Ruby: treat ActionController#cookies as a remote flow source

nickrolfe · nickrolfe · commit d46564caa603 · 2021-12-09T12:13:17.000Z
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -118,6 +118,28 @@ class ParamsSource extends RemoteFlowSource::Range {
   override string getSourceType() { result = "ActionController::Metal#params" }
 }
 
+/**
+ * A call to the `cookies` method to fetch the request parameters.
+ */
+abstract class CookiesCall extends MethodCall {
+  CookiesCall() { this.getMethodName() = "cookies" }
+}
+
+/**
+ * A `RemoteFlowSource::Range` to represent accessing the
+ * ActionController parameters available via the `cookies` method.
+ */
+class CookiesSource extends RemoteFlowSource::Range {
+  CookiesCall call;
+
+  CookiesSource() { this.asExpr().getExpr() = call }
+
+  override string getSourceType() { result = "ActionController::Metal#cookies" }
+}
+
+// A call to `cookies` from within a controller.
+private class ActionControllerCookiesCall extends ActionControllerContextCall, CookiesCall { }
+
 // A call to `params` from within a controller.
 private class ActionControllerParamsCall extends ActionControllerContextCall, ParamsCall { }
 
diff --git a/ruby/ql/test/library-tests/frameworks/ActionController.expected b/ruby/ql/test/library-tests/frameworks/ActionController.expected
@@ -49,6 +49,10 @@ paramsSources
 | app/controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
 | app/controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
 | app/views/foo/bars/show.html.erb:5:9:5:14 | call to params |
+cookiesCalls
+| app/controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies |
+cookiesSources
+| app/controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies |
 redirectToCalls
 | app/controllers/foo/bars_controller.rb:17:5:17:30 | call to redirect_to |
 actionControllerHelperMethods
diff --git a/ruby/ql/test/library-tests/frameworks/ActionController.ql b/ruby/ql/test/library-tests/frameworks/ActionController.ql
@@ -10,6 +10,10 @@ query predicate paramsCalls(ParamsCall c) { any() }
 
 query predicate paramsSources(ParamsSource src) { any() }
 
+query predicate cookiesCalls(CookiesCall c) { any() }
+
+query predicate cookiesSources(CookiesSource src) { any() }
+
 query predicate redirectToCalls(RedirectToCall c) { any() }
 
 query predicate actionControllerHelperMethods(ActionControllerHelperMethod m) { any() }
