remove the "send(..)" and similar from unsafe-code-construction

erik-krogh · erik-krogh · commit e7c6571f5240 · 2022-11-25T10:25:31.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll
@@ -47,7 +47,8 @@ module UnsafeCodeConstruction {
     TypeTracker::TypeBackTracker t, Concepts::CodeExecution codeExec
   ) {
     t.start() and
-    result = codeExec.getCode().getALocalSource()
+    result = codeExec.getCode().getALocalSource() and
+    codeExec.runsArbitraryCode() // methods like `Object.send` is benign here, because of the string-construction the attacker cannot control the entire method name
     or
     exists(TypeTracker::TypeBackTracker t2 |
       result = getANodeExecutedAsCode(t2, codeExec).backtrack(t2, t)
diff --git a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb
@@ -16,4 +16,8 @@ def foo3(x)
   def indirect_eval(x)
     eval(x) # OK - no construction.
   end
+
+  def send_stuff(x)
+    foo.send("foo_#{x}") # OK - attacker cannot control entire string.
+  end
 end
