Model the RestClient HTTP client

hmac · hmac · commit 88885a222edf · 2021-09-23T16:32:15.000+01:00
diff --git a/ql/lib/codeql/ruby/frameworks/HTTPClients.qll b/ql/lib/codeql/ruby/frameworks/HTTPClients.qll
@@ -5,3 +5,4 @@
 private import codeql.ruby.frameworks.http_clients.NetHTTP
 private import codeql.ruby.frameworks.http_clients.Excon
 private import codeql.ruby.frameworks.http_clients.Faraday
+private import codeql.ruby.frameworks.http_clients.RestClient
diff --git a/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll b/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll
@@ -0,0 +1,29 @@
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+
+/**
+ * A call that makes an HTTP request using `RestClient`.
+ * ```ruby
+ * RestClient.get("http://example.com").body
+ * ```
+ */
+class RestClientHTTPRequest extends HTTP::Client::Request::Range {
+  DataFlow::Node request;
+  DataFlow::CallNode responseBody;
+
+  RestClientHTTPRequest() {
+    exists(API::Node requestNode |
+      requestNode =
+        API::getTopLevelMember("RestClient")
+            .getReturn(["get", "head", "delete", "options", "post", "put", "patch"]) and
+      request = requestNode.getAnImmediateUse() and
+      responseBody = requestNode.getAMethodCall("body") and
+      this = request.asExpr().getExpr()
+    )
+  }
+
+  override DataFlow::Node getResponseBody() { result = responseBody }
+
+  override string getFramework() { result = "RestClient" }
+}
diff --git a/ql/test/library-tests/frameworks/http_clients/RestClient.expected b/ql/test/library-tests/frameworks/http_clients/RestClient.expected
@@ -0,0 +1,7 @@
+| RestClient.rb:3:9:3:45 | call to get | RestClient.rb:4:1:4:10 | call to body |
+| RestClient.rb:6:9:6:59 | call to post | RestClient.rb:7:1:7:10 | call to body |
+| RestClient.rb:9:9:9:58 | call to put | RestClient.rb:10:1:10:10 | call to body |
+| RestClient.rb:12:9:12:60 | call to patch | RestClient.rb:13:1:13:10 | call to body |
+| RestClient.rb:15:9:15:47 | call to delete | RestClient.rb:16:1:16:10 | call to body |
+| RestClient.rb:18:9:18:45 | call to head | RestClient.rb:19:1:19:10 | call to body |
+| RestClient.rb:21:9:21:48 | call to options | RestClient.rb:22:1:22:10 | call to body |
diff --git a/ql/test/library-tests/frameworks/http_clients/RestClient.ql b/ql/test/library-tests/frameworks/http_clients/RestClient.ql
@@ -0,0 +1,6 @@
+import codeql.ruby.frameworks.http_clients.RestClient
+import codeql.ruby.DataFlow
+
+query DataFlow::Node restClientHTTPRequests(RestClientHTTPRequest e) {
+  result = e.getResponseBody()
+}
diff --git a/ql/test/library-tests/frameworks/http_clients/RestClient.rb b/ql/test/library-tests/frameworks/http_clients/RestClient.rb
@@ -0,0 +1,22 @@
+require "rest-client"
+
+resp1 = RestClient.get("http://example.com/")
+resp1.body
+
+resp2 = RestClient.post("http://example.com", some: "data")
+resp2.body
+
+resp3 = RestClient.put("http://example.com", some: "data")
+resp3.body
+
+resp4 = RestClient.patch("http://example.com", some: "data")
+resp4.body
+
+resp5 = RestClient.delete("http://example.com")
+resp5.body
+
+resp6 = RestClient.head("http://example.com")
+resp6.body
+
+resp7 = RestClient.options("http://example.com")
+resp7.body
