Ruby: switch rb/sensitive-get-query back to using local flow

Author: alexrford

ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryCustomizations.qll

@@ -2,7 +2,7 @@
  * @name Sensitive data read from GET request
  * @description Placing sensitive data in a GET request increases the risk of
  *              the data being exposed to an attacker.
- * @kind path-problem
+ * @kind problem
  * @problem.severity warning
  * @security-severity 6.5
  * @precision high
@@ -12,12 +12,30 @@
  */
 
 import ruby
-import DataFlow::PathGraph
-import codeql.ruby.security.SensitiveGetQueryQuery
+import codeql.ruby.Concepts
 import codeql.ruby.security.SensitiveActions
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveGetQuery::Configuration config
-where config.hasFlowPath(source, sink)
-select source.getNode(), source, sink,
-  "$@ for GET requests uses query parameter as sensitive data.",
-  source.getNode().(SensitiveGetQuery::Source).getHandler(), "Route handler"
+// Local flow augmented with flow through element references
+private predicate localFlowWithElementReference(DataFlow::LocalSourceNode src, DataFlow::Node to) {
+  src.flowsTo(to)
+  or
+  exists(DataFlow::Node midRecv, DataFlow::LocalSourceNode mid, Ast::ElementReference ref |
+    src.flowsTo(midRecv) and
+    midRecv.asExpr().getExpr() = ref.getReceiver() and
+    mid.asExpr().getExpr() = ref
+  |
+    localFlowWithElementReference(mid, to)
+  )
+}
+
+from
+  Http::Server::RequestHandler handler, Http::Server::RequestInputAccess input,
+  SensitiveNode sensitive
+where
+  handler.getAnHttpMethod() = "get" and
+  input.asExpr().getExpr().getEnclosingMethod() = handler and
+  input.getKind() = "parameter" and
+  localFlowWithElementReference(input, sensitive) and
+  not sensitive.getClassification() = SensitiveDataClassification::id()
+select input, "$@ for GET requests uses query parameter as sensitive data.", handler,
+  "Route handler"

ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll

@@ -1,13 +1 @@
-edges
-| app/controllers/users_controller.rb:4:16:4:21 | call to params :  | app/controllers/users_controller.rb:4:16:4:32 | ...[...] |
-| app/controllers/users_controller.rb:4:16:4:21 | call to params :  | app/controllers/users_controller.rb:4:16:4:32 | ...[...] :  |
-| app/controllers/users_controller.rb:4:16:4:32 | ...[...] :  | app/controllers/users_controller.rb:5:42:5:49 | password |
-nodes
-| app/controllers/users_controller.rb:4:16:4:21 | call to params :  | semmle.label | call to params :  |
-| app/controllers/users_controller.rb:4:16:4:32 | ...[...] | semmle.label | ...[...] |
-| app/controllers/users_controller.rb:4:16:4:32 | ...[...] :  | semmle.label | ...[...] :  |
-| app/controllers/users_controller.rb:5:42:5:49 | password | semmle.label | password |
-subpaths
-#select
-| app/controllers/users_controller.rb:4:16:4:21 | call to params | app/controllers/users_controller.rb:4:16:4:21 | call to params :  | app/controllers/users_controller.rb:4:16:4:32 | ...[...] | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get | Route handler |
-| app/controllers/users_controller.rb:4:16:4:21 | call to params | app/controllers/users_controller.rb:4:16:4:21 | call to params :  | app/controllers/users_controller.rb:5:42:5:49 | password | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get | Route handler |
+| app/controllers/users_controller.rb:4:16:4:21 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get | Route handler |