Merge pull request #15847 from hvitved/ruby/orm-field-as-source-no-args

hvitved · web-flow · commit 9ee2314ef693 · 2024-03-08T13:52:34.000+01:00
Ruby: Exclude calls with arguments from `OrmFieldAsSource`
diff --git a/ruby/ql/lib/codeql/ruby/security/XSS.qll b/ruby/ql/lib/codeql/ruby/security/XSS.qll
@@ -324,7 +324,9 @@ module StoredXss {
     OrmFieldAsSource() {
       exists(DataFlow::CallNode subSrc |
         OrmTracking::flow(subSrc, this.getReceiver()) and
-        subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName())
+        subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName()) and
+        this.getNumberOfArguments() = 0 and
+        not exists(this.getBlock())
       )
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -324,7 +324,9 @@ module StoredXss {`
`324`	`324`	`OrmFieldAsSource() {`
`325`	`325`	`exists(DataFlow::CallNode subSrc \|`
`326`	`326`	`OrmTracking::flow(subSrc, this.getReceiver()) and`
`327`		`- subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName())`
	`327`	`+ subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName()) and`
	`328`	`+ this.getNumberOfArguments() = 0 and`
	`329`	`+ not exists(this.getBlock())`
`328`	`330`	`)`
`329`	`331`	`}`
`330`	`332`	`}`