add support for super calls to Kernel

erik-krogh · erik-krogh · commit 8f0c0f3c174d · 2022-12-06T14:25:51.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
@@ -24,11 +24,19 @@ module Kernel {
       this = API::getTopLevelMember("Kernel").getAMethodCall(methodName)
       or
       this.asExpr().getExpr() instanceof UnknownMethodCall and
-      methodName = super.getMethodName() and
+      (
+        methodName = super.getMethodName()
+        or
+        this.asExpr().getExpr() instanceof SuperCall and
+        methodName = this.asExpr().getExpr().getEnclosingCallable().(MethodBase).getName()
+      ) and
       (
         this.getReceiver().asExpr().getExpr() instanceof SelfVariableAccess and
         isPrivateKernelMethod(methodName)
         or
+        this.asExpr().getExpr() instanceof SuperCall and
+        isPrivateKernelMethod(methodName)
+        or
         isPublicKernelMethod(methodName)
       )
     }
diff --git a/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected b/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected
@@ -47,6 +47,9 @@ edges
 | tainted_path.rb:84:12:84:53 | call to new :  | tainted_path.rb:86:25:86:28 | path |
 | tainted_path.rb:84:40:84:45 | call to params :  | tainted_path.rb:84:40:84:52 | ...[...] :  |
 | tainted_path.rb:84:40:84:52 | ...[...] :  | tainted_path.rb:84:12:84:53 | call to new :  |
+| tainted_path.rb:90:12:90:53 | call to new :  | tainted_path.rb:92:11:92:14 | path |
+| tainted_path.rb:90:40:90:45 | call to params :  | tainted_path.rb:90:40:90:52 | ...[...] :  |
+| tainted_path.rb:90:40:90:52 | ...[...] :  | tainted_path.rb:90:12:90:53 | call to new :  |
 nodes
 | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | semmle.label | call to params :  |
 | ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | semmle.label | ...[...] :  |
@@ -111,6 +114,10 @@ nodes
 | tainted_path.rb:84:40:84:52 | ...[...] :  | semmle.label | ...[...] :  |
 | tainted_path.rb:85:10:85:13 | path | semmle.label | path |
 | tainted_path.rb:86:25:86:28 | path | semmle.label | path |
+| tainted_path.rb:90:12:90:53 | call to new :  | semmle.label | call to new :  |
+| tainted_path.rb:90:40:90:45 | call to params :  | semmle.label | call to params :  |
+| tainted_path.rb:90:40:90:52 | ...[...] :  | semmle.label | ...[...] :  |
+| tainted_path.rb:92:11:92:14 | path | semmle.label | path |
 subpaths
 #select
 | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | This path depends on a $@. | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | user-provided value |
@@ -130,3 +137,4 @@ subpaths
 | tainted_path.rb:79:14:79:17 | path | tainted_path.rb:77:40:77:45 | call to params :  | tainted_path.rb:79:14:79:17 | path | This path depends on a $@. | tainted_path.rb:77:40:77:45 | call to params | user-provided value |
 | tainted_path.rb:85:10:85:13 | path | tainted_path.rb:84:40:84:45 | call to params :  | tainted_path.rb:85:10:85:13 | path | This path depends on a $@. | tainted_path.rb:84:40:84:45 | call to params | user-provided value |
 | tainted_path.rb:86:25:86:28 | path | tainted_path.rb:84:40:84:45 | call to params :  | tainted_path.rb:86:25:86:28 | path | This path depends on a $@. | tainted_path.rb:84:40:84:45 | call to params | user-provided value |
+| tainted_path.rb:92:11:92:14 | path | tainted_path.rb:90:40:90:45 | call to params :  | tainted_path.rb:92:11:92:14 | path | This path depends on a $@. | tainted_path.rb:90:40:90:45 | call to params | user-provided value |
diff --git a/ruby/ql/test/query-tests/security/cwe-022/tainted_path.rb b/ruby/ql/test/query-tests/security/cwe-022/tainted_path.rb
@@ -85,4 +85,10 @@ def route13
     load(path)
     autoload(:MyModule, path)
   end
+
+  def require_relative()
+    path = ActiveStorage::Filename.new(params[:path])
+    puts "Debug: require_relative(#{path})"
+    super(path)
+  end
 end
