add tests for the fixes in the qhelp, and fix an FP that appeared

erik-krogh · erik-krogh · commit 642a134035b2 · 2024-04-08T12:00:27.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/ast/internal/Constant.qll b/ruby/ql/lib/codeql/ruby/ast/internal/Constant.qll
@@ -560,6 +560,11 @@ private predicate isArrayExpr(Expr e, ArrayLiteralCfgNode arr) {
   // Note(hmac): I don't think this is necessary, as `getSource` will not return
   // results if the source is a phi node.
   forex(ExprCfgNode n | n = e.getAControlFlowNode() | isArrayConstant(n, arr))
+  or
+  // if `e` is an array, then `e.freeze` is also an array
+  e instanceof MethodCall and
+  e.(MethodCall).getMethodName() = "freeze" and
+  isArrayExpr(e.(MethodCall).getReceiver(), arr)
 }
 
 private class TokenConstantAccess extends ConstantAccess, TTokenConstantAccess {
diff --git a/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
@@ -83,6 +83,12 @@ module UrlRedirect {
    */
   class StringConstCompareAsSanitizer extends Sanitizer, StringConstCompareBarrier { }
 
+  /**
+   * A string concatenation against a constant list, considered as a sanitizer-guard.
+   */
+  class StringConstArrayInclusionAsSanitizer extends Sanitizer, StringConstArrayInclusionCallBarrier
+  { }
+
   /**
    * Some methods will propagate taint to their return values.
    * Here we cover a few common ones related to `ActionController::Parameters`.
diff --git a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.rb b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.rb
@@ -98,3 +98,40 @@ def filter_params(input_params)
 Rails.routes.draw do
   get "/r9", to: "users#route9"
 end
+
+class DomainController < ActionController::Base
+  KNOWN_HOST = "example.org"
+  
+  def hello
+    begin
+      target_url = URI.parse(params[:url])
+ 
+      # Redirect if the URL is either relative or on a known good host
+      if !target_url.host || target_url.host == KNOWN_HOST
+        redirect_to target_url.to_s
+      else
+        redirect_to "/error.html" # Redirect to error page if the host is not known
+      end
+    rescue URI::InvalidURIError
+      # Handle the exception, for example, by redirecting to a safe page
+      redirect_to "/error.html"
+    end
+  end
+end
+
+class ConstController < ActionController::Base
+  VALID_REDIRECTS = [
+    "http://cwe.mitre.org/data/definitions/601.html",
+    "http://cwe.mitre.org/data/definitions/79.html"
+  ].freeze
+  
+  def hello
+    # GOOD: the request parameter is validated against a known list of URLs
+    target_url = params[:url]
+    if VALID_REDIRECTS.include?(target_url)
+      redirect_to target_url
+    else
+      redirect_to "/error.html"
+    end
+  end
+end
