Add CSRFProtectionSetting concept

alexrford · alexrford · commit 8a412dc5fd89 · 2021-11-04T18:18:29.000Z
diff --git a/ruby/ql/lib/codeql/ruby/Concepts.qll b/ruby/ql/lib/codeql/ruby/Concepts.qll
@@ -584,6 +584,31 @@ module OrmInstantiation {
   }
 }
 
+/**
+ * A data-flow node that may set or unset Cross-site request forgery protection.
+ * `getVerificationSetting() = false` corresponds to disabling verification.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `CSRFProtectionSetting::Range` instead.
+ */
+class CSRFProtectionSetting extends DataFlow::Node instanceof CSRFProtectionSetting::Range {
+  boolean getVerificationSetting() { result = super.getVerificationSetting() }
+}
+
+/** Provides a class for modeling new CSRF protection setting APIs. */
+module CSRFProtectionSetting {
+  /**
+   * A data-flow node that may set or unset Cross-site request forgery protection.
+   * `getVerificationSetting() = false` corresponds to disabling verification.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `CSRFProtectionSetting` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    abstract boolean getVerificationSetting();
+  }
+}
+
 /** Provides classes for modeling path-related APIs. */
 module Path {
   /**
