Update ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql

thiggy1342 · hmac · web-flow · commit cc958dc1711e · 2022-07-21T17:19:33.000-04:00
Co-authored-by: Harry Maclean &lt;hmac@github.com&gt;
diff --git a/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql b/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql
@@ -91,6 +91,6 @@ class HttpVerbConfig extends TaintTracking::Configuration {
 }
 
 from HttpVerbConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlow(source.getNode(), sink.getNode())
+where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mappting resources and verbs to specific methods."

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,6 @@ class HttpVerbConfig extends TaintTracking::Configuration {`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`from HttpVerbConfig config, DataFlow::PathNode source, DataFlow::PathNode sink`
`94`		`-where config.hasFlow(source.getNode(), sink.getNode())`
	`94`	`+where config.hasFlowPath(source, sink)`
`95`	`95`	`select sink.getNode(), source, sink,`
`96`	`96`	`"Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mappting resources and verbs to specific methods."`