query-tests/security/cwe-117/LogInjection.qlref
@@ -0,0 +1 @@
+queries/security/cwe-117/LogInjection.ql
diff --git a/ruby/ql/test/query-tests/security/cwe-117/app/controllers/users_controller.rb b/ruby/ql/test/query-tests/security/cwe-117/app/controllers/users_controller.rb
@@ -0,0 +1,45 @@
+require 'logger'
+
+class UsersController < ApplicationController
+  include ERB::Util
+
+  def init_logger
+    if @logger == nil
+      @logger = Logger.new STDOUT
+    end
+  end
+
+  def read_from_params
+    init_logger
+
+    unsanitized = params[:foo]
+    @logger.debug unsanitized             # BAD: unsanitized user input
+    @logger.error "input: " + unsanitized # BAD: unsanitized user input
+
+    sanitized = unsanitized.gsub("\n", "")
+    @logger.fatal sanitized            # GOOD: sanitized user input
+    @logger.warn "input: " + sanitized # GOOD: sanitized user input
+
+    unsanitized2 = unsanitized.sub("\n", "")
+    @logger.info do
+      unsanitized2                      # BAD: partially sanitized user input
+    end
+    @logger << "input: " + unsanitized2 # BAD: partially sanitized user input
+  end
+
+  def read_from_cookies
+    init_logger
+
+    unsanitized = cookies[:bar]
+    @logger.add(Logger::INFO) { unsanitized }             # BAD: unsanitized user input
+    @logger.log(Logger::WARN) { "input: " + unsanitized } # BAD: unsanitized user input
+  end
+
+  def html_sanitization
+    init_logger
+
+    sanitized = html_escape params[:baz]
+    @logger.debug unsanitized             # GOOD: sanitized user input
+    @logger.debug "input: " + unsanitized # GOOD: sanitized user input
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+queries/security/cwe-117/LogInjection.ql`