Identify more vulnerable ActiveRecord methods

`find_by!`, `find_or_create_by`, `find_or_create_by!` and
`find_or_initialize_by` act similarly to `find_by`.

Author: hmac

ql/lib/codeql/ruby/frameworks/ActiveRecord.qll

@@ -68,7 +68,8 @@ private Expr sqlFragmentArgument(MethodCall call) {
     (
       methodName =
         [
-          "delete_by", "destroy_by", "exists?", "find_by", "find_by_sql", "from", "group", "having",
+          "delete_by", "destroy_by", "exists?", "find_by", "find_by!", "find_or_create_by",
+          "find_or_create_by!", "find_or_initialize_by", "find_by_sql", "from", "group", "having",
           "joins", "lock", "not", "order", "pluck", "where"
         ] and
       result = call.getArgument(0)

ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb

@@ -58,6 +58,10 @@ def some_request_handler
     User.where.not("user.id = '#{params[:id]}'")
 
     User.authenticate(params[:name], params[:pass])
+
+    # BAD: executes `SELECT "users".* FROM "users" WHERE (id = '#{params[:id]}')` LIMIT 1
+    # where `params[:id]` is unsanitized
+    User.find_or_initialize_by("id = '#{params[:id]}'")
   end
 end
 

ql/test/query-tests/security/cwe-089/SqlInjection.expected

@@ -12,9 +12,10 @@ edges
 | ActiveRecordInjection.rb:60:23:60:35 | ...[...] :  | ActiveRecordInjection.rb:8:25:8:28 | name :  |
 | ActiveRecordInjection.rb:60:38:60:43 | call to params :  | ActiveRecordInjection.rb:60:38:60:50 | ...[...] :  |
 | ActiveRecordInjection.rb:60:38:60:50 | ...[...] :  | ActiveRecordInjection.rb:8:31:8:34 | pass :  |
-| ActiveRecordInjection.rb:66:10:66:15 | call to params :  | ActiveRecordInjection.rb:72:20:72:32 | ... + ... |
-| ActiveRecordInjection.rb:105:21:105:26 | call to params :  | ActiveRecordInjection.rb:105:21:105:44 | ...[...] :  |
-| ActiveRecordInjection.rb:105:21:105:44 | ...[...] :  | ActiveRecordInjection.rb:20:22:20:30 | condition :  |
+| ActiveRecordInjection.rb:64:41:64:46 | call to params :  | ActiveRecordInjection.rb:64:32:64:54 | "id = '#{...}'" |
+| ActiveRecordInjection.rb:70:10:70:15 | call to params :  | ActiveRecordInjection.rb:76:20:76:32 | ... + ... |
+| ActiveRecordInjection.rb:109:21:109:26 | call to params :  | ActiveRecordInjection.rb:109:21:109:44 | ...[...] :  |
+| ActiveRecordInjection.rb:109:21:109:44 | ...[...] :  | ActiveRecordInjection.rb:20:22:20:30 | condition :  |
 nodes
 | ActiveRecordInjection.rb:8:25:8:28 | name :  | semmle.label | name :  |
 | ActiveRecordInjection.rb:8:31:8:34 | pass :  | semmle.label | pass :  |
@@ -37,19 +38,22 @@ nodes
 | ActiveRecordInjection.rb:60:23:60:35 | ...[...] :  | semmle.label | ...[...] :  |
 | ActiveRecordInjection.rb:60:38:60:43 | call to params :  | semmle.label | call to params :  |
 | ActiveRecordInjection.rb:60:38:60:50 | ...[...] :  | semmle.label | ...[...] :  |
-| ActiveRecordInjection.rb:66:10:66:15 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:72:20:72:32 | ... + ... | semmle.label | ... + ... |
-| ActiveRecordInjection.rb:105:21:105:26 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:105:21:105:44 | ...[...] :  | semmle.label | ...[...] :  |
+| ActiveRecordInjection.rb:64:32:64:54 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
+| ActiveRecordInjection.rb:64:41:64:46 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:70:10:70:15 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:76:20:76:32 | ... + ... | semmle.label | ... + ... |
+| ActiveRecordInjection.rb:109:21:109:26 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:109:21:109:44 | ...[...] :  | semmle.label | ...[...] :  |
 subpaths
 #select
 | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:60:23:60:28 | call to params :  | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:60:23:60:28 | call to params | a user-provided value |
 | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:60:38:60:43 | call to params :  | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:60:38:60:43 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:105:21:105:26 | call to params :  | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on $@. | ActiveRecordInjection.rb:105:21:105:26 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:109:21:109:26 | call to params :  | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on $@. | ActiveRecordInjection.rb:109:21:109:26 | call to params | a user-provided value |
 | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | ActiveRecordInjection.rb:35:30:35:35 | call to params :  | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:35:30:35:35 | call to params | a user-provided value |
 | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | ActiveRecordInjection.rb:39:18:39:23 | call to params :  | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:39:18:39:23 | call to params | a user-provided value |
 | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | ActiveRecordInjection.rb:43:29:43:34 | call to params :  | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:43:29:43:34 | call to params | a user-provided value |
 | ActiveRecordInjection.rb:47:22:47:44 | "id = '#{...}'" | ActiveRecordInjection.rb:47:31:47:36 | call to params :  | ActiveRecordInjection.rb:47:22:47:44 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:47:31:47:36 | call to params | a user-provided value |
 | ActiveRecordInjection.rb:51:16:51:21 | <<-SQL | ActiveRecordInjection.rb:52:21:52:26 | call to params :  | ActiveRecordInjection.rb:51:16:51:21 | <<-SQL | This SQL query depends on $@. | ActiveRecordInjection.rb:52:21:52:26 | call to params | a user-provided value |
 | ActiveRecordInjection.rb:58:20:58:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:58:34:58:39 | call to params :  | ActiveRecordInjection.rb:58:20:58:47 | "user.id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:58:34:58:39 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:72:20:72:32 | ... + ... | ActiveRecordInjection.rb:66:10:66:15 | call to params :  | ActiveRecordInjection.rb:72:20:72:32 | ... + ... | This SQL query depends on $@. | ActiveRecordInjection.rb:66:10:66:15 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:64:32:64:54 | "id = '#{...}'" | ActiveRecordInjection.rb:64:41:64:46 | call to params :  | ActiveRecordInjection.rb:64:32:64:54 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:64:41:64:46 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:76:20:76:32 | ... + ... | ActiveRecordInjection.rb:70:10:70:15 | call to params :  | ActiveRecordInjection.rb:76:20:76:32 | ... + ... | This SQL query depends on $@. | ActiveRecordInjection.rb:70:10:70:15 | call to params | a user-provided value |