Ruby: trim some SQLi related comments from ActiveRecord.rb

Author: alexrford

ruby/ql/test/library-tests/frameworks/ActionController.expected

@@ -1,17 +1,17 @@
 actionControllerControllerClasses
-| ActiveRecord.rb:27:1:58:3 | FooController |
-| ActiveRecord.rb:60:1:90:3 | BarController |
-| ActiveRecord.rb:92:1:96:3 | BazController |
+| ActiveRecord.rb:23:1:37:3 | FooController |
+| ActiveRecord.rb:39:1:62:3 | BarController |
+| ActiveRecord.rb:64:1:68:3 | BazController |
 | app/controllers/comments_controller.rb:1:1:7:3 | CommentsController |
 | app/controllers/foo/bars_controller.rb:3:1:31:3 | BarsController |
 | app/controllers/photos_controller.rb:1:1:4:3 | PhotosController |
 | app/controllers/posts_controller.rb:1:1:10:3 | PostsController |
 | app/controllers/users/notifications_controller.rb:2:3:5:5 | NotificationsController |
 actionControllerActionMethods
-| ActiveRecord.rb:32:3:57:5 | some_request_handler |
-| ActiveRecord.rb:61:3:69:5 | some_other_request_handler |
-| ActiveRecord.rb:71:3:89:5 | safe_paths |
-| ActiveRecord.rb:93:3:95:5 | yet_another_handler |
+| ActiveRecord.rb:27:3:36:5 | some_request_handler |
+| ActiveRecord.rb:40:3:45:5 | some_other_request_handler |
+| ActiveRecord.rb:47:3:61:5 | safe_paths |
+| ActiveRecord.rb:65:3:67:5 | yet_another_handler |
 | app/controllers/comments_controller.rb:2:3:3:5 | index |
 | app/controllers/comments_controller.rb:5:3:6:5 | show |
 | app/controllers/foo/bars_controller.rb:5:3:7:5 | index |
@@ -23,38 +23,38 @@ actionControllerActionMethods
 | app/controllers/posts_controller.rb:8:3:9:5 | upvote |
 | app/controllers/users/notifications_controller.rb:3:5:4:7 | mark_as_read |
 paramsCalls
-| ActiveRecord.rb:35:30:35:35 | call to params |
-| ActiveRecord.rb:39:29:39:34 | call to params |
-| ActiveRecord.rb:43:31:43:36 | call to params |
-| ActiveRecord.rb:48:21:48:26 | call to params |
-| ActiveRecord.rb:54:34:54:39 | call to params |
-| ActiveRecord.rb:56:23:56:28 | call to params |
-| ActiveRecord.rb:56:38:56:43 | call to params |
-| ActiveRecord.rb:62:10:62:15 | call to params |
-| ActiveRecord.rb:72:11:72:16 | call to params |
-| ActiveRecord.rb:77:12:77:17 | call to params |
-| ActiveRecord.rb:83:12:83:17 | call to params |
-| ActiveRecord.rb:88:15:88:20 | call to params |
-| ActiveRecord.rb:94:21:94:26 | call to params |
+| ActiveRecord.rb:28:30:28:35 | call to params |
+| ActiveRecord.rb:29:29:29:34 | call to params |
+| ActiveRecord.rb:30:31:30:36 | call to params |
+| ActiveRecord.rb:32:21:32:26 | call to params |
+| ActiveRecord.rb:34:34:34:39 | call to params |
+| ActiveRecord.rb:35:23:35:28 | call to params |
+| ActiveRecord.rb:35:38:35:43 | call to params |
+| ActiveRecord.rb:41:10:41:15 | call to params |
+| ActiveRecord.rb:48:11:48:16 | call to params |
+| ActiveRecord.rb:52:12:52:17 | call to params |
+| ActiveRecord.rb:57:12:57:17 | call to params |
+| ActiveRecord.rb:60:15:60:20 | call to params |
+| ActiveRecord.rb:66:21:66:26 | call to params |
 | app/controllers/foo/bars_controller.rb:13:21:13:26 | call to params |
 | app/controllers/foo/bars_controller.rb:14:10:14:15 | call to params |
 | app/controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
 | app/controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
 | app/views/foo/bars/show.html.erb:5:9:5:14 | call to params |
 paramsSources
-| ActiveRecord.rb:35:30:35:35 | call to params |
-| ActiveRecord.rb:39:29:39:34 | call to params |
-| ActiveRecord.rb:43:31:43:36 | call to params |
-| ActiveRecord.rb:48:21:48:26 | call to params |
-| ActiveRecord.rb:54:34:54:39 | call to params |
-| ActiveRecord.rb:56:23:56:28 | call to params |
-| ActiveRecord.rb:56:38:56:43 | call to params |
-| ActiveRecord.rb:62:10:62:15 | call to params |
-| ActiveRecord.rb:72:11:72:16 | call to params |
-| ActiveRecord.rb:77:12:77:17 | call to params |
-| ActiveRecord.rb:83:12:83:17 | call to params |
-| ActiveRecord.rb:88:15:88:20 | call to params |
-| ActiveRecord.rb:94:21:94:26 | call to params |
+| ActiveRecord.rb:28:30:28:35 | call to params |
+| ActiveRecord.rb:29:29:29:34 | call to params |
+| ActiveRecord.rb:30:31:30:36 | call to params |
+| ActiveRecord.rb:32:21:32:26 | call to params |
+| ActiveRecord.rb:34:34:34:39 | call to params |
+| ActiveRecord.rb:35:23:35:28 | call to params |
+| ActiveRecord.rb:35:38:35:43 | call to params |
+| ActiveRecord.rb:41:10:41:15 | call to params |
+| ActiveRecord.rb:48:11:48:16 | call to params |
+| ActiveRecord.rb:52:12:52:17 | call to params |
+| ActiveRecord.rb:57:12:57:17 | call to params |
+| ActiveRecord.rb:60:15:60:20 | call to params |
+| ActiveRecord.rb:66:21:66:26 | call to params |
 | app/controllers/foo/bars_controller.rb:13:21:13:26 | call to params |
 | app/controllers/foo/bars_controller.rb:14:10:14:15 | call to params |
 | app/controllers/foo/bars_controller.rb:21:21:21:26 | call to params |

ruby/ql/test/library-tests/frameworks/ActiveRecord.expected

@@ -1,60 +1,60 @@
 activeRecordModelClasses
 | ActiveRecord.rb:1:1:3:3 | UserGroup |
-| ActiveRecord.rb:5:1:17:3 | User |
-| ActiveRecord.rb:19:1:25:3 | Admin |
+| ActiveRecord.rb:5:1:15:3 | User |
+| ActiveRecord.rb:17:1:21:3 | Admin |
 activeRecordInstances
-| ActiveRecord.rb:10:5:10:68 | call to find |
-| ActiveRecord.rb:15:5:15:40 | call to find_by |
-| ActiveRecord.rb:79:5:81:7 | if ... |
-| ActiveRecord.rb:79:43:80:40 | then ... |
-| ActiveRecord.rb:80:7:80:40 | call to find_by |
-| ActiveRecord.rb:85:5:85:33 | call to find_by |
-| ActiveRecord.rb:88:5:88:34 | call to find |
+| ActiveRecord.rb:9:5:9:68 | call to find |
+| ActiveRecord.rb:13:5:13:40 | call to find_by |
+| ActiveRecord.rb:53:5:55:7 | if ... |
+| ActiveRecord.rb:53:43:54:40 | then ... |
+| ActiveRecord.rb:54:7:54:40 | call to find_by |
+| ActiveRecord.rb:58:5:58:33 | call to find_by |
+| ActiveRecord.rb:60:5:60:34 | call to find |
 activeRecordSqlExecutionRanges
-| ActiveRecord.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" |
-| ActiveRecord.rb:23:16:23:24 | condition |
-| ActiveRecord.rb:35:30:35:44 | ...[...] |
-| ActiveRecord.rb:39:20:39:42 | "id = '#{...}'" |
-| ActiveRecord.rb:43:22:43:44 | "id = '#{...}'" |
-| ActiveRecord.rb:47:16:47:21 | <<-SQL |
-| ActiveRecord.rb:54:20:54:47 | "user.id = '#{...}'" |
-| ActiveRecord.rb:68:20:68:32 | ... + ... |
-| ActiveRecord.rb:75:16:75:28 | "name #{...}" |
-| ActiveRecord.rb:80:20:80:39 | "username = #{...}" |
+| ActiveRecord.rb:9:33:9:67 | "name='#{...}' and pass='#{...}'" |
+| ActiveRecord.rb:19:16:19:24 | condition |
+| ActiveRecord.rb:28:30:28:44 | ...[...] |
+| ActiveRecord.rb:29:20:29:42 | "id = '#{...}'" |
+| ActiveRecord.rb:30:22:30:44 | "id = '#{...}'" |
+| ActiveRecord.rb:31:16:31:21 | <<-SQL |
+| ActiveRecord.rb:34:20:34:47 | "user.id = '#{...}'" |
+| ActiveRecord.rb:44:20:44:32 | ... + ... |
+| ActiveRecord.rb:50:16:50:28 | "name #{...}" |
+| ActiveRecord.rb:54:20:54:39 | "username = #{...}" |
 activeRecordModelClassMethodCalls
 | ActiveRecord.rb:2:3:2:17 | call to has_many |
 | ActiveRecord.rb:6:3:6:24 | call to belongs_to |
-| ActiveRecord.rb:10:5:10:68 | call to find |
-| ActiveRecord.rb:15:5:15:40 | call to find_by |
-| ActiveRecord.rb:15:5:15:46 | call to users |
-| ActiveRecord.rb:23:5:23:25 | call to destroy_by |
-| ActiveRecord.rb:35:5:35:45 | call to calculate |
-| ActiveRecord.rb:39:5:39:43 | call to delete_by |
-| ActiveRecord.rb:43:5:43:46 | call to destroy_by |
-| ActiveRecord.rb:47:5:47:35 | call to where |
-| ActiveRecord.rb:54:5:54:14 | call to where |
-| ActiveRecord.rb:54:5:54:48 | call to not |
-| ActiveRecord.rb:56:5:56:51 | call to authenticate |
-| ActiveRecord.rb:68:5:68:33 | call to delete_by |
-| ActiveRecord.rb:75:5:75:29 | call to order |
-| ActiveRecord.rb:80:7:80:40 | call to find_by |
-| ActiveRecord.rb:85:5:85:33 | call to find_by |
-| ActiveRecord.rb:88:5:88:34 | call to find |
-| ActiveRecord.rb:94:5:94:45 | call to delete_by |
+| ActiveRecord.rb:9:5:9:68 | call to find |
+| ActiveRecord.rb:13:5:13:40 | call to find_by |
+| ActiveRecord.rb:13:5:13:46 | call to users |
+| ActiveRecord.rb:19:5:19:25 | call to destroy_by |
+| ActiveRecord.rb:28:5:28:45 | call to calculate |
+| ActiveRecord.rb:29:5:29:43 | call to delete_by |
+| ActiveRecord.rb:30:5:30:46 | call to destroy_by |
+| ActiveRecord.rb:31:5:31:35 | call to where |
+| ActiveRecord.rb:34:5:34:14 | call to where |
+| ActiveRecord.rb:34:5:34:48 | call to not |
+| ActiveRecord.rb:35:5:35:51 | call to authenticate |
+| ActiveRecord.rb:44:5:44:33 | call to delete_by |
+| ActiveRecord.rb:50:5:50:29 | call to order |
+| ActiveRecord.rb:54:7:54:40 | call to find_by |
+| ActiveRecord.rb:58:5:58:33 | call to find_by |
+| ActiveRecord.rb:60:5:60:34 | call to find |
+| ActiveRecord.rb:66:5:66:45 | call to delete_by |
 potentiallyUnsafeSqlExecutingMethodCall
-| ActiveRecord.rb:10:5:10:68 | call to find |
-| ActiveRecord.rb:23:5:23:25 | call to destroy_by |
-| ActiveRecord.rb:35:5:35:45 | call to calculate |
-| ActiveRecord.rb:39:5:39:43 | call to delete_by |
-| ActiveRecord.rb:43:5:43:46 | call to destroy_by |
-| ActiveRecord.rb:47:5:47:35 | call to where |
-| ActiveRecord.rb:54:5:54:48 | call to not |
-| ActiveRecord.rb:68:5:68:33 | call to delete_by |
-| ActiveRecord.rb:75:5:75:29 | call to order |
-| ActiveRecord.rb:80:7:80:40 | call to find_by |
+| ActiveRecord.rb:9:5:9:68 | call to find |
+| ActiveRecord.rb:19:5:19:25 | call to destroy_by |
+| ActiveRecord.rb:28:5:28:45 | call to calculate |
+| ActiveRecord.rb:29:5:29:43 | call to delete_by |
+| ActiveRecord.rb:30:5:30:46 | call to destroy_by |
+| ActiveRecord.rb:31:5:31:35 | call to where |
+| ActiveRecord.rb:34:5:34:48 | call to not |
+| ActiveRecord.rb:44:5:44:33 | call to delete_by |
+| ActiveRecord.rb:50:5:50:29 | call to order |
+| ActiveRecord.rb:54:7:54:40 | call to find_by |
 activeRecordModelInstantiations
-| ActiveRecord.rb:10:5:10:68 | call to find | ActiveRecord.rb:5:1:17:3 | User |
-| ActiveRecord.rb:15:5:15:40 | call to find_by | ActiveRecord.rb:1:1:3:3 | UserGroup |
-| ActiveRecord.rb:80:7:80:40 | call to find_by | ActiveRecord.rb:5:1:17:3 | User |
-| ActiveRecord.rb:85:5:85:33 | call to find_by | ActiveRecord.rb:5:1:17:3 | User |
-| ActiveRecord.rb:88:5:88:34 | call to find | ActiveRecord.rb:5:1:17:3 | User |
+| ActiveRecord.rb:9:5:9:68 | call to find | ActiveRecord.rb:5:1:15:3 | User |
+| ActiveRecord.rb:13:5:13:40 | call to find_by | ActiveRecord.rb:1:1:3:3 | UserGroup |
+| ActiveRecord.rb:54:7:54:40 | call to find_by | ActiveRecord.rb:5:1:15:3 | User |
+| ActiveRecord.rb:58:5:58:33 | call to find_by | ActiveRecord.rb:5:1:15:3 | User |
+| ActiveRecord.rb:60:5:60:34 | call to find | ActiveRecord.rb:5:1:15:3 | User |

ruby/ql/test/library-tests/frameworks/ActiveRecord.rb

@@ -6,20 +6,16 @@ class User < ApplicationRecord
   belongs_to :user_group
 
   def self.authenticate(name, pass)
-    # BAD: possible untrusted input interpolated into SQL fragment
     find(:first, :conditions => "name='#{name}' and pass='#{pass}'")
   end
 
   def self.from(user_group_id)
-    # GOOD: `find_by` with hash argument
     UserGroup.find_by(id: user_group_id).users
   end
 end
 
 class Admin < User
   def self.delete_by(condition = nil)
-    # BAD: `delete_by` overrides an ActiveRecord method, but doesn't perform
-    # any validation before passing its arguments on to another ActiveRecord method
     destroy_by(condition)
   end
 end
@@ -28,31 +24,14 @@ class FooController < ActionController::Base
 
   MAX_USER_ID = 100_000
 
-  # A string tainted by user input is inserted into an SQL query
   def some_request_handler
-    # BAD: executes `SELECT AVG(#{params[:column]}) FROM "users"`
-    # where `params[:column]` is unsanitized
     User.calculate(:average, params[:column])
-
-    # BAD: executes `DELETE FROM "users" WHERE (id = '#{params[:id]}')`
-    # where `params[:id]` is unsanitized
     User.delete_by("id = '#{params[:id]}'")
-
-    # BAD: executes `SELECT "users".* FROM "users" WHERE (id = '#{params[:id]}')`
-    # where `params[:id]` is unsanitized
     User.destroy_by(["id = '#{params[:id]}'"])
-
-    # BAD: executes `SELECT "users".* FROM "users" WHERE id BETWEEN '#{params[:min_id]}' AND 100000`
-    # where `params[:min_id]` is unsanitized
     User.where(<<-SQL, MAX_USER_ID)
       id BETWEEN '#{params[:min_id]}' AND ?
     SQL
-
-    # BAD: chained method case
-    # executes `SELECT "users".* FROM "users" WHERE (NOT (user_id = 'params[:id]'))`
-    # where `params[:id]` is unsanitized
     User.where.not("user.id = '#{params[:id]}'")
-
     User.authenticate(params[:name], params[:pass])
   end
 end
@@ -62,29 +41,22 @@ def some_other_request_handler
     ps = params
     uid = ps[:id]
     uidEq = "= '#{uid}'"
-
-    # BAD: executes `DELETE FROM "users" WHERE (id = #{uid})`
-    # where `uid` is unsantized
     User.delete_by("id " + uidEq)
   end
 
   def safe_paths
     dir = params[:order]
-    # GOOD: barrier guard prevents taint flow
     dir = "DESC" unless dir == "ASC"
     User.order("name #{dir}")
 
     name = params[:user_name]
-    # GOOD: barrier guard prevents taint flow
     if %w(alice bob charlie).include? name
       User.find_by("username = #{name}")
     end
 
     name = params[:user_name]
-    # GOOD: hash arguments are sanitized by ActiveRecord
     User.find_by(user_name: name)
 
-    # OK: `find` method is overridden in `User`
     User.find(params[:user_group])
   end
 end