Commit 47c9c5b

Ruby: Update RequestWithoutValidation.ql to match Python version
No library modeling currently has support for the new disablesCertificateValidation/2, so only the alert text has changed (removed an import from Python so the queries would ACTUALLY match)
1 parent 4a82025 commit 47c9c5b

3 files changed

+36
-30
lines changed

python/ql/src/Security/CWE-295/RequestWithoutValidation.ql

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,6 @@
1313
import python
1414
private import semmle.python.dataflow.new.DataFlow
1515
private import semmle.python.Concepts
16-
private import semmle.python.ApiGraphs
1716

1817
from
1918
HTTP::Client::Request request, DataFlow::Node disablingNode, DataFlow::Node origin, string ending
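Review bot: dropping `private import semmle.python.ApiGraphs` looks safe from the visible context: nothing in the remaining lines references `API::` members, and the `from` clause only uses `HTTP::Client::Request` and `DataFlow::Node`, which come from `semmle.python.Concepts` and `semmle.python.dataflow.new.DataFlow`. Since the commit message frames the removal as making the Python and Ruby queries "ACTUALLY match", it would help to say explicitly in the message that this is a no-behaviour-change cleanup, so reviewers do not go looking for a result-set change in the Python tests.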

ruby/ql/src/queries/security/cwe-295/RequestWithoutValidation.ql

Lines changed: 11 additions & 3 deletions
@@ -15,6 +15,14 @@ import ruby
1515
import codeql.ruby.Concepts
1616
import codeql.ruby.DataFlow
1717

18-
from HTTP::Client::Request request, DataFlow::Node disablingNode
19-
where request.disablesCertificateValidation(disablingNode)
20-
select request, "This request may run with $@.", disablingNode, "certificate validation disabled"
18+
from
19+
HTTP::Client::Request request, DataFlow::Node disablingNode, DataFlow::Node origin, string ending
20+
where
21+
request.disablesCertificateValidation(disablingNode, origin) and
22+
// Showing the origin is only useful when it's a different node than the one disabling
23+
// certificate validation, for example in `requests.get(..., verify=arg)`, `arg` would
24+
// be the `disablingNode`, and the `origin` would be the place were `arg` got its
25+
// value from.
26+
if disablingNode = origin then ending = "." else ending = " by the value from $@."
27+
select request, "This request may run without certificate validation because it is $@" + ending,
28+
disablingNode, "disabled here", origin, "here"
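Review bot: the `else` branch (`ending = " by the value from $@."`) is not exercised by the accompanying expected-output changes, where `origin` always equals `disablingNode`; a Ruby test in which the flag is first assigned to a local (for example `verify = false` and then passed as the `ssl_verify_peer` value) would cover the two-location alert once library modelling supports `disablesCertificateValidation/2` with a distinct origin. Also, the explanatory comment cites the Python form `requests.get(..., verify=arg)`; in a Ruby query a Ruby example (an `ssl_verify_peer` option taking a variable) would read more naturally, and "the place were `arg` got its value" should be "where".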
Lines changed: 25 additions & 26 deletions
@@ -1,26 +1,25 @@
1-
WARNING: Predicate disablesCertificateValidation has been deprecated and may be removed in future (/home/rasmus/work/code/ql/ruby/ql/src/queries/security/cwe-295/RequestWithoutValidation.ql:19,15-44)
2-
| Excon.rb:6:3:6:34 | call to get | This request may run with $@. | Excon.rb:5:3:5:34 | call to []= | certificate validation disabled |
3-
| Excon.rb:12:3:12:34 | call to get | This request may run with $@. | Excon.rb:11:3:11:23 | call to ssl_verify_peer= | certificate validation disabled |
4-
| Excon.rb:18:3:18:34 | call to get | This request may run with $@. | Excon.rb:17:3:17:34 | call to []= | certificate validation disabled |
5-
| Excon.rb:24:3:24:10 | call to get | This request may run with $@. | Excon.rb:23:55:23:76 | Pair | certificate validation disabled |
6-
| Excon.rb:30:3:30:62 | call to get | This request may run with $@. | Excon.rb:30:36:30:57 | Pair | certificate validation disabled |
7-
| Faraday.rb:5:12:5:30 | call to get | This request may run with $@. | Faraday.rb:4:48:4:69 | Pair | certificate validation disabled |
8-
| Faraday.rb:9:12:9:30 | call to get | This request may run with $@. | Faraday.rb:8:48:8:94 | Pair | certificate validation disabled |
9-
| HttpClient.rb:6:1:6:33 | call to get | This request may run with $@. | HttpClient.rb:5:1:5:29 | call to verify_mode= | certificate validation disabled |
10-
| Httparty.rb:4:1:4:50 | call to get | This request may run with $@. | Httparty.rb:4:37:4:49 | Pair | certificate validation disabled |
11-
| Httparty.rb:7:1:7:55 | call to get | This request may run with $@. | Httparty.rb:7:37:7:54 | Pair | certificate validation disabled |
12-
| Httparty.rb:10:1:10:59 | call to get | This request may run with $@. | Httparty.rb:10:39:10:56 | Pair | certificate validation disabled |
13-
| Httparty.rb:13:1:13:70 | call to post | This request may run with $@. | Httparty.rb:13:57:13:69 | Pair | certificate validation disabled |
14-
| Httparty.rb:16:1:16:74 | call to post | This request may run with $@. | Httparty.rb:16:59:16:71 | Pair | certificate validation disabled |
15-
| NetHttp.rb:9:12:9:31 | call to request | This request may run with $@. | NetHttp.rb:7:20:7:44 | ... = ... | certificate validation disabled |
16-
| OpenURI.rb:4:1:4:78 | call to open | This request may run with $@. | OpenURI.rb:4:36:4:77 | Pair | certificate validation disabled |
17-
| OpenURI.rb:7:1:7:82 | call to open | This request may run with $@. | OpenURI.rb:7:38:7:79 | Pair | certificate validation disabled |
18-
| OpenURI.rb:11:1:11:43 | call to open | This request may run with $@. | OpenURI.rb:10:13:10:54 | Pair | certificate validation disabled |
19-
| OpenURI.rb:14:1:14:81 | call to open | This request may run with $@. | OpenURI.rb:14:39:14:80 | Pair | certificate validation disabled |
20-
| OpenURI.rb:17:1:17:85 | call to open | This request may run with $@. | OpenURI.rb:17:41:17:82 | Pair | certificate validation disabled |
21-
| OpenURI.rb:21:1:21:46 | call to open | This request may run with $@. | OpenURI.rb:20:13:20:54 | Pair | certificate validation disabled |
22-
| RestClient.rb:5:12:5:23 | call to get | This request may run with $@. | RestClient.rb:4:60:4:96 | Pair | certificate validation disabled |
23-
| RestClient.rb:9:12:9:23 | call to get | This request may run with $@. | RestClient.rb:8:62:8:98 | Pair | certificate validation disabled |
24-
| RestClient.rb:14:12:14:23 | call to get | This request may run with $@. | RestClient.rb:12:13:12:49 | Pair | certificate validation disabled |
25-
| Typhoeus.rb:4:1:4:62 | call to get | This request may run with $@. | Typhoeus.rb:4:41:4:61 | Pair | certificate validation disabled |
26-
| Typhoeus.rb:8:1:8:54 | call to post | This request may run with $@. | Typhoeus.rb:7:37:7:57 | Pair | certificate validation disabled |
1+
| Excon.rb:6:3:6:34 | call to get | This request may run without certificate validation because it is $@. | Excon.rb:5:3:5:34 | call to []= | disabled here | Excon.rb:5:3:5:34 | call to []= | here |
2+
| Excon.rb:12:3:12:34 | call to get | This request may run without certificate validation because it is $@. | Excon.rb:11:3:11:23 | call to ssl_verify_peer= | disabled here | Excon.rb:11:3:11:23 | call to ssl_verify_peer= | here |
3+
| Excon.rb:18:3:18:34 | call to get | This request may run without certificate validation because it is $@. | Excon.rb:17:3:17:34 | call to []= | disabled here | Excon.rb:17:3:17:34 | call to []= | here |
4+
| Excon.rb:24:3:24:10 | call to get | This request may run without certificate validation because it is $@. | Excon.rb:23:55:23:76 | Pair | disabled here | Excon.rb:23:55:23:76 | Pair | here |
5+
| Excon.rb:30:3:30:62 | call to get | This request may run without certificate validation because it is $@. | Excon.rb:30:36:30:57 | Pair | disabled here | Excon.rb:30:36:30:57 | Pair | here |
6+
| Faraday.rb:5:12:5:30 | call to get | This request may run without certificate validation because it is $@. | Faraday.rb:4:48:4:69 | Pair | disabled here | Faraday.rb:4:48:4:69 | Pair | here |
7+
| Faraday.rb:9:12:9:30 | call to get | This request may run without certificate validation because it is $@. | Faraday.rb:8:48:8:94 | Pair | disabled here | Faraday.rb:8:48:8:94 | Pair | here |
8+
| HttpClient.rb:6:1:6:33 | call to get | This request may run without certificate validation because it is $@. | HttpClient.rb:5:1:5:29 | call to verify_mode= | disabled here | HttpClient.rb:5:1:5:29 | call to verify_mode= | here |
9+
| Httparty.rb:4:1:4:50 | call to get | This request may run without certificate validation because it is $@. | Httparty.rb:4:37:4:49 | Pair | disabled here | Httparty.rb:4:37:4:49 | Pair | here |
10+
| Httparty.rb:7:1:7:55 | call to get | This request may run without certificate validation because it is $@. | Httparty.rb:7:37:7:54 | Pair | disabled here | Httparty.rb:7:37:7:54 | Pair | here |
11+
| Httparty.rb:10:1:10:59 | call to get | This request may run without certificate validation because it is $@. | Httparty.rb:10:39:10:56 | Pair | disabled here | Httparty.rb:10:39:10:56 | Pair | here |
12+
| Httparty.rb:13:1:13:70 | call to post | This request may run without certificate validation because it is $@. | Httparty.rb:13:57:13:69 | Pair | disabled here | Httparty.rb:13:57:13:69 | Pair | here |
13+
| Httparty.rb:16:1:16:74 | call to post | This request may run without certificate validation because it is $@. | Httparty.rb:16:59:16:71 | Pair | disabled here | Httparty.rb:16:59:16:71 | Pair | here |
14+
| NetHttp.rb:9:12:9:31 | call to request | This request may run without certificate validation because it is $@. | NetHttp.rb:7:20:7:44 | ... = ... | disabled here | NetHttp.rb:7:20:7:44 | ... = ... | here |
15+
| OpenURI.rb:4:1:4:78 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:4:36:4:77 | Pair | disabled here | OpenURI.rb:4:36:4:77 | Pair | here |
16+
| OpenURI.rb:7:1:7:82 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:7:38:7:79 | Pair | disabled here | OpenURI.rb:7:38:7:79 | Pair | here |
17+
| OpenURI.rb:11:1:11:43 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:10:13:10:54 | Pair | disabled here | OpenURI.rb:10:13:10:54 | Pair | here |
18+
| OpenURI.rb:14:1:14:81 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:14:39:14:80 | Pair | disabled here | OpenURI.rb:14:39:14:80 | Pair | here |
19+
| OpenURI.rb:17:1:17:85 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:17:41:17:82 | Pair | disabled here | OpenURI.rb:17:41:17:82 | Pair | here |
20+
| OpenURI.rb:21:1:21:46 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:20:13:20:54 | Pair | disabled here | OpenURI.rb:20:13:20:54 | Pair | here |
21+
| RestClient.rb:5:12:5:23 | call to get | This request may run without certificate validation because it is $@. | RestClient.rb:4:60:4:96 | Pair | disabled here | RestClient.rb:4:60:4:96 | Pair | here |
22+
| RestClient.rb:9:12:9:23 | call to get | This request may run without certificate validation because it is $@. | RestClient.rb:8:62:8:98 | Pair | disabled here | RestClient.rb:8:62:8:98 | Pair | here |
23+
| RestClient.rb:14:12:14:23 | call to get | This request may run without certificate validation because it is $@. | RestClient.rb:12:13:12:49 | Pair | disabled here | RestClient.rb:12:13:12:49 | Pair | here |
24+
| Typhoeus.rb:4:1:4:62 | call to get | This request may run without certificate validation because it is $@. | Typhoeus.rb:4:41:4:61 | Pair | disabled here | Typhoeus.rb:4:41:4:61 | Pair | here |
25+
| Typhoeus.rb:8:1:8:54 | call to post | This request may run without certificate validation because it is $@. | Typhoeus.rb:7:37:7:57 | Pair | disabled here | Typhoeus.rb:7:37:7:57 | Pair | here |
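Review bot: besides the message change, removing the first line fixes a latent portability problem: the old expected file embedded the deprecation WARNING together with a developer-local absolute path (`/home/rasmus/work/code/ql/...`), so the test could only pass verbatim on that one machine; once the query calls the non-deprecated two-argument predicate the warning disappears and the expected output becomes machine-independent. Note that every new row repeats the same location for both `disabled here` and `here`, so this file only confirms the `disablingNode = origin` branch; a case where the origin differs would strengthen the test.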
