add failing test for safe-ish uses of Object.send

erik-krogh · erik-krogh · commit d77b31672d93 · 2022-10-19T11:27:08.000+02:00
diff --git a/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.expected b/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.expected
@@ -10,6 +10,7 @@ edges
 | CodeInjection.rb:38:24:38:27 | code :  | CodeInjection.rb:38:10:38:28 | call to escape |
 | CodeInjection.rb:78:12:78:17 | call to params :  | CodeInjection.rb:78:12:78:24 | ...[...] :  |
 | CodeInjection.rb:78:12:78:24 | ...[...] :  | CodeInjection.rb:80:16:80:19 | code |
+| CodeInjection.rb:78:12:78:24 | ...[...] :  | CodeInjection.rb:82:16:82:43 | ... + ... |
 nodes
 | CodeInjection.rb:5:12:5:17 | call to params :  | semmle.label | call to params :  |
 | CodeInjection.rb:5:12:5:24 | ...[...] :  | semmle.label | ...[...] :  |
@@ -25,6 +26,7 @@ nodes
 | CodeInjection.rb:78:12:78:17 | call to params :  | semmle.label | call to params :  |
 | CodeInjection.rb:78:12:78:24 | ...[...] :  | semmle.label | ...[...] :  |
 | CodeInjection.rb:80:16:80:19 | code | semmle.label | code |
+| CodeInjection.rb:82:16:82:43 | ... + ... | semmle.label | ... + ... |
 subpaths
 #select
 | CodeInjection.rb:8:10:8:13 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:8:10:8:13 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
@@ -36,3 +38,4 @@ subpaths
 | CodeInjection.rb:38:10:38:28 | call to escape | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:38:10:38:28 | call to escape | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
 | CodeInjection.rb:41:40:41:43 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:41:40:41:43 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
 | CodeInjection.rb:80:16:80:19 | code | CodeInjection.rb:78:12:78:17 | call to params :  | CodeInjection.rb:80:16:80:19 | code | This code execution depends on a $@. | CodeInjection.rb:78:12:78:17 | call to params | user-provided value |
+| CodeInjection.rb:82:16:82:43 | ... + ... | CodeInjection.rb:78:12:78:17 | call to params :  | CodeInjection.rb:82:16:82:43 | ... + ... | This code execution depends on a $@. | CodeInjection.rb:78:12:78:17 | call to params | user-provided value |
diff --git a/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.rb b/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.rb
@@ -78,5 +78,7 @@ def create
     code = params[:code]
 
     obj().send(code, "foo"); # BAD
+
+    obj().send("prefix_" + code + "_suffix", "foo"); # GOOD - but still flagged by this query
   end
 end
