Add test cases

joefarebrother · joefarebrother · commit b74145349b96 · 2024-03-22T14:07:11.000Z
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
@@ -811,9 +811,9 @@ private module MassAssignmentSinks {
           name =
             [
               "build", "create", "create!", "create_with", "create_or_find_by",
-              "create_or_find_by!", "find_or_create_by", "find_or_create_by!", "insert", "insert!",
-              "insert_all", "insert_all!", "instantiate", "new", "update", "update!", "upsert",
-              "upsert_all"
+              "create_or_find_by!", "find_or_create_by", "find_or_create_by!",
+              "find_or_initialize_by", "insert", "insert!", "insert_all", "insert_all!",
+              "instantiate", "new", "update", "update!", "upsert", "upsert_all"
             ] and
           this = call.getArgument(0)
           or
diff --git a/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected b/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected
@@ -1,12 +1,81 @@
 edges
-| test.rb:17:9:17:14 | call to params | test.rb:17:9:17:29 | call to require | provenance |  |
-| test.rb:17:9:17:29 | call to require | test.rb:17:9:17:37 | call to permit! | provenance |  |
-| test.rb:17:9:17:37 | call to permit! | test.rb:8:18:8:28 | call to user_params | provenance |  |
+| test.rb:23:25:23:37 | call to [] [element 0] | test.rb:23:25:23:37 | call to [] | provenance |  |
+| test.rb:23:26:23:36 | call to user_params | test.rb:23:25:23:37 | call to [] [element 0] | provenance |  |
+| test.rb:24:26:24:38 | call to [] [element 0] | test.rb:24:26:24:38 | call to [] | provenance |  |
+| test.rb:24:27:24:37 | call to user_params | test.rb:24:26:24:38 | call to [] [element 0] | provenance |  |
+| test.rb:30:21:30:33 | call to [] [element 0] | test.rb:30:21:30:33 | call to [] | provenance |  |
+| test.rb:30:22:30:32 | call to user_params | test.rb:30:21:30:33 | call to [] [element 0] | provenance |  |
+| test.rb:43:9:43:14 | call to params | test.rb:43:9:43:29 | call to require | provenance |  |
+| test.rb:43:9:43:29 | call to require | test.rb:43:9:43:37 | call to permit! | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:8:18:8:28 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:18:20:18:30 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:19:21:19:31 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:20:22:20:32 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:21:21:21:31 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:22:22:22:32 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:23:26:23:36 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:24:27:24:37 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:25:21:25:31 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:26:24:26:34 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:27:22:27:32 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:28:25:28:35 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:29:21:29:31 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:30:22:30:32 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:31:32:31:42 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:32:33:32:43 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:33:36:33:46 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:34:32:34:42 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:35:33:35:43 | call to user_params | provenance |  |
+| test.rb:43:9:43:37 | call to permit! | test.rb:36:26:36:36 | call to user_params | provenance |  |
 nodes
 | test.rb:8:18:8:28 | call to user_params | semmle.label | call to user_params |
-| test.rb:17:9:17:14 | call to params | semmle.label | call to params |
-| test.rb:17:9:17:29 | call to require | semmle.label | call to require |
-| test.rb:17:9:17:37 | call to permit! | semmle.label | call to permit! |
+| test.rb:18:20:18:30 | call to user_params | semmle.label | call to user_params |
+| test.rb:19:21:19:31 | call to user_params | semmle.label | call to user_params |
+| test.rb:20:22:20:32 | call to user_params | semmle.label | call to user_params |
+| test.rb:21:21:21:31 | call to user_params | semmle.label | call to user_params |
+| test.rb:22:22:22:32 | call to user_params | semmle.label | call to user_params |
+| test.rb:23:25:23:37 | call to [] | semmle.label | call to [] |
+| test.rb:23:25:23:37 | call to [] [element 0] | semmle.label | call to [] [element 0] |
+| test.rb:23:26:23:36 | call to user_params | semmle.label | call to user_params |
+| test.rb:24:26:24:38 | call to [] | semmle.label | call to [] |
+| test.rb:24:26:24:38 | call to [] [element 0] | semmle.label | call to [] [element 0] |
+| test.rb:24:27:24:37 | call to user_params | semmle.label | call to user_params |
+| test.rb:25:21:25:31 | call to user_params | semmle.label | call to user_params |
+| test.rb:26:24:26:34 | call to user_params | semmle.label | call to user_params |
+| test.rb:27:22:27:32 | call to user_params | semmle.label | call to user_params |
+| test.rb:28:25:28:35 | call to user_params | semmle.label | call to user_params |
+| test.rb:29:21:29:31 | call to user_params | semmle.label | call to user_params |
+| test.rb:30:21:30:33 | call to [] | semmle.label | call to [] |
+| test.rb:30:21:30:33 | call to [] [element 0] | semmle.label | call to [] [element 0] |
+| test.rb:30:22:30:32 | call to user_params | semmle.label | call to user_params |
+| test.rb:31:32:31:42 | call to user_params | semmle.label | call to user_params |
+| test.rb:32:33:32:43 | call to user_params | semmle.label | call to user_params |
+| test.rb:33:36:33:46 | call to user_params | semmle.label | call to user_params |
+| test.rb:34:32:34:42 | call to user_params | semmle.label | call to user_params |
+| test.rb:35:33:35:43 | call to user_params | semmle.label | call to user_params |
+| test.rb:36:26:36:36 | call to user_params | semmle.label | call to user_params |
+| test.rb:43:9:43:14 | call to params | semmle.label | call to params |
+| test.rb:43:9:43:29 | call to require | semmle.label | call to require |
+| test.rb:43:9:43:37 | call to permit! | semmle.label | call to permit! |
 subpaths
 #select
-| test.rb:8:18:8:28 | call to user_params | test.rb:17:9:17:14 | call to params | test.rb:8:18:8:28 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:17:9:17:14 | call to params | this remote flow source |
+| test.rb:8:18:8:28 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:8:18:8:28 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:18:20:18:30 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:18:20:18:30 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:19:21:19:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:19:21:19:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:20:22:20:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:20:22:20:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:21:21:21:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:21:21:21:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:22:22:22:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:22:22:22:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:23:25:23:37 | call to [] | test.rb:43:9:43:14 | call to params | test.rb:23:25:23:37 | call to [] | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:24:26:24:38 | call to [] | test.rb:43:9:43:14 | call to params | test.rb:24:26:24:38 | call to [] | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:25:21:25:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:25:21:25:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:26:24:26:34 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:26:24:26:34 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:27:22:27:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:27:22:27:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:28:25:28:35 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:28:25:28:35 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:29:21:29:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:29:21:29:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:30:21:30:33 | call to [] | test.rb:43:9:43:14 | call to params | test.rb:30:21:30:33 | call to [] | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:31:32:31:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:31:32:31:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:32:33:32:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:32:33:32:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:33:36:33:46 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:33:36:33:46 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:34:32:34:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:34:32:34:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:35:33:35:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:35:33:35:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:36:26:36:36 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:36:26:36:36 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
diff --git a/ruby/ql/test/query-tests/security/cwe-915/test.rb b/ruby/ql/test/query-tests/security/cwe-915/test.rb
@@ -13,6 +13,32 @@ def create2
         User.new(params[:user].permit(:name,:address))
     end
 
+    def create3
+        # each BAD
+        User.build(user_params)
+        User.create(user_params)
+        User.create!(user_params)
+        User.insert(user_params)
+        User.insert!(user_params)
+        User.insert_all([user_params])
+        User.insert_all!([user_params])
+        User.update(user_params)
+        User.update(7, user_params)
+        User.update!(user_params)
+        User.update!(7, user_params)
+        User.upsert(user_params)
+        User.upsert([user_params])
+        User.find_or_create_by(user_params)
+        User.find_or_create_by!(user_params)
+        User.find_or_initialize_by(user_params)
+        User.create_or_find_by(user_params)
+        User.create_or_find_by!(user_params)
+        User.create_with(user_params)
+
+        user = User.where(name:"abc")
+        user.update(user_params)
+    end
+
     def user_params
         params.require(:user).permit!
     end
