Add != to StringConstCompare

hmac · hmac · commit 800e18349f40 · 2021-09-10T16:42:45.000+01:00
This means we treat != comparisons against strings as taint tracking guards:

    if foo != "A"
      foo         # still tainted
    else
      foo         # not tainted, because we know foo == "A"
    end
diff --git a/ql/lib/codeql/ruby/dataflow/BarrierGuards.qll b/ql/lib/codeql/ruby/dataflow/BarrierGuards.qll
@@ -20,19 +20,26 @@ private import codeql.ruby.CFG
 class StringConstCompare extends DataFlow::BarrierGuard,
   CfgNodes::ExprNodes::ComparisonOperationCfgNode {
   private CfgNode checkedNode;
+  // The value of the condition that results in the node being validated.
+  private boolean checkedBranch;
 
   StringConstCompare() {
     exists(CfgNodes::ExprNodes::StringLiteralCfgNode strLitNode |
-      this.getExpr() instanceof EqExpr or
-      this.getExpr() instanceof CaseEqExpr
+      this.getExpr() instanceof EqExpr and checkedBranch = true
+      or
+      this.getExpr() instanceof CaseEqExpr and checkedBranch = true
+      or
+      this.getExpr() instanceof NEExpr and checkedBranch = false
     |
       this.getLeftOperand() = strLitNode and this.getRightOperand() = checkedNode
       or
       this.getLeftOperand() = checkedNode and this.getRightOperand() = strLitNode
     )
   }
 
-  override predicate checks(CfgNode expr, boolean branch) { expr = checkedNode and branch = true }
+  override predicate checks(CfgNode expr, boolean branch) {
+    expr = checkedNode and branch = checkedBranch
+  }
 }
 
 /**
diff --git a/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.expected b/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.expected
@@ -1,2 +1,3 @@
-| barrier-guards.rb:3:4:3:15 | ... == ... | barrier-guards.rb:4:15:4:17 | foo | barrier-guards.rb:3:4:3:6 | foo | true |
-| barrier-guards.rb:9:4:9:24 | call to include? | barrier-guards.rb:10:15:10:17 | foo | barrier-guards.rb:9:21:9:23 | foo | true |
+| barrier-guards.rb:3:4:3:15 | ... == ... | barrier-guards.rb:4:13:4:15 | foo | barrier-guards.rb:3:4:3:6 | foo | true |
+| barrier-guards.rb:9:4:9:24 | call to include? | barrier-guards.rb:10:13:10:15 | foo | barrier-guards.rb:9:21:9:23 | foo | true |
+| barrier-guards.rb:15:4:15:15 | ... != ... | barrier-guards.rb:18:14:18:16 | foo | barrier-guards.rb:15:4:15:6 | foo | false |
diff --git a/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.rb b/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.rb
@@ -1,15 +1,21 @@
 foo = "foo"
 
 if foo == "foo"
-    do_true_1 foo
+    do_true foo
 else
-    do_false_1 foo
+    do_false foo
 end
 
 if ["foo"].include?(foo)
-    do_true_2 foo
+    do_true foo
 else
-    do_false_2 foo
+    do_false foo
+end
+
+if foo != "foo"
+    do_true foo
+else
+    do_false foo
 end
 
 do_default foo
