Ruby: treat an Arel.sql call as a SqlConstruction

nickrolfe · nickrolfe · commit 5a15558355fe · 2022-11-10T14:11:14.000Z
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll b/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll
@@ -6,6 +6,8 @@
 
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
 
 /**
  * Provides modeling for Arel, a low level SQL library that powers ActiveRecord.
@@ -28,4 +30,14 @@ module Arel {
       input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
     }
   }
+
+  /** A call to `Arel.sql`, considered as a SQL construction. */
+  private class ArelSqlConstruction extends SqlConstruction::Range, DataFlow::CallNode {
+    ArelSqlConstruction() {
+      this = DataFlow::getConstant("Arel").getAMethodCall() and
+      this.getMethodName() = "sql"
+    }
+
+    override DataFlow::Node getSql() { result = this.getArgument(0) }
+  }
 }
diff --git a/ruby/ql/test/library-tests/frameworks/arel/SqlConstruction.expected b/ruby/ql/test/library-tests/frameworks/arel/SqlConstruction.expected
@@ -0,0 +1,2 @@
+| arel.rb:3:8:3:18 | call to sql | arel.rb:3:17:3:17 | x |
+| arel.rb:8:8:8:18 | call to sql | arel.rb:8:17:8:17 | x |
diff --git a/ruby/ql/test/library-tests/frameworks/arel/SqlConstruction.ql b/ruby/ql/test/library-tests/frameworks/arel/SqlConstruction.ql
@@ -0,0 +1,4 @@
+import codeql.ruby.Concepts
+import codeql.ruby.DataFlow
+
+query predicate sqlConstructions(SqlConstruction c, DataFlow::Node sql) { sql = c.getSql() }
diff --git a/ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb b/ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb
@@ -0,0 +1,8 @@
+
+class PotatoController < ActionController::Base
+  def unsafe_action
+    name = params[:user_name]
+    # BAD: SQL statement constructed from user input
+    sql = Arel.sql("SELECT * FROM users WHERE name = #{name}")
+  end
+end
diff --git a/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected
@@ -33,6 +33,8 @@ edges
 | ActiveRecordInjection.rb:137:21:137:44 | ...[...] :  | ActiveRecordInjection.rb:20:22:20:30 | condition :  |
 | ActiveRecordInjection.rb:151:59:151:64 | call to params :  | ActiveRecordInjection.rb:151:59:151:74 | ...[...] :  |
 | ActiveRecordInjection.rb:151:59:151:74 | ...[...] :  | ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." |
+| ArelInjection.rb:4:12:4:17 | call to params :  | ArelInjection.rb:4:12:4:29 | ...[...] :  |
+| ArelInjection.rb:4:12:4:29 | ...[...] :  | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." |
 nodes
 | ActiveRecordInjection.rb:8:25:8:28 | name :  | semmle.label | name :  |
 | ActiveRecordInjection.rb:8:31:8:34 | pass :  | semmle.label | pass :  |
@@ -85,6 +87,9 @@ nodes
 | ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." | semmle.label | "this is an unsafe annotation:..." |
 | ActiveRecordInjection.rb:151:59:151:64 | call to params :  | semmle.label | call to params :  |
 | ActiveRecordInjection.rb:151:59:151:74 | ...[...] :  | semmle.label | ...[...] :  |
+| ArelInjection.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
+| ArelInjection.rb:4:12:4:29 | ...[...] :  | semmle.label | ...[...] :  |
+| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | semmle.label | "SELECT * FROM users WHERE nam..." |
 subpaths
 #select
 | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:23:70:28 | call to params :  | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:23:70:28 | call to params | user-provided value |
@@ -105,3 +110,4 @@ subpaths
 | ActiveRecordInjection.rb:92:21:92:35 | ...[...] | ActiveRecordInjection.rb:92:21:92:26 | call to params :  | ActiveRecordInjection.rb:92:21:92:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:92:21:92:26 | call to params | user-provided value |
 | ActiveRecordInjection.rb:104:20:104:32 | ... + ... | ActiveRecordInjection.rb:98:10:98:15 | call to params :  | ActiveRecordInjection.rb:104:20:104:32 | ... + ... | This SQL query depends on a $@. | ActiveRecordInjection.rb:98:10:98:15 | call to params | user-provided value |
 | ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:151:59:151:64 | call to params :  | ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:151:59:151:64 | call to params | user-provided value |
+| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params :  | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value |

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| arel.rb:3:8:3:18 \| call to sql \| arel.rb:3:17:3:17 \| x \|`
	`2`	`+\| arel.rb:8:8:8:18 \| call to sql \| arel.rb:8:17:8:17 \| x \|`