remove parameters named "code" as source

erik-krogh · erik-krogh · commit 2033dd2dcc96 · 2022-11-25T10:25:31.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll
@@ -19,7 +19,10 @@ module UnsafeCodeConstruction {
 
   /** An input parameter to a gem seen as a source. */
   private class LibraryInputAsSource extends Source instanceof DataFlow::ParameterNode {
-    LibraryInputAsSource() { this = Gem::getALibraryInput() }
+    LibraryInputAsSource() {
+      this = Gem::getALibraryInput() and
+      not this.getName() = "code"
+    }
   }
 
   /** A sink for code constructed from library input vulnerabilities. */
diff --git a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb
@@ -20,4 +20,8 @@ def indirect_eval(x)
   def send_stuff(x)
     foo.send("foo_#{x}") # OK - attacker cannot control entire string.
   end
+
+  def named_code(code)
+    foo.send("def \n #{code} \n end") # OK - parameter is named code
+  end
 end
