Ruby: avoid toString in query warning

alexrford · alexrford · commit 4a01de13efd9 · 2023-09-07T14:54:50.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll
@@ -31,7 +31,12 @@ module CodeInjection {
 
     /** Flow states used to distinguish whether an attacker controls the entire string. */
     class State extends TState {
-      string toString() {
+      string toString() { result = this.getStringRepresentation() }
+
+      /**
+       * Gets a canonical string representation of this state.
+       */
+      string getStringRepresentation() {
         this = TSubString() and result = "substring"
         or
         this = TFull() and result = "full"
diff --git a/ruby/ql/src/queries/security/cwe-094/CodeInjection.ql b/ruby/ql/src/queries/security/cwe-094/CodeInjection.ql
@@ -29,7 +29,7 @@ where
         otherSink) and
       otherSink.getNode() = sink.getNode()
     |
-      otherSink order by otherSink.getState().toString()
+      otherSink order by otherSink.getState().getStringRepresentation()
     )
 select sink.getNode(), source, sink, "This code execution depends on a $@.", sourceNode,
   "user-provided value"

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ where`
`29`	`29`	`otherSink) and`
`30`	`30`	`otherSink.getNode() = sink.getNode()`
`31`	`31`	`\|`
`32`		`- otherSink order by otherSink.getState().toString()`
	`32`	`+ otherSink order by otherSink.getState().getStringRepresentation()`
`33`	`33`	`)`
`34`	`34`	`select sink.getNode(), source, sink, "This code execution depends on a $@.", sourceNode,`
`35`	`35`	`"user-provided value"`