Ruby: Fix bug in rb/insecure-dependency query

hmac · nickrolfe · web-flow · commit 5814db19d58f · 2022-04-01T15:35:21.000+13:00
Only look at the first component of strings for the prefix.

Co-authored-by: Nick Rolfe &lt;nickrolfe@github.com&gt;
diff --git a/ruby/ql/lib/codeql/ruby/security/InsecureDependencyQuery.qll b/ruby/ql/lib/codeql/ruby/security/InsecureDependencyQuery.qll
@@ -59,7 +59,7 @@ private predicate hasInsecureProtocol(string s, string proto) {
 private predicate containsInsecureUrl(Expr e, string proto) {
   // Handle cases where the string as a whole has no constant value (due to interpolations)
   // but has a known prefix. E.g. "http://#{foo}"
-  exists(StringComponent c | c = e.(StringlikeLiteral).getComponent(_) |
+  exists(StringComponent c | c = e.(StringlikeLiteral).getComponent(0) |
     hasInsecureProtocol(c.getConstantValue().getString(), proto)
   )
   or

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ private predicate hasInsecureProtocol(string s, string proto) {`
`59`	`59`	`private predicate containsInsecureUrl(Expr e, string proto) {`
`60`	`60`	`// Handle cases where the string as a whole has no constant value (due to interpolations)`
`61`	`61`	`// but has a known prefix. E.g. "http://#{foo}"`
`62`		`- exists(StringComponent c \| c = e.(StringlikeLiteral).getComponent(_) \|`
	`62`	`+ exists(StringComponent c \| c = e.(StringlikeLiteral).getComponent(0) \|`
`63`	`63`	`hasInsecureProtocol(c.getConstantValue().getString(), proto)`
`64`	`64`	`)`
`65`	`65`	`or`