Ruby: Exclude calls with arguments from OrmFieldAsSource

hvitved · hvitved · commit 85782ff1d494 · 2024-03-07T17:34:01.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/XSS.qll b/ruby/ql/lib/codeql/ruby/security/XSS.qll
@@ -324,7 +324,9 @@ module StoredXss {
     OrmFieldAsSource() {
       exists(DataFlow::CallNode subSrc |
         OrmTracking::flow(subSrc, this.getReceiver()) and
-        subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName())
+        subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName()) and
+        this.getNumberOfArguments() = 0 and
+        not exists(this.getBlock())
       )
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -324,7 +324,9 @@ module StoredXss {`
`324`	`324`	`OrmFieldAsSource() {`
`325`	`325`	`exists(DataFlow::CallNode subSrc \|`
`326`	`326`	`OrmTracking::flow(subSrc, this.getReceiver()) and`
`327`		`- subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName())`
	`327`	`+ subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName()) and`
	`328`	`+ this.getNumberOfArguments() = 0 and`
	`329`	`+ not exists(this.getBlock())`
`328`	`330`	`)`
`329`	`331`	`}`
`330`	`332`	`}`