
Commit 5259d4a

committed
Ruby: Model various JSON methods
1 parent 0a98559 commit 5259d4a


5 files changed

+77
-0
lines changed


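--- a/ruby/ql/lib/codeql/ruby/Frameworks.qll
+++ b/ruby/ql/lib/codeql/ruby/Frameworks.qll
@@ -24,3 +24,4 @@ private import codeql.ruby.frameworks.XmlParsing
 private import codeql.ruby.frameworks.ActionDispatch
 private import codeql.ruby.frameworks.PosixSpawn
 private import codeql.ruby.frameworks.StringFormatters
+private import codeql.ruby.frameworks.Json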
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
/** Provides modelling for the `json` gem. */
2+
3+
private import codeql.ruby.frameworks.data.ModelsAsData
4+
5+
/** Provides modelling for the `json` gem. */
6+
module Json {
7+
/**
8+
* Flow summaries for common `JSON` methods.
9+
* Not all of these methods are strictly defined in the `json` gem.
10+
* The `JSON` namespace is heavily overloaded by other JSON parsing gems such as `oj`, `json_pure`, `multi_json` etc.
11+
* This summary covers common methods we've seen called on `JSON` in the wild.
12+
*/
13+
private class JsonSummary extends ModelInput::SummaryModelCsv {
14+
override predicate row(string row) {
15+
row =
16+
[
17+
"json;;Member[JSON].Method[parse,parse!,load,restore];Argument[0];ReturnValue;taint",
18+
"json;;Member[JSON].Method[generate,fast_generate,dump,unparse,fast_unparse];Argument[0];ReturnValue;taint",
19+
]
20+
}
21+
}
22+
}
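Review bot: The row on line 17 models `load` and `restore` exactly like `parse`, as a taint pass-through from `Argument[0]` to `ReturnValue`, but in the `json` gem those two methods have `create_additions` enabled by default, so a `json_class` key in the document chooses the class that gets instantiated and the result is more than tainted data. That is the right thing for a taint summary, yet a reader may take this file as the complete model of `JSON`; a comment on that row such as `// load/restore also honour create_additions by default; this row only propagates taint, a deserialization sink model belongs elsewhere` would make the scope explicit. The file-level QLDoc on line 1 repeats the module QLDoc on line 5 verbatim; the file-level one could instead read `/** Provides flow summaries for the `JSON` module of the `json` gem and the gems that reuse that namespace. */`.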
Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
failures
2+
edges
3+
| json.rb:1:17:1:26 | call to source : | json.rb:1:6:1:27 | call to parse |
4+
| json.rb:2:18:2:27 | call to source : | json.rb:2:6:2:28 | call to parse! |
5+
| json.rb:3:16:3:25 | call to source : | json.rb:3:6:3:26 | call to load |
6+
| json.rb:4:19:4:28 | call to source : | json.rb:4:6:4:29 | call to restore |
7+
| json.rb:6:20:6:29 | call to source : | json.rb:6:6:6:30 | call to generate |
8+
| json.rb:7:25:7:34 | call to source : | json.rb:7:6:7:35 | call to fast_generate |
9+
| json.rb:8:16:8:25 | call to source : | json.rb:8:6:8:26 | call to dump |
10+
| json.rb:9:19:9:28 | call to source : | json.rb:9:6:9:29 | call to unparse |
11+
| json.rb:10:24:10:33 | call to source : | json.rb:10:6:10:34 | call to fast_unparse |
12+
nodes
13+
| json.rb:1:6:1:27 | call to parse | semmle.label | call to parse |
14+
| json.rb:1:17:1:26 | call to source : | semmle.label | call to source : |
15+
| json.rb:2:6:2:28 | call to parse! | semmle.label | call to parse! |
16+
| json.rb:2:18:2:27 | call to source : | semmle.label | call to source : |
17+
| json.rb:3:6:3:26 | call to load | semmle.label | call to load |
18+
| json.rb:3:16:3:25 | call to source : | semmle.label | call to source : |
19+
| json.rb:4:6:4:29 | call to restore | semmle.label | call to restore |
20+
| json.rb:4:19:4:28 | call to source : | semmle.label | call to source : |
21+
| json.rb:6:6:6:30 | call to generate | semmle.label | call to generate |
22+
| json.rb:6:20:6:29 | call to source : | semmle.label | call to source : |
23+
| json.rb:7:6:7:35 | call to fast_generate | semmle.label | call to fast_generate |
24+
| json.rb:7:25:7:34 | call to source : | semmle.label | call to source : |
25+
| json.rb:8:6:8:26 | call to dump | semmle.label | call to dump |
26+
| json.rb:8:16:8:25 | call to source : | semmle.label | call to source : |
27+
| json.rb:9:6:9:29 | call to unparse | semmle.label | call to unparse |
28+
| json.rb:9:19:9:28 | call to source : | semmle.label | call to source : |
29+
| json.rb:10:6:10:34 | call to fast_unparse | semmle.label | call to fast_unparse |
30+
| json.rb:10:24:10:33 | call to source : | semmle.label | call to source : |
31+
subpaths
32+
#select
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
/**
2+
* @kind path-problem
3+
*/
4+
5+
import codeql.ruby.AST
6+
import TestUtilities.InlineFlowTest
7+
import codeql.ruby.Frameworks
8+
import PathGraph
9+
10+
from DataFlow::PathNode source, DataFlow::PathNode sink, DefaultValueFlowConf conf
11+
where conf.hasFlowPath(source, sink)
12+
select sink, source, sink, "$@", source, source.toString()
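Review bot: The `select` on line 12 is driven by `DefaultValueFlowConf`, while every expectation in the fixture is `$hasTaintFlow` and the summaries are `taint` rows, so `conf.hasFlowPath` finds nothing — the `#select` section of the accompanying `.expected` file is empty, and the edges listed there appear to come from the taint configuration through `PathGraph`. If the path output is meant to show the modelled `JSON` flows, the query should use the taint configuration that `InlineFlowTest` provides (`DefaultTaintFlowConf`, assuming that is its name in this checkout): `from DataFlow::PathNode source, DataFlow::PathNode sink, DefaultTaintFlowConf conf`. If the empty `select` is intended, a one-line QLDoc stating that the inline expectations, not the `select`, are the assertion would save the next reader the same detour.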
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
sink JSON.parse(source "a") # $hasTaintFlow=a
2+
sink JSON.parse!(source "a") # $hasTaintFlow=a
3+
sink JSON.load(source "a") # $hasTaintFlow=a
4+
sink JSON.restore(source "a") # $hasTaintFlow=a
5+
6+
sink JSON.generate(source "a") # $hasTaintFlow=a
7+
sink JSON.fast_generate(source "a") # $hasTaintFlow=a
8+
sink JSON.dump(source "a") # $hasTaintFlow=a
9+
sink JSON.unparse(source "a") # $hasTaintFlow=a
10+
sink JSON.fast_unparse(source "a") # $hasTaintFlow=a
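Review bot: The fixture exercises only the positive direction — every call passes `source` as the first argument and expects `$hasTaintFlow`. One call whose `source` sits in a position the rows do not cover (a second argument to `JSON.dump`, say) and one call to a `JSON` method that is not modelled, both without an expectation, would show the summaries are not over-broad and would fail loudly if a later edit widened the `Argument` selector. The `.expected` file would need regenerating after such an addition.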
