
Commit c9d3494

committed
Ruby: add SqlConstruction concept
1 parent 9f31ef8 commit c9d3494


2 files changed

+49
-1
lines changed


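--- a/ruby/ql/lib/codeql/ruby/Concepts.qll
+++ b/ruby/ql/lib/codeql/ruby/Concepts.qll
@@ -11,9 +11,47 @@ private import codeql.ruby.Frameworks
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.ApiGraphs
 
+/**
+* A data-flow node that constructs a SQL statement.
+*
+* Often, it is worthy of an alert if a SQL statement is constructed such that
+* executing it would be a security risk.
+*
+* If it is important that the SQL statement is indeed executed, use `SqlExecution`.
+*
+* Extend this class to refine existing API models. If you want to model new APIs,
+* extend `SqlConstruction::Range` instead.
+*/
+class SqlConstruction extends DataFlow::Node instanceof SqlConstruction::Range {
+/** Gets the argument that specifies the SQL statements to be constructed. */
+DataFlow::Node getSql() { result = super.getSql() }
+}
+
+/** Provides a class for modeling new SQL execution APIs. */
+module SqlConstruction {
+/**
+* A data-flow node that constructs a SQL statement.
+*
+* Often, it is worthy of an alert if a SQL statement is constructed such that
+* executing it would be a security risk.
+*
+* If it is important that the SQL statement is indeed executed, use `SqlExecution`.
+*
+* Extend this class to model new APIs. If you want to refine existing API models,
+* extend `SqlConstruction` instead.
+*/
+abstract class Range extends DataFlow::Node {
+/** Gets the argument that specifies the SQL statements to be constructed. */
+abstract DataFlow::Node getSql();
+}
+}
+
 /**
 * A data-flow node that executes SQL statements.
 *
+* If the context of interest is such that merely constructing a SQL statement
+* would be valuable to report, consider using `SqlConstruction`.
+*
 * Extend this class to refine existing API models. If you want to model new APIs,
 * extend `SqlExecution::Range` instead.
 */
@@ -27,6 +65,9 @@ module SqlExecution {
 /**
 * A data-flow node that executes SQL statements.
 *
+* If the context of interest is such that merely constructing a SQL
+* statement would be valuable to report, consider using `SqlConstruction`.
+*
 * Extend this class to model new APIs. If you want to refine existing API models,
 * extend `SqlExecution` instead.
 */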
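Review bot: The doc comment on the new `module SqlConstruction` (new line 30) reads `/** Provides a class for modeling new SQL execution APIs. */`, which is copied from the `SqlExecution` module and describes the wrong concept; it should read `/** Provides a class for modeling new SQL construction APIs. */`. The rest of the new documentation mirrors the `SqlExecution` class/module pair consistently, and the cross-references between the two concepts are correct. Both `SqlExecution` hunks are cut off at the bottom of this section, so the class and module bodies they document continue outside the hunk.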

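--- a/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll
@@ -25,12 +25,19 @@ module SqlInjection {
 private class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
 
 /**
-* A SQL statement of a SQL execution, considered as a flow sink.
+* An SQL statement of a SQL execution, considered as a flow sink.
 */
 private class SqlExecutionAsSink extends Sink {
 SqlExecutionAsSink() { this = any(SqlExecution e).getSql() }
 }
 
+/**
+* An SQL statement of a SQL construction, considered as a flow sink.
+*/
+private class SqlConstructionAsSink extends Sink {
+SqlConstructionAsSink() { this = any(SqlConstruction e).getSql() }
+}
+
 /**
 * A comparison with a constant string, considered as a sanitizer-guard.
 */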
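Review bot: Registering every `SqlConstruction` argument as a sink (new lines 37-39) means a tainted string that reaches a modeled construction call and is then passed on to a modeled `SqlExecution` will, as far as I can tell from the two sink classes, be reported at both nodes along the same flow, producing two alerts for one injection; that is worth a sentence in the new doc comment, e.g. `* Note: a statement that is both constructed and executed may be reported at both sites.`, or an explicit deduplication decision in the query. The new `SqlConstructionAsSink` has no effect until some framework model extends `SqlConstruction::Range`, which this commit does not add, so the sink is inert for now and any such model should be aware of the double-reporting behaviour. The commit also switches this file to `An SQL` while the new comments in `Concepts.qll` keep `a SQL statement`; pick one form across both files. The enclosing `module SqlInjection` starts before and ends after this hunk.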
