Merge pull request #10791 from asgerf/rb/rails-render-file

asgerf · web-flow · commit d28b9af8bd66 · 2022-10-12T21:18:32.000+02:00
Ruby: treat render 'file:' argument as a file system access
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll b/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll
@@ -71,6 +71,21 @@ module Rails {
 
   /** A render call that does not automatically set the HTTP response body. */
   class RenderToCall extends MethodCall instanceof RenderToCallImpl { }
+
+  /**
+   * A `render` call seen as a file system access.
+   */
+  private class RenderAsFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
+    RenderAsFileSystemAccess() {
+      exists(MethodCall call | this.asExpr().getExpr() = call |
+        call instanceof RenderCall
+        or
+        call instanceof RenderToCall
+      )
+    }
+
+    override DataFlow::Node getAPathArgument() { result = this.getKeywordArgument("file") }
+  }
 }
 
 /**
diff --git a/ruby/ql/src/change-notes/2022-10-12-rails-render-file.md b/ruby/ql/src/change-notes/2022-10-12-rails-render-file.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `rb/path-injection` query now treats the `file:` argument of the Rails `render` method as a sink.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The `rb/path-injection` query now treats the `file:` argument of the Rails `render` method as a sink.