Skip to content

Commit ef29a37

Browse files
alexrfordalexrford
committed
Ruby: Cleartext storage tests
1 parent 0070e30 commit ef29a37

File tree

4 files changed

+119
-0
lines changed

4 files changed

+119
-0
lines changed

ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.expected

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
edges
2+
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:5:39:5:50 | new_password |
3+
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:7:41:7:52 | new_password |
4+
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:13:42:13:53 | new_password |
5+
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:15:49:15:60 | new_password |
6+
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:15:87:15:98 | new_password |
7+
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | app/controllers/users_controller.rb:21:45:21:56 | new_password |
8+
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | app/controllers/users_controller.rb:21:83:21:94 | new_password |
9+
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | app/controllers/users_controller.rb:28:27:28:38 | new_password |
10+
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | app/controllers/users_controller.rb:30:28:30:39 | new_password |
11+
| app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : | app/controllers/users_controller.rb:37:39:37:50 | new_password |
12+
| app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : | app/controllers/users_controller.rb:44:21:44:32 | new_password |
13+
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" |
14+
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" |
15+
nodes
16+
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | semmle.label | "043697b96909e03ca907599d6420555f" : |
17+
| app/controllers/users_controller.rb:5:39:5:50 | new_password | semmle.label | new_password |
18+
| app/controllers/users_controller.rb:7:41:7:52 | new_password | semmle.label | new_password |
19+
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | semmle.label | "083c9e1da4cc0c2f5480bb4dbe6ff141" : |
20+
| app/controllers/users_controller.rb:13:42:13:53 | new_password | semmle.label | new_password |
21+
| app/controllers/users_controller.rb:15:49:15:60 | new_password | semmle.label | new_password |
22+
| app/controllers/users_controller.rb:15:87:15:98 | new_password | semmle.label | new_password |
23+
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | semmle.label | "504d224a806cf8073cd14ef08242d422" : |
24+
| app/controllers/users_controller.rb:21:45:21:56 | new_password | semmle.label | new_password |
25+
| app/controllers/users_controller.rb:21:83:21:94 | new_password | semmle.label | new_password |
26+
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | semmle.label | "7d6ae08394c3f284506dca70f05995f6" : |
27+
| app/controllers/users_controller.rb:28:27:28:38 | new_password | semmle.label | new_password |
28+
| app/controllers/users_controller.rb:30:28:30:39 | new_password | semmle.label | new_password |
29+
| app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : | semmle.label | "ff295f8648a406c37fbe378377320e4c" : |
30+
| app/controllers/users_controller.rb:37:39:37:50 | new_password | semmle.label | new_password |
31+
| app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : | semmle.label | "78ffbec583b546bd073efd898f833184" : |
32+
| app/controllers/users_controller.rb:44:21:44:32 | new_password | semmle.label | new_password |
33+
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | semmle.label | "0157af7c38cbdd24f1616de4e5321861" : |
34+
| app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | semmle.label | "password: #{...}\\n" |
35+
| app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | semmle.label | "password: #{...}" |
36+
subpaths
37+
#select
38+
| app/controllers/users_controller.rb:5:39:5:50 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:5:39:5:50 | new_password | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password |
39+
| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:7:41:7:52 | new_password | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password |
40+
| app/controllers/users_controller.rb:13:42:13:53 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:13:42:13:53 | new_password | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password |
41+
| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:15:49:15:60 | new_password | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password |
42+
| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:15:87:15:98 | new_password | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password |
43+
| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | app/controllers/users_controller.rb:21:45:21:56 | new_password | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password |
44+
| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | app/controllers/users_controller.rb:21:83:21:94 | new_password | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password |
45+
| app/controllers/users_controller.rb:28:27:28:38 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | app/controllers/users_controller.rb:28:27:28:38 | new_password | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password |
46+
| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | app/controllers/users_controller.rb:30:28:30:39 | new_password | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password |
47+
| app/controllers/users_controller.rb:37:39:37:50 | new_password | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : | app/controllers/users_controller.rb:37:39:37:50 | new_password | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | an assignment to new_password |
48+
| app/controllers/users_controller.rb:44:21:44:32 | new_password | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : | app/controllers/users_controller.rb:44:21:44:32 | new_password | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | an assignment to new_password |
49+
| app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password |
50+
| app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | Sensitive data returned by $@ is stored here. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password |

ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.qlref

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
queries/security/cwe-312/CleartextStorage.ql

ruby/ql/test/query-tests/security/cwe-312/app/controllers/users_controller.rb

Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
class UsersController < ApplicationController
2+
def createLikeCall
3+
new_password = "043697b96909e03ca907599d6420555f"
4+
# BAD: plaintext password stored to database
5+
User.create(name: "U1", password: new_password)
6+
# BAD: plaintext password stored to database
7+
User.create({ name: "U1", password: new_password })
8+
end
9+
10+
def updateLikeClassMethodCall
11+
new_password = "083c9e1da4cc0c2f5480bb4dbe6ff141"
12+
# BAD: plaintext password stored to database
13+
User.update(1, name: "U1", password: new_password)
14+
# BAD: plaintext password stored to database
15+
User.update([1, 2], [{name: "U1", password: new_password}, {name: "U2", password: new_password}])
16+
end
17+
18+
def insertAllLikeCall
19+
new_password = "504d224a806cf8073cd14ef08242d422"
20+
# BAD: plaintext password stored to database
21+
User.insert_all([{name: "U1", password: new_password}, {name: "U2", password: new_password}])
22+
end
23+
24+
def updateLikeInstanceMethodCall
25+
user = User.find(1)
26+
new_password = "7d6ae08394c3f284506dca70f05995f6"
27+
# BAD: plaintext password stored to database
28+
user.update(password: new_password)
29+
# BAD: plaintext password stored to database
30+
user.update({password: new_password})
31+
end
32+
33+
def updateAttributeCall
34+
user = User.find(1)
35+
new_password = "ff295f8648a406c37fbe378377320e4c"
36+
# BAD: plaintext password stored to database
37+
user.update_attribute("password", new_password)
38+
end
39+
40+
def assignAttributeCall
41+
user = User.find(1)
42+
new_password = "78ffbec583b546bd073efd898f833184"
43+
# BAD: plaintext password assigned to database field
44+
user.password = new_password
45+
user.save
46+
end
47+
48+
def hashedPasswordAssign
49+
user = User.find(1)
50+
new_password = "3746e149bfe3d6ccc665c3620d81cd2e"
51+
hashed_password = hash_password(new_password)
52+
53+
# GOOD: assigned value is hashed
54+
user.password = hashed_password
55+
end
56+
57+
def fileWrites
58+
new_password = "0157af7c38cbdd24f1616de4e5321861"
59+
60+
# BAD: plaintext password stored to disk
61+
IO.write("foo.txt", "password: #{new_password}\n")
62+
63+
# BAD: plaintext password stored to disk
64+
File.new("bar.txt", "a").puts("password: #{new_password}")
65+
end
66+
end

ruby/ql/test/query-tests/security/cwe-312/app/models/user.rb

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
class User < ActiveRecord::Base
2+
end

0 commit comments

Comments
 (0)