
Commit 25203d9

committed
Ruby: use new dataflow api in OpenURI.qll
1 parent 0978229 commit 25203d9


1 file changed

+8
-13
lines changed

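--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll
@@ -8,7 +8,6 @@ private import codeql.ruby.Concepts
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.DataFlow
 private import codeql.ruby.frameworks.Core
-private import codeql.ruby.dataflow.internal.DataFlowImplForHttpClientLibraries as DataFlowImplForHttpClientLibraries
 
 /**
 * A call that makes an HTTP request using `OpenURI` via `URI.open` or
@@ -46,8 +45,7 @@ class OpenUriRequest extends Http::Client::Request::Range, DataFlow::CallNode {
 override predicate disablesCertificateValidation(
 DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
 ) {
-any(OpenUriDisablesCertificateValidationConfiguration config)
-.hasFlow(argumentOrigin, disablingNode) and
+OpenUriDisablesCertificateValidationFlow::flow(argumentOrigin, disablingNode) and
 disablingNode = this.getCertificateValidationControllingValue()
 }
 
@@ -94,28 +92,25 @@ class OpenUriKernelOpenRequest extends Http::Client::Request::Range, DataFlow::C
 override predicate disablesCertificateValidation(
 DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
 ) {
-any(OpenUriDisablesCertificateValidationConfiguration config)
-.hasFlow(argumentOrigin, disablingNode) and
+OpenUriDisablesCertificateValidationFlow::flow(argumentOrigin, disablingNode) and
 disablingNode = this.getCertificateValidationControllingValue()
 }
 
 override string getFramework() { result = "OpenURI" }
 }
 
 /** A configuration to track values that can disable certificate validation for OpenURI. */
-private class OpenUriDisablesCertificateValidationConfiguration extends DataFlowImplForHttpClientLibraries::Configuration
-{
-OpenUriDisablesCertificateValidationConfiguration() {
-this = "OpenUriDisablesCertificateValidationConfiguration"
-}
-
-override predicate isSource(DataFlow::Node source) {
+private module OpenUriDisablesCertificateValidationConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) {
 source = API::getTopLevelMember("OpenSSL").getMember("SSL").getMember("VERIFY_NONE").asSource()
 }
 
-override predicate isSink(DataFlow::Node sink) {
+predicate isSink(DataFlow::Node sink) {
 sink = any(OpenUriRequest req).getCertificateValidationControllingValue()
 or
 sink = any(OpenUriKernelOpenRequest req).getCertificateValidationControllingValue()
 }
 }
+
+private module OpenUriDisablesCertificateValidationFlow =
+DataFlow::Global<OpenUriDisablesCertificateValidationConfig>;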
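Review bot: The migrated `OpenUriDisablesCertificateValidationConfig::isSource` still starts flow only at the `OpenSSL::SSL::VERIFY_NONE` constant, so a verify mode that reaches the sink as a plain integer of the same value would presumably not be reported by either `disablesCertificateValidation` override. This is inferred, because `getCertificateValidationControllingValue()` is defined outside the visible hunks and may handle that case separately. Since the config is being rewritten as a module anyway, its QLDoc could state the limit, for example `/** Tracks only the OpenSSL::SSL::VERIFY_NONE constant as a source; an integer literal with the same value is not tracked. */`. The new private alias `OpenUriDisablesCertificateValidationFlow` has no comment at all; a one-line `/** Global data flow from VERIFY_NONE to an OpenURI certificate-validation option. */` would keep it consistent with the documented config above it.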
