Ruby: treat Faraday#run_request as remote source

aibaars · aibaars · commit 9abd599024f9 · 2022-10-13T15:44:21.000+02:00
diff --git a/ruby/ql/lib/change-notes/2022-10-13-faraday-run-request.md b/ruby/ql/lib/change-notes/2022-10-13-faraday-run-request.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The response value returned by the `Faraday#run_request` method is now also considered a source of remote input.
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll
@@ -37,7 +37,8 @@ class FaradayHttpRequest extends Http::Client::Request::Range, DataFlow::CallNod
         API::getTopLevelMember("Faraday").getInstance()
       ] and
     requestNode =
-      connectionNode.getReturn(["get", "head", "delete", "post", "put", "patch", "trace"]) and
+      connectionNode
+          .getReturn(["get", "head", "delete", "post", "put", "patch", "trace", "run_request"]) and
     this = requestNode.asSource() and
     connectionUse = connectionNode.asSource()
   }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The response value returned by the `Faraday#run_request` method is now also considered a source of remote input.