
Commit 75bbc51

committed
Make room for new test cases
This just shifts the existing test cases down a few lines so that the follow-up diff to the .expected file is easier to read.
1 parent f5f79a8 commit 75bbc51

2 files changed

+61
-51
lines changed

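--- a/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb
+++ b/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb
@@ -42,10 +42,20 @@ def some_request_handler
 # where `params[:id]` is unsanitized
 User.delete_by("id = '#{params[:id]}'")
 
+
+
+
+
+
 # BAD: executes `SELECT "users".* FROM "users" WHERE (id = '#{params[:id]}')`
 # where `params[:id]` is unsanitized
 User.destroy_by(["id = '#{params[:id]}'"])
 
+
+
+
+
+
 # BAD: executes `SELECT "users".* FROM "users" WHERE id BETWEEN '#{params[:min_id]}' AND 100000`
 # where `params[:min_id]` is unsanitized
 User.where(<<-SQL, MAX_USER_ID)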

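--- a/ql/test/query-tests/security/cwe-089/SqlInjection.expected
+++ b/ql/test/query-tests/security/cwe-089/SqlInjection.expected
@@ -5,21 +5,21 @@ edges
 | ActiveRecordInjection.rb:35:30:35:35 | call to params : | ActiveRecordInjection.rb:35:30:35:44 | ...[...] |
 | ActiveRecordInjection.rb:39:18:39:23 | call to params : | ActiveRecordInjection.rb:39:18:39:32 | ...[...] |
 | ActiveRecordInjection.rb:43:29:43:34 | call to params : | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" |
-| ActiveRecordInjection.rb:47:31:47:36 | call to params : | ActiveRecordInjection.rb:47:22:47:44 | "id = '#{...}'" |
-| ActiveRecordInjection.rb:52:21:52:26 | call to params : | ActiveRecordInjection.rb:51:16:51:21 | <<-SQL |
-| ActiveRecordInjection.rb:58:34:58:39 | call to params : | ActiveRecordInjection.rb:58:20:58:47 | "user.id = '#{...}'" |
-| ActiveRecordInjection.rb:60:23:60:28 | call to params : | ActiveRecordInjection.rb:60:23:60:35 | ...[...] : |
-| ActiveRecordInjection.rb:60:23:60:35 | ...[...] : | ActiveRecordInjection.rb:8:25:8:28 | name : |
-| ActiveRecordInjection.rb:60:38:60:43 | call to params : | ActiveRecordInjection.rb:60:38:60:50 | ...[...] : |
-| ActiveRecordInjection.rb:60:38:60:50 | ...[...] : | ActiveRecordInjection.rb:8:31:8:34 | pass : |
-| ActiveRecordInjection.rb:64:41:64:46 | call to params : | ActiveRecordInjection.rb:64:32:64:54 | "id = '#{...}'" |
-| ActiveRecordInjection.rb:73:17:73:22 | call to params : | ActiveRecordInjection.rb:73:17:73:31 | ...[...] |
-| ActiveRecordInjection.rb:74:19:74:24 | call to params : | ActiveRecordInjection.rb:74:19:74:33 | ...[...] |
-| ActiveRecordInjection.rb:78:18:78:23 | call to params : | ActiveRecordInjection.rb:78:18:78:35 | ...[...] |
-| ActiveRecordInjection.rb:82:21:82:26 | call to params : | ActiveRecordInjection.rb:82:21:82:35 | ...[...] |
-| ActiveRecordInjection.rb:88:10:88:15 | call to params : | ActiveRecordInjection.rb:94:20:94:32 | ... + ... |
-| ActiveRecordInjection.rb:127:21:127:26 | call to params : | ActiveRecordInjection.rb:127:21:127:44 | ...[...] : |
-| ActiveRecordInjection.rb:127:21:127:44 | ...[...] : | ActiveRecordInjection.rb:20:22:20:30 | condition : |
+| ActiveRecordInjection.rb:52:31:52:36 | call to params : | ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" |
+| ActiveRecordInjection.rb:62:21:62:26 | call to params : | ActiveRecordInjection.rb:61:16:61:21 | <<-SQL |
+| ActiveRecordInjection.rb:68:34:68:39 | call to params : | ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" |
+| ActiveRecordInjection.rb:70:23:70:28 | call to params : | ActiveRecordInjection.rb:70:23:70:35 | ...[...] : |
+| ActiveRecordInjection.rb:70:23:70:35 | ...[...] : | ActiveRecordInjection.rb:8:25:8:28 | name : |
+| ActiveRecordInjection.rb:70:38:70:43 | call to params : | ActiveRecordInjection.rb:70:38:70:50 | ...[...] : |
+| ActiveRecordInjection.rb:70:38:70:50 | ...[...] : | ActiveRecordInjection.rb:8:31:8:34 | pass : |
+| ActiveRecordInjection.rb:74:41:74:46 | call to params : | ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" |
+| ActiveRecordInjection.rb:83:17:83:22 | call to params : | ActiveRecordInjection.rb:83:17:83:31 | ...[...] |
+| ActiveRecordInjection.rb:84:19:84:24 | call to params : | ActiveRecordInjection.rb:84:19:84:33 | ...[...] |
+| ActiveRecordInjection.rb:88:18:88:23 | call to params : | ActiveRecordInjection.rb:88:18:88:35 | ...[...] |
+| ActiveRecordInjection.rb:92:21:92:26 | call to params : | ActiveRecordInjection.rb:92:21:92:35 | ...[...] |
+| ActiveRecordInjection.rb:98:10:98:15 | call to params : | ActiveRecordInjection.rb:104:20:104:32 | ... + ... |
+| ActiveRecordInjection.rb:137:21:137:26 | call to params : | ActiveRecordInjection.rb:137:21:137:44 | ...[...] : |
+| ActiveRecordInjection.rb:137:21:137:44 | ...[...] : | ActiveRecordInjection.rb:20:22:20:30 | condition : |
 nodes
 | ActiveRecordInjection.rb:8:25:8:28 | name : | semmle.label | name : |
 | ActiveRecordInjection.rb:8:31:8:34 | pass : | semmle.label | pass : |
@@ -32,44 +32,44 @@ nodes
 | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | semmle.label | ...[...] |
 | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
 | ActiveRecordInjection.rb:43:29:43:34 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:47:22:47:44 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
-| ActiveRecordInjection.rb:47:31:47:36 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:51:16:51:21 | <<-SQL | semmle.label | <<-SQL |
-| ActiveRecordInjection.rb:52:21:52:26 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:58:20:58:47 | "user.id = '#{...}'" | semmle.label | "user.id = '#{...}'" |
-| ActiveRecordInjection.rb:58:34:58:39 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:60:23:60:28 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:60:23:60:35 | ...[...] : | semmle.label | ...[...] : |
-| ActiveRecordInjection.rb:60:38:60:43 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:60:38:60:50 | ...[...] : | semmle.label | ...[...] : |
-| ActiveRecordInjection.rb:64:32:64:54 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
-| ActiveRecordInjection.rb:64:41:64:46 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:73:17:73:22 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:73:17:73:31 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:74:19:74:24 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:74:19:74:33 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:78:18:78:23 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:78:18:78:35 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:82:21:82:26 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:82:21:82:35 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:88:10:88:15 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:94:20:94:32 | ... + ... | semmle.label | ... + ... |
-| ActiveRecordInjection.rb:127:21:127:26 | call to params : | semmle.label | call to params : |
-| ActiveRecordInjection.rb:127:21:127:44 | ...[...] : | semmle.label | ...[...] : |
+| ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
+| ActiveRecordInjection.rb:52:31:52:36 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:61:16:61:21 | <<-SQL | semmle.label | <<-SQL |
+| ActiveRecordInjection.rb:62:21:62:26 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" | semmle.label | "user.id = '#{...}'" |
+| ActiveRecordInjection.rb:68:34:68:39 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:70:23:70:28 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:70:23:70:35 | ...[...] : | semmle.label | ...[...] : |
+| ActiveRecordInjection.rb:70:38:70:43 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:70:38:70:50 | ...[...] : | semmle.label | ...[...] : |
+| ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
+| ActiveRecordInjection.rb:74:41:74:46 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:83:17:83:22 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:83:17:83:31 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:84:19:84:24 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:84:19:84:33 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:88:18:88:23 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:88:18:88:35 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:92:21:92:26 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:92:21:92:35 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:98:10:98:15 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:104:20:104:32 | ... + ... | semmle.label | ... + ... |
+| ActiveRecordInjection.rb:137:21:137:26 | call to params : | semmle.label | call to params : |
+| ActiveRecordInjection.rb:137:21:137:44 | ...[...] : | semmle.label | ...[...] : |
 subpaths
 #select
-| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:60:23:60:28 | call to params : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:60:23:60:28 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:60:38:60:43 | call to params : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:60:38:60:43 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:127:21:127:26 | call to params : | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on $@. | ActiveRecordInjection.rb:127:21:127:26 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:23:70:28 | call to params : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:70:23:70:28 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:38:70:43 | call to params : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:70:38:70:43 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:137:21:137:26 | call to params : | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on $@. | ActiveRecordInjection.rb:137:21:137:26 | call to params | a user-provided value |
 | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | ActiveRecordInjection.rb:35:30:35:35 | call to params : | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:35:30:35:35 | call to params | a user-provided value |
 | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | ActiveRecordInjection.rb:39:18:39:23 | call to params : | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:39:18:39:23 | call to params | a user-provided value |
 | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | ActiveRecordInjection.rb:43:29:43:34 | call to params : | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:43:29:43:34 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:47:22:47:44 | "id = '#{...}'" | ActiveRecordInjection.rb:47:31:47:36 | call to params : | ActiveRecordInjection.rb:47:22:47:44 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:47:31:47:36 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:51:16:51:21 | <<-SQL | ActiveRecordInjection.rb:52:21:52:26 | call to params : | ActiveRecordInjection.rb:51:16:51:21 | <<-SQL | This SQL query depends on $@. | ActiveRecordInjection.rb:52:21:52:26 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:58:20:58:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:58:34:58:39 | call to params : | ActiveRecordInjection.rb:58:20:58:47 | "user.id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:58:34:58:39 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:64:32:64:54 | "id = '#{...}'" | ActiveRecordInjection.rb:64:41:64:46 | call to params : | ActiveRecordInjection.rb:64:32:64:54 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:64:41:64:46 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:73:17:73:31 | ...[...] | ActiveRecordInjection.rb:73:17:73:22 | call to params : | ActiveRecordInjection.rb:73:17:73:31 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:73:17:73:22 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:74:19:74:33 | ...[...] | ActiveRecordInjection.rb:74:19:74:24 | call to params : | ActiveRecordInjection.rb:74:19:74:33 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:74:19:74:24 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:78:18:78:35 | ...[...] | ActiveRecordInjection.rb:78:18:78:23 | call to params : | ActiveRecordInjection.rb:78:18:78:35 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:78:18:78:23 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:82:21:82:35 | ...[...] | ActiveRecordInjection.rb:82:21:82:26 | call to params : | ActiveRecordInjection.rb:82:21:82:35 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:82:21:82:26 | call to params | a user-provided value |
-| ActiveRecordInjection.rb:94:20:94:32 | ... + ... | ActiveRecordInjection.rb:88:10:88:15 | call to params : | ActiveRecordInjection.rb:94:20:94:32 | ... + ... | This SQL query depends on $@. | ActiveRecordInjection.rb:88:10:88:15 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | ActiveRecordInjection.rb:52:31:52:36 | call to params : | ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:52:31:52:36 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:61:16:61:21 | <<-SQL | ActiveRecordInjection.rb:62:21:62:26 | call to params : | ActiveRecordInjection.rb:61:16:61:21 | <<-SQL | This SQL query depends on $@. | ActiveRecordInjection.rb:62:21:62:26 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:68:34:68:39 | call to params : | ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:68:34:68:39 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" | ActiveRecordInjection.rb:74:41:74:46 | call to params : | ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:74:41:74:46 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:83:17:83:31 | ...[...] | ActiveRecordInjection.rb:83:17:83:22 | call to params : | ActiveRecordInjection.rb:83:17:83:31 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:83:17:83:22 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:84:19:84:33 | ...[...] | ActiveRecordInjection.rb:84:19:84:24 | call to params : | ActiveRecordInjection.rb:84:19:84:33 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:84:19:84:24 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:88:18:88:35 | ...[...] | ActiveRecordInjection.rb:88:18:88:23 | call to params : | ActiveRecordInjection.rb:88:18:88:35 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:88:18:88:23 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:92:21:92:35 | ...[...] | ActiveRecordInjection.rb:92:21:92:26 | call to params : | ActiveRecordInjection.rb:92:21:92:35 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:92:21:92:26 | call to params | a user-provided value |
+| ActiveRecordInjection.rb:104:20:104:32 | ... + ... | ActiveRecordInjection.rb:98:10:98:15 | call to params : | ActiveRecordInjection.rb:104:20:104:32 | ... + ... | This SQL query depends on $@. | ActiveRecordInjection.rb:98:10:98:15 | call to params | a user-provided value |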
