
Commit 7c9100c

authored
Merge pull request github#12730 from asgerf/rb/net-http
Ruby: Minor fix in NetHttpRequest
2 parents 1df3b01 + c699afd commit 7c9100c


4 files changed

+307
-92
lines changed


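--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
@@ -21,8 +21,8 @@ private import codeql.ruby.dataflow.internal.DataFlowImplForHttpClientLibraries
 */
 class NetHttpRequest extends Http::Client::Request::Range, DataFlow::CallNode {
 private DataFlow::CallNode request;
-private DataFlow::Node responseBody;
 private API::Node requestNode;
+private boolean returnsResponseBody;
 
 NetHttpRequest() {
 exists(string method |
@@ -32,20 +32,20 @@ class NetHttpRequest extends Http::Client::Request::Range, DataFlow::CallNode {
 // Net::HTTP.get(...)
 method = "get" and
 requestNode = API::getTopLevelMember("Net").getMember("HTTP").getReturn(method) and
-responseBody = request
+returnsResponseBody = true
 or
 // Net::HTTP.post(...).body
 method in ["post", "post_form"] and
 requestNode = API::getTopLevelMember("Net").getMember("HTTP").getReturn(method) and
-responseBody = requestNode.getAMethodCall(["body", "read_body", "entity"])
+returnsResponseBody = false
 or
 // Net::HTTP.new(..).get(..).body
 method in [
 "get", "get2", "request_get", "head", "head2", "request_head", "delete", "put", "patch",
 "post", "post2", "request_post", "request"
 ] and
 requestNode = API::getTopLevelMember("Net").getMember("HTTP").getInstance().getReturn(method) and
-responseBody = requestNode.getAMethodCall(["body", "read_body", "entity"])
+returnsResponseBody = false
 )
 }
 
@@ -64,7 +64,11 @@ class NetHttpRequest extends Http::Client::Request::Range, DataFlow::CallNode {
 )
 }
 
-override DataFlow::Node getResponseBody() { result = responseBody }
+override DataFlow::Node getResponseBody() {
+if returnsResponseBody = true
+then result = this
+else result = requestNode.getAMethodCall(["body", "read_body", "entity"])
+}
 
 /** Gets the value that controls certificate validation, if any. */
 DataFlow::Node getCertificateValidationControllingValue() {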
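Review bot: The new field `returnsResponseBody` (new line 25) is undocumented, and the constructor comments `// Net::HTTP.post(...).body` and `// Net::HTTP.new(..).get(..).body` still describe a `.body` read that this change moves into `getResponseBody()`. Since `getResponseBody()` decides which nodes downstream queries see as data received over the network, the field should say what it encodes, for example `/** Holds if this call evaluates directly to the response body (Net::HTTP.get) rather than to a response object. */`. A short QLDoc on `getResponseBody()` should also note that the `body`/`read_body`/`entity` accessors apply only in the `false` case. The class body starts and continues outside the visible hunks, so how `request` relates to `this` cannot be confirmed here. If the two can differ, `result = this` returns a different node than the removed `responseBody = request`, which is worth pinning with a test that the visible section does not show.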
