Ruby: Reduce FPs for rb/incomplete-hostname-regexp

hmac · hmac · commit 51bc8e917e57 · 2024-04-29T11:19:34.000+01:00
Arguments in calls to `match[?]` should only be considered regular
expression interpretations if the `match` refers to the standard library
method, not a method in source code.
diff --git a/ruby/ql/lib/codeql/ruby/Regexp.qll b/ruby/ql/lib/codeql/ruby/Regexp.qll
@@ -122,7 +122,9 @@ class StdLibRegExpInterpretation extends RegExpInterpretation::Range {
       mce.getMethodName() = ["match", "match?"] and
       this = mce.getArgument(0) and
       // exclude https://ruby-doc.org/core-2.4.0/Regexp.html#method-i-match
-      not mce.getReceiver() = RegExpTracking::trackRegexpType()
+      not mce.getReceiver() = RegExpTracking::trackRegexpType() and
+      // exclude non-stdlib methods
+      not exists(mce.getATarget())
     )
   }
 }
diff --git a/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected b/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected
@@ -28,3 +28,4 @@
 | tst-IncompleteHostnameRegExp.rb:48:42:48:67 | ^https?://.+.example\\.com/ | This string, which is used as a regular expression $@, has an unescaped '.' before 'example\\.com/', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:48:13:48:69 | ... + ... | here |
 | tst-IncompleteHostnameRegExp.rb:48:42:48:67 | ^https?://.+.example\\.com/ | This string, which is used as a regular expression $@, has an unrestricted wildcard '.+' which may cause 'example\\.com/' to be matched anywhere in the URL, outside the hostname. | tst-IncompleteHostnameRegExp.rb:48:13:48:69 | ... + ... | here |
 | tst-IncompleteHostnameRegExp.rb:59:5:59:20 | foo.example\\.com | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:59:2:59:32 | /^(foo.example\\.com\|whatever)$/ | here |
+| tst-IncompleteHostnameRegExp.rb:81:11:81:34 | ^http://test.example.com | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:77:22:77:22 | x | here |
diff --git a/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.rb b/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.rb
@@ -65,3 +65,17 @@ def convert1(domain)
 def convert2(domain)
 	return Regexp.new(domain[:hostname]);
 end
+
+class A
+	def self.match?(x) = true
+end
+
+A.match?("^http://test.example.com") # OK
+
+class B
+	def self.match?(x)
+		some_string.match?(x)
+	end
+end
+
+B.match?("^http://test.example.com") # NOT OK

Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,9 @@ class StdLibRegExpInterpretation extends RegExpInterpretation::Range {`
`122`	`122`	`mce.getMethodName() = ["match", "match?"] and`
`123`	`123`	`this = mce.getArgument(0) and`
`124`	`124`	`// exclude https://ruby-doc.org/core-2.4.0/Regexp.html#method-i-match`
`125`		`- not mce.getReceiver() = RegExpTracking::trackRegexpType()`
	`125`	`+ not mce.getReceiver() = RegExpTracking::trackRegexpType() and`
	`126`	`+ // exclude non-stdlib methods`
	`127`	`+ not exists(mce.getATarget())`
`126`	`128`	`)`
`127`	`129`	`}`
`128`	`130`	`}`