Ruby: Model sanitize ActionView helper

hmac · hmac · commit 9f99a3ca1f78 · 2022-09-26T20:56:11.000+13:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionView.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionView.qll
@@ -38,7 +38,7 @@ private class ActionViewHtmlSafeCall extends HtmlSafeCall {
  */
 abstract class HtmlEscapeCall extends MethodCall {
   // "h" is aliased to "html_escape" in ActiveSupport
-  HtmlEscapeCall() { this.getMethodName() = ["html_escape", "html_escape_once", "h"] }
+  HtmlEscapeCall() { this.getMethodName() = ["html_escape", "html_escape_once", "h", "sanitize"] }
 }
 
 /**
diff --git a/ruby/ql/test/query-tests/security/cwe-079/app/views/foo/bars/show.html.erb b/ruby/ql/test/query-tests/security/cwe-079/app/views/foo/bars/show.html.erb
@@ -75,3 +75,6 @@
 
 <%# BAD: javasript_include_tag called with remote input %>
 <%= javascript_include_tag params[:url] %>
+
+<%# GOOD: input is sanitized %>
+<%= sanitize(params[:comment]).html_safe %>

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ private class ActionViewHtmlSafeCall extends HtmlSafeCall {`
`38`	`38`	`*/`
`39`	`39`	`abstract class HtmlEscapeCall extends MethodCall {`
`40`	`40`	`// "h" is aliased to "html_escape" in ActiveSupport`
`41`		`- HtmlEscapeCall() { this.getMethodName() = ["html_escape", "html_escape_once", "h"] }`
	`41`	`+ HtmlEscapeCall() { this.getMethodName() = ["html_escape", "html_escape_once", "h", "sanitize"] }`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`/**`