Update Kernel.qll to include send aliases

Alvaro Muñoz · web-flow · commit 2964aef083c4 · 2023-12-28T19:08:03.000+01:00
Add `public_send` and `__send__` as Code Injection sinks as proposed by @vcsjones
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
@@ -43,7 +43,7 @@ module Kernel {
    * ```
    */
   private predicate isPublicKernelMethod(string method) {
-    method in ["class", "clone", "frozen?", "tap", "then", "yield_self", "send"]
+    method in ["class", "clone", "frozen?", "tap", "then", "yield_self", "send", "public_send", "__send__"]
   }
 
   /**
@@ -167,7 +167,7 @@ module Kernel {
    * ```
    */
   class SendCallCodeExecution extends CodeExecution::Range, KernelMethodCall {
-    SendCallCodeExecution() { this.getMethodName() = "send" }
+    SendCallCodeExecution() { this.getMethodName() = ["send", "public_send", "__send__"] }
 
     override DataFlow::Node getCode() { result = this.getArgument(0) }
 
