Merge pull request #7341 from github/nickrolfe/cookies

Author: nickrolfe

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -118,6 +118,28 @@ class ParamsSource extends RemoteFlowSource::Range {
   override string getSourceType() { result = "ActionController::Metal#params" }
 }
 
+/**
+ * A call to the `cookies` method to fetch the request parameters.
+ */
+abstract class CookiesCall extends MethodCall {
+  CookiesCall() { this.getMethodName() = "cookies" }
+}
+
+/**
+ * A `RemoteFlowSource::Range` to represent accessing the
+ * ActionController parameters available via the `cookies` method.
+ */
+class CookiesSource extends RemoteFlowSource::Range {
+  CookiesCall call;
+
+  CookiesSource() { this.asExpr().getExpr() = call }
+
+  override string getSourceType() { result = "ActionController::Metal#cookies" }
+}
+
+// A call to `cookies` from within a controller.
+private class ActionControllerCookiesCall extends ActionControllerContextCall, CookiesCall { }
+
 // A call to `params` from within a controller.
 private class ActionControllerParamsCall extends ActionControllerContextCall, ParamsCall { }
 

ruby/ql/lib/codeql/ruby/frameworks/ActionView.qll

@@ -66,6 +66,9 @@ class RawCall extends ActionViewContextCall {
 // A call to the `params` method within the context of a template.
 private class ActionViewParamsCall extends ActionViewContextCall, ParamsCall { }
 
+// A call to the `cookies` method within the context of a template.
+private class ActionViewCookiesCall extends ActionViewContextCall, CookiesCall { }
+
 /**
  * A call to a `render` method that will populate the response body with the
  * rendered content.

ruby/ql/test/library-tests/frameworks/ActionController.expected

@@ -2,15 +2,15 @@ actionControllerControllerClasses
 | ActiveRecordInjection.rb:27:1:58:3 | FooController |
 | ActiveRecordInjection.rb:60:1:90:3 | BarController |
 | ActiveRecordInjection.rb:92:1:96:3 | BazController |
-| app/controllers/foo/bars_controller.rb:1:1:20:3 | BarsController |
+| app/controllers/foo/bars_controller.rb:3:1:25:3 | BarsController |
 actionControllerActionMethods
 | ActiveRecordInjection.rb:32:3:57:5 | some_request_handler |
 | ActiveRecordInjection.rb:61:3:69:5 | some_other_request_handler |
 | ActiveRecordInjection.rb:71:3:89:5 | safe_paths |
 | ActiveRecordInjection.rb:93:3:95:5 | yet_another_handler |
-| app/controllers/foo/bars_controller.rb:3:3:5:5 | index |
-| app/controllers/foo/bars_controller.rb:7:3:13:5 | show_debug |
-| app/controllers/foo/bars_controller.rb:15:3:19:5 | show |
+| app/controllers/foo/bars_controller.rb:5:3:7:5 | index |
+| app/controllers/foo/bars_controller.rb:9:3:18:5 | show_debug |
+| app/controllers/foo/bars_controller.rb:20:3:24:5 | show |
 paramsCalls
 | ActiveRecordInjection.rb:35:30:35:35 | call to params |
 | ActiveRecordInjection.rb:39:29:39:34 | call to params |
@@ -25,10 +25,10 @@ paramsCalls
 | ActiveRecordInjection.rb:83:12:83:17 | call to params |
 | ActiveRecordInjection.rb:88:15:88:20 | call to params |
 | ActiveRecordInjection.rb:94:21:94:26 | call to params |
-| app/controllers/foo/bars_controller.rb:8:21:8:26 | call to params |
-| app/controllers/foo/bars_controller.rb:9:10:9:15 | call to params |
-| app/controllers/foo/bars_controller.rb:16:21:16:26 | call to params |
-| app/controllers/foo/bars_controller.rb:17:10:17:15 | call to params |
+| app/controllers/foo/bars_controller.rb:13:21:13:26 | call to params |
+| app/controllers/foo/bars_controller.rb:14:10:14:15 | call to params |
+| app/controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
+| app/controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
 | app/views/foo/bars/show.html.erb:5:9:5:14 | call to params |
 paramsSources
 | ActiveRecordInjection.rb:35:30:35:35 | call to params |
@@ -44,17 +44,21 @@ paramsSources
 | ActiveRecordInjection.rb:83:12:83:17 | call to params |
 | ActiveRecordInjection.rb:88:15:88:20 | call to params |
 | ActiveRecordInjection.rb:94:21:94:26 | call to params |
-| app/controllers/foo/bars_controller.rb:8:21:8:26 | call to params |
-| app/controllers/foo/bars_controller.rb:9:10:9:15 | call to params |
-| app/controllers/foo/bars_controller.rb:16:21:16:26 | call to params |
-| app/controllers/foo/bars_controller.rb:17:10:17:15 | call to params |
+| app/controllers/foo/bars_controller.rb:13:21:13:26 | call to params |
+| app/controllers/foo/bars_controller.rb:14:10:14:15 | call to params |
+| app/controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
+| app/controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
 | app/views/foo/bars/show.html.erb:5:9:5:14 | call to params |
+cookiesCalls
+| app/controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies |
+cookiesSources
+| app/controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies |
 redirectToCalls
-| app/controllers/foo/bars_controller.rb:12:5:12:30 | call to redirect_to |
+| app/controllers/foo/bars_controller.rb:17:5:17:30 | call to redirect_to |
 actionControllerHelperMethods
 getAssociatedControllerClasses
-| app/controllers/foo/bars_controller.rb:1:1:20:3 | BarsController | app/views/foo/bars/_widget.html.erb:0:0:0:0 | app/views/foo/bars/_widget.html.erb |
-| app/controllers/foo/bars_controller.rb:1:1:20:3 | BarsController | app/views/foo/bars/show.html.erb:0:0:0:0 | app/views/foo/bars/show.html.erb |
+| app/controllers/foo/bars_controller.rb:3:1:25:3 | BarsController | app/views/foo/bars/_widget.html.erb:0:0:0:0 | app/views/foo/bars/_widget.html.erb |
+| app/controllers/foo/bars_controller.rb:3:1:25:3 | BarsController | app/views/foo/bars/show.html.erb:0:0:0:0 | app/views/foo/bars/show.html.erb |
 controllerTemplateFiles
-| app/controllers/foo/bars_controller.rb:1:1:20:3 | BarsController | app/views/foo/bars/_widget.html.erb:0:0:0:0 | app/views/foo/bars/_widget.html.erb |
-| app/controllers/foo/bars_controller.rb:1:1:20:3 | BarsController | app/views/foo/bars/show.html.erb:0:0:0:0 | app/views/foo/bars/show.html.erb |
+| app/controllers/foo/bars_controller.rb:3:1:25:3 | BarsController | app/views/foo/bars/_widget.html.erb:0:0:0:0 | app/views/foo/bars/_widget.html.erb |
+| app/controllers/foo/bars_controller.rb:3:1:25:3 | BarsController | app/views/foo/bars/show.html.erb:0:0:0:0 | app/views/foo/bars/show.html.erb |

ruby/ql/test/library-tests/frameworks/ActionController.ql

@@ -10,6 +10,10 @@ query predicate paramsCalls(ParamsCall c) { any() }
 
 query predicate paramsSources(ParamsSource src) { any() }
 
+query predicate cookiesCalls(CookiesCall c) { any() }
+
+query predicate cookiesSources(CookiesSource src) { any() }
+
 query predicate redirectToCalls(RedirectToCall c) { any() }
 
 query predicate actionControllerHelperMethods(ActionControllerHelperMethod m) { any() }

ruby/ql/test/library-tests/frameworks/ActionView.expected

@@ -12,10 +12,10 @@ rawCalls
 | app/views/foo/bars/show.html.erb:5:5:5:21 | call to raw |
 | app/views/foo/bars/show.html.erb:7:5:7:19 | call to raw |
 renderCalls
-| app/controllers/foo/bars_controller.rb:4:5:4:37 | call to render |
-| app/controllers/foo/bars_controller.rb:18:5:18:76 | call to render |
+| app/controllers/foo/bars_controller.rb:6:5:6:37 | call to render |
+| app/controllers/foo/bars_controller.rb:23:5:23:76 | call to render |
 | app/views/foo/bars/show.html.erb:31:5:31:89 | call to render |
 renderToCalls
-| app/controllers/foo/bars_controller.rb:10:16:10:97 | call to render_to_string |
+| app/controllers/foo/bars_controller.rb:15:16:15:97 | call to render_to_string |
 linkToCalls
 | app/views/foo/bars/show.html.erb:33:5:33:41 | call to link_to |

ruby/ql/test/library-tests/frameworks/app/controllers/foo/bars_controller.rb

@@ -1,10 +1,15 @@
+require 'json'
+
 class BarsController < ApplicationController
 
   def index
     render template: "foo/bars/index"
   end
 
   def show_debug
+    user_info = JSON.load cookies[:user_info]
+    puts "User: #{user_info['name']}"
+
     @user_website = params[:website]
     dt = params[:text]
     rendered = render_to_string "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }