add support for string-like-literals

erik-krogh · erik-krogh · commit 378cc1aed2e1 · 2022-11-25T10:32:06.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll
@@ -84,7 +84,7 @@ module UnsafeCodeConstruction {
     Concepts::CodeExecution s;
 
     StringFormatAsSink() {
-      exists(Ast::StringLiteral lit |
+      exists(Ast::StringlikeLiteral lit |
         any(DataFlow::Node n | n.asExpr().getExpr() = lit) = getANodeExecutedAsCode(s) and
         this.asExpr().getExpr() = lit.getComponent(_)
       )
diff --git a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected
@@ -6,6 +6,7 @@ edges
 | impl/unsafeCode.rb:32:21:32:21 | x :  | impl/unsafeCode.rb:34:10:34:12 | arr |
 | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:40:10:40:12 | arr |
 | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:44:10:44:12 | arr |
+| impl/unsafeCode.rb:47:15:47:15 | x :  | impl/unsafeCode.rb:49:9:49:12 | #{...} |
 nodes
 | impl/unsafeCode.rb:2:12:2:17 | target :  | semmle.label | target :  |
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | semmle.label | #{...} |
@@ -20,6 +21,8 @@ nodes
 | impl/unsafeCode.rb:37:15:37:15 | x :  | semmle.label | x :  |
 | impl/unsafeCode.rb:40:10:40:12 | arr | semmle.label | arr |
 | impl/unsafeCode.rb:44:10:44:12 | arr | semmle.label | arr |
+| impl/unsafeCode.rb:47:15:47:15 | x :  | semmle.label | x :  |
+| impl/unsafeCode.rb:49:9:49:12 | #{...} | semmle.label | #{...} |
 subpaths
 #select
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | impl/unsafeCode.rb:2:12:2:17 | target :  | impl/unsafeCode.rb:3:17:3:25 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:2:12:2:17 | target | library input | impl/unsafeCode.rb:3:5:3:27 | call to eval | interpreted as code |
@@ -29,3 +32,4 @@ subpaths
 | impl/unsafeCode.rb:34:10:34:12 | arr | impl/unsafeCode.rb:32:21:32:21 | x :  | impl/unsafeCode.rb:34:10:34:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:32:21:32:21 | x | library input | impl/unsafeCode.rb:34:5:34:24 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:40:10:40:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:40:10:40:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:40:5:40:24 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:44:10:44:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:44:10:44:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:44:5:44:24 | call to eval | interpreted as code |
+| impl/unsafeCode.rb:49:9:49:12 | #{...} | impl/unsafeCode.rb:47:15:47:15 | x :  | impl/unsafeCode.rb:49:9:49:12 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:47:15:47:15 | x | library input | impl/unsafeCode.rb:51:5:51:13 | call to eval | interpreted as code |
diff --git a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb
@@ -43,4 +43,11 @@ def pushArr(x, y)
     arr2 << y
     eval(arr.join("\n")) # NOT OK
   end
+
+  def hereDoc(x)
+    foo = <<~HERE
+        #{x}
+    HERE
+    eval(foo) # NOT OK
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ module UnsafeCodeConstruction {`
`84`	`84`	`Concepts::CodeExecution s;`
`85`	`85`
`86`	`86`	`StringFormatAsSink() {`
`87`		`- exists(Ast::StringLiteral lit \|`
	`87`	`+ exists(Ast::StringlikeLiteral lit \|`
`88`	`88`	`any(DataFlow::Node n \| n.asExpr().getExpr() = lit) = getANodeExecutedAsCode(s) and`
`89`	`89`	`this.asExpr().getExpr() = lit.getComponent(_)`
`90`	`90`	`)`