add test for .send(..) in code-injection

erik-krogh · erik-krogh · commit cb33d5aeff42 · 2022-10-19T11:25:30.000+02:00
diff --git a/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.expected b/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.expected
@@ -8,6 +8,8 @@ edges
 | CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:38:24:38:27 | code :  |
 | CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:41:40:41:43 | code |
 | CodeInjection.rb:38:24:38:27 | code :  | CodeInjection.rb:38:10:38:28 | call to escape |
+| CodeInjection.rb:78:12:78:17 | call to params :  | CodeInjection.rb:78:12:78:24 | ...[...] :  |
+| CodeInjection.rb:78:12:78:24 | ...[...] :  | CodeInjection.rb:80:16:80:19 | code |
 nodes
 | CodeInjection.rb:5:12:5:17 | call to params :  | semmle.label | call to params :  |
 | CodeInjection.rb:5:12:5:24 | ...[...] :  | semmle.label | ...[...] :  |
@@ -20,6 +22,9 @@ nodes
 | CodeInjection.rb:38:10:38:28 | call to escape | semmle.label | call to escape |
 | CodeInjection.rb:38:24:38:27 | code :  | semmle.label | code :  |
 | CodeInjection.rb:41:40:41:43 | code | semmle.label | code |
+| CodeInjection.rb:78:12:78:17 | call to params :  | semmle.label | call to params :  |
+| CodeInjection.rb:78:12:78:24 | ...[...] :  | semmle.label | ...[...] :  |
+| CodeInjection.rb:80:16:80:19 | code | semmle.label | code |
 subpaths
 #select
 | CodeInjection.rb:8:10:8:13 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:8:10:8:13 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
@@ -30,3 +35,4 @@ subpaths
 | CodeInjection.rb:32:19:32:22 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:32:19:32:22 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
 | CodeInjection.rb:38:10:38:28 | call to escape | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:38:10:38:28 | call to escape | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
 | CodeInjection.rb:41:40:41:43 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:41:40:41:43 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
+| CodeInjection.rb:80:16:80:19 | code | CodeInjection.rb:78:12:78:17 | call to params :  | CodeInjection.rb:80:16:80:19 | code | This code execution depends on a $@. | CodeInjection.rb:78:12:78:17 | call to params | user-provided value |
diff --git a/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.rb b/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.rb
@@ -72,3 +72,11 @@ def self.const_get(x)
     true
   end
 end
+
+class UsersController < ActionController::Base
+  def create
+    code = params[:code]
+
+    obj().send(code, "foo"); # BAD
+  end
+end
