Ruby: Include send example in qhelp

hmac · hmac · commit a6571a05aba7 · 2022-12-28T11:34:55.000+13:00
diff --git a/ruby/ql/src/queries/security/cwe-094/UnsafeCodeConstruction.qhelp b/ruby/ql/src/queries/security/cwe-094/UnsafeCodeConstruction.qhelp
@@ -69,7 +69,7 @@ to define the getter method.
 <example>
 <p>
 This example dynamically registers a method on another class which
-forwards its arguments to the registering module. This approach uses
+forwards its arguments to a target class. This approach uses
 <code>module_eval</code> and string interpolation to construct class variables
 and methods.
 </p>
@@ -81,6 +81,12 @@ A safer approach is to use <code>class_variable_set</code> and
 <code>class_variable_get</code> along with <code>define_method</code>. String
 interpolation is still used to construct the class variable name, but this is
 safe because <code>class_variable_set<code> is not susceptible to code injection.
+To construct a dynamic method call we use <code>send</code>, which is ulnerable
+to code injection: if an attacker can control the first argument, they can call
+any method on the receiver. However this is less powerful than being able to run
+arbitrary Ruby code, so it is an improvement in security. We also document to
+callers that they should not pass arbitrary user data to the <code>name</code>
+parameter.
 </p>
 
 <sample src="examples/UnsafeCodeConstruction3Safe.rb" />
diff --git a/ruby/ql/src/queries/security/cwe-094/examples/UnsafeCodeConstruction3.rb b/ruby/ql/src/queries/security/cwe-094/examples/UnsafeCodeConstruction3.rb
@@ -1,11 +1,10 @@
 module Invoker
-  def attach(klass, name)
-    invoker = self
+  def attach(klass, name, target)
     klass.module_eval <<-CODE
-      @@#{name} = invoker
+      @@#{name} = target
 
       def #{name}(*args)
-        @@#{name}.call(*args)
+        @@#{name}.#{name}(*args)
       end
     CODE
   end
diff --git a/ruby/ql/src/queries/security/cwe-094/examples/UnsafeCodeConstruction3Safe.rb b/ruby/ql/src/queries/security/cwe-094/examples/UnsafeCodeConstruction3Safe.rb
@@ -1,9 +1,10 @@
 module Invoker
-  def attach(klass, name)
+  # Do not pass arbitrary user input to +name+.
+  def attach(klass, name, target)
     var = :"@@#{name}"
-    klass.class_variable_set(var, self)
+    klass.class_variable_set(var, target)
     klass.define_method(name) do |*args|
-      self.class.class_variable_get(var).call(*args)
+      self.class.class_variable_get(var).send(name, *args)
     end
   end
 end
