Identify more ActiveRecord calculate methods

hmac · hmac · commit 3a1b294c21da · 2021-09-29T10:11:38.000+01:00
`average`, `count`, `maximum`, `minimum` and `sum` are all convenience
methods that call `calculate(:&lt;method name&gt;, ...)` under the hood.
Therefore they are vulnerable to SQL injection too.
diff --git a/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll b/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
@@ -75,6 +75,9 @@ private Expr sqlFragmentArgument(MethodCall call) {
       or
       methodName = "calculate" and result = call.getArgument(1)
       or
+      methodName in ["average", "count", "maximum", "minimum", "sum"] and
+      result = call.getArgument(0)
+      or
       // This format was supported until Rails 2.3.8
       methodName = ["all", "find", "first", "last"] and
       result = call.getKeywordArgument("conditions")
diff --git a/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb b/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb
@@ -34,6 +34,10 @@ def some_request_handler
     # where `params[:column]` is unsanitized
     User.calculate(:average, params[:column])
 
+    # BAD: executes `SELECT MAX(#{params[:column]}) FROM "users"`
+    # where `params[:column]` is unsanitized
+    User.maximum(params[:column])
+
     # BAD: executes `DELETE FROM "users" WHERE (id = '#{params[:id]}')`
     # where `params[:id]` is unsanitized
     User.delete_all("id = '#{params[:id]}'")
diff --git a/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/ql/test/query-tests/security/cwe-089/SqlInjection.expected
@@ -3,17 +3,18 @@ edges
 | ActiveRecordInjection.rb:8:31:8:34 | pass :  | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" |
 | ActiveRecordInjection.rb:20:23:20:31 | condition :  | ActiveRecordInjection.rb:23:17:23:25 | condition |
 | ActiveRecordInjection.rb:35:30:35:35 | call to params :  | ActiveRecordInjection.rb:35:30:35:44 | ...[...] |
-| ActiveRecordInjection.rb:39:30:39:35 | call to params :  | ActiveRecordInjection.rb:39:21:39:43 | "id = '#{...}'" |
-| ActiveRecordInjection.rb:43:32:43:37 | call to params :  | ActiveRecordInjection.rb:43:23:43:45 | "id = '#{...}'" |
-| ActiveRecordInjection.rb:48:21:48:26 | call to params :  | ActiveRecordInjection.rb:47:16:47:21 | <<-SQL |
-| ActiveRecordInjection.rb:54:34:54:39 | call to params :  | ActiveRecordInjection.rb:54:20:54:47 | "user.id = '#{...}'" |
-| ActiveRecordInjection.rb:56:23:56:28 | call to params :  | ActiveRecordInjection.rb:56:23:56:35 | ...[...] :  |
-| ActiveRecordInjection.rb:56:23:56:35 | ...[...] :  | ActiveRecordInjection.rb:8:25:8:28 | name :  |
-| ActiveRecordInjection.rb:56:38:56:43 | call to params :  | ActiveRecordInjection.rb:56:38:56:50 | ...[...] :  |
-| ActiveRecordInjection.rb:56:38:56:50 | ...[...] :  | ActiveRecordInjection.rb:8:31:8:34 | pass :  |
-| ActiveRecordInjection.rb:62:10:62:15 | call to params :  | ActiveRecordInjection.rb:68:21:68:33 | ... + ... |
-| ActiveRecordInjection.rb:101:22:101:27 | call to params :  | ActiveRecordInjection.rb:101:22:101:45 | ...[...] :  |
-| ActiveRecordInjection.rb:101:22:101:45 | ...[...] :  | ActiveRecordInjection.rb:20:23:20:31 | condition :  |
+| ActiveRecordInjection.rb:39:18:39:23 | call to params :  | ActiveRecordInjection.rb:39:18:39:32 | ...[...] |
+| ActiveRecordInjection.rb:43:30:43:35 | call to params :  | ActiveRecordInjection.rb:43:21:43:43 | "id = '#{...}'" |
+| ActiveRecordInjection.rb:47:32:47:37 | call to params :  | ActiveRecordInjection.rb:47:23:47:45 | "id = '#{...}'" |
+| ActiveRecordInjection.rb:52:21:52:26 | call to params :  | ActiveRecordInjection.rb:51:16:51:21 | <<-SQL |
+| ActiveRecordInjection.rb:58:34:58:39 | call to params :  | ActiveRecordInjection.rb:58:20:58:47 | "user.id = '#{...}'" |
+| ActiveRecordInjection.rb:60:23:60:28 | call to params :  | ActiveRecordInjection.rb:60:23:60:35 | ...[...] :  |
+| ActiveRecordInjection.rb:60:23:60:35 | ...[...] :  | ActiveRecordInjection.rb:8:25:8:28 | name :  |
+| ActiveRecordInjection.rb:60:38:60:43 | call to params :  | ActiveRecordInjection.rb:60:38:60:50 | ...[...] :  |
+| ActiveRecordInjection.rb:60:38:60:50 | ...[...] :  | ActiveRecordInjection.rb:8:31:8:34 | pass :  |
+| ActiveRecordInjection.rb:66:10:66:15 | call to params :  | ActiveRecordInjection.rb:72:21:72:33 | ... + ... |
+| ActiveRecordInjection.rb:105:22:105:27 | call to params :  | ActiveRecordInjection.rb:105:22:105:45 | ...[...] :  |
+| ActiveRecordInjection.rb:105:22:105:45 | ...[...] :  | ActiveRecordInjection.rb:20:23:20:31 | condition :  |
 nodes
 | ActiveRecordInjection.rb:8:25:8:28 | name :  | semmle.label | name :  |
 | ActiveRecordInjection.rb:8:31:8:34 | pass :  | semmle.label | pass :  |
@@ -22,30 +23,33 @@ nodes
 | ActiveRecordInjection.rb:23:17:23:25 | condition | semmle.label | condition |
 | ActiveRecordInjection.rb:35:30:35:35 | call to params :  | semmle.label | call to params :  |
 | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:39:21:39:43 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
-| ActiveRecordInjection.rb:39:30:39:35 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:43:23:43:45 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
-| ActiveRecordInjection.rb:43:32:43:37 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:47:16:47:21 | <<-SQL | semmle.label | <<-SQL |
-| ActiveRecordInjection.rb:48:21:48:26 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:54:20:54:47 | "user.id = '#{...}'" | semmle.label | "user.id = '#{...}'" |
-| ActiveRecordInjection.rb:54:34:54:39 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:56:23:56:28 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:56:23:56:35 | ...[...] :  | semmle.label | ...[...] :  |
-| ActiveRecordInjection.rb:56:38:56:43 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:56:38:56:50 | ...[...] :  | semmle.label | ...[...] :  |
-| ActiveRecordInjection.rb:62:10:62:15 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:68:21:68:33 | ... + ... | semmle.label | ... + ... |
-| ActiveRecordInjection.rb:101:22:101:27 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:101:22:101:45 | ...[...] :  | semmle.label | ...[...] :  |
+| ActiveRecordInjection.rb:39:18:39:23 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:39:18:39:32 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:43:21:43:43 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
+| ActiveRecordInjection.rb:43:30:43:35 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:47:23:47:45 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
+| ActiveRecordInjection.rb:47:32:47:37 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:51:16:51:21 | <<-SQL | semmle.label | <<-SQL |
+| ActiveRecordInjection.rb:52:21:52:26 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:58:20:58:47 | "user.id = '#{...}'" | semmle.label | "user.id = '#{...}'" |
+| ActiveRecordInjection.rb:58:34:58:39 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:60:23:60:28 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:60:23:60:35 | ...[...] :  | semmle.label | ...[...] :  |
+| ActiveRecordInjection.rb:60:38:60:43 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:60:38:60:50 | ...[...] :  | semmle.label | ...[...] :  |
+| ActiveRecordInjection.rb:66:10:66:15 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:72:21:72:33 | ... + ... | semmle.label | ... + ... |
+| ActiveRecordInjection.rb:105:22:105:27 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:105:22:105:45 | ...[...] :  | semmle.label | ...[...] :  |
 subpaths
 #select
-| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:56:23:56:28 | call to params :  | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:56:23:56:28 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:56:38:56:43 | call to params :  | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:56:38:56:43 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:23:17:23:25 | condition | ActiveRecordInjection.rb:101:22:101:27 | call to params :  | ActiveRecordInjection.rb:23:17:23:25 | condition | This SQL query depends on $@. | ActiveRecordInjection.rb:101:22:101:27 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:60:23:60:28 | call to params :  | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:60:23:60:28 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:60:38:60:43 | call to params :  | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:60:38:60:43 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:23:17:23:25 | condition | ActiveRecordInjection.rb:105:22:105:27 | call to params :  | ActiveRecordInjection.rb:23:17:23:25 | condition | This SQL query depends on $@. | ActiveRecordInjection.rb:105:22:105:27 | call to params | a user-provided value |
 | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | ActiveRecordInjection.rb:35:30:35:35 | call to params :  | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:35:30:35:35 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:39:21:39:43 | "id = '#{...}'" | ActiveRecordInjection.rb:39:30:39:35 | call to params :  | ActiveRecordInjection.rb:39:21:39:43 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:39:30:39:35 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:43:23:43:45 | "id = '#{...}'" | ActiveRecordInjection.rb:43:32:43:37 | call to params :  | ActiveRecordInjection.rb:43:23:43:45 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:43:32:43:37 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:47:16:47:21 | <<-SQL | ActiveRecordInjection.rb:48:21:48:26 | call to params :  | ActiveRecordInjection.rb:47:16:47:21 | <<-SQL | This SQL query depends on $@. | ActiveRecordInjection.rb:48:21:48:26 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:54:20:54:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:54:34:54:39 | call to params :  | ActiveRecordInjection.rb:54:20:54:47 | "user.id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:54:34:54:39 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:68:21:68:33 | ... + ... | ActiveRecordInjection.rb:62:10:62:15 | call to params :  | ActiveRecordInjection.rb:68:21:68:33 | ... + ... | This SQL query depends on $@. | ActiveRecordInjection.rb:62:10:62:15 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:39:18:39:32 | ...[...] | ActiveRecordInjection.rb:39:18:39:23 | call to params :  | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:39:18:39:23 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:43:21:43:43 | "id = '#{...}'" | ActiveRecordInjection.rb:43:30:43:35 | call to params :  | ActiveRecordInjection.rb:43:21:43:43 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:43:30:43:35 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:47:23:47:45 | "id = '#{...}'" | ActiveRecordInjection.rb:47:32:47:37 | call to params :  | ActiveRecordInjection.rb:47:23:47:45 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:47:32:47:37 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:51:16:51:21 | <<-SQL | ActiveRecordInjection.rb:52:21:52:26 | call to params :  | ActiveRecordInjection.rb:51:16:51:21 | <<-SQL | This SQL query depends on $@. | ActiveRecordInjection.rb:52:21:52:26 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:58:20:58:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:58:34:58:39 | call to params :  | ActiveRecordInjection.rb:58:20:58:47 | "user.id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:58:34:58:39 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:72:21:72:33 | ... + ... | ActiveRecordInjection.rb:66:10:66:15 | call to params :  | ActiveRecordInjection.rb:72:21:72:33 | ... + ... | This SQL query depends on $@. | ActiveRecordInjection.rb:66:10:66:15 | call to params | a user-provided value |
