Review suggestions - rename sink class and add barrier out

joefarebrother · joefarebrother · commit 976ca4831725 · 2024-04-10T10:17:19.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
@@ -806,8 +806,8 @@ private module MassAssignmentSinks {
   }
 
   /** A call to a method that sets attributes of an database record using a hash. */
-  private class MassAssignmentCall extends MassAssignment::Sink {
-    MassAssignmentCall() {
+  private class MassAssignmentSink extends MassAssignment::Sink {
+    MassAssignmentSink() {
       exists(DataFlow::CallNode call, string name | massAssignmentCall(call, name) |
         name =
           [
diff --git a/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll b/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll
@@ -43,10 +43,9 @@ private module Config implements DataFlow::StateConfigSig {
     state instanceof FlowState::Permitted
   }
 
-  predicate isBarrierIn(DataFlow::Node node, FlowState state) {
-    node instanceof MassAssignment::Source and
-    state instanceof FlowState::Unpermitted
-  }
+  predicate isBarrierIn(DataFlow::Node node, FlowState state) { isSource(node, state) }
+
+  predicate isBarrierOut(DataFlow::Node node, FlowState state) { isSink(node, state) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof MassAssignment::Sanitizer }
 

Original file line number	Diff line number	Diff line change
`@@ -806,8 +806,8 @@ private module MassAssignmentSinks {`
`806`	`806`	`}`
`807`	`807`
`808`	`808`	`/** A call to a method that sets attributes of an database record using a hash. */`
`809`		`- private class MassAssignmentCall extends MassAssignment::Sink {`
`810`		`- MassAssignmentCall() {`
	`809`	`+ private class MassAssignmentSink extends MassAssignment::Sink {`
	`810`	`+ MassAssignmentSink() {`
`811`	`811`	`exists(DataFlow::CallNode call, string name \| massAssignmentCall(call, name) \|`
`812`	`812`	`name =`
`813`	`813`	`[`