Merge pull request github#12657 from alexrford/rb/sensitive-get-no-path-problem

alexrford · web-flow · commit ee6fa93007c1 · 2023-03-27T12:08:27.000+01:00
Ruby: convert `rb/sensitive-get-query` into a `@kind problem`
diff --git a/ruby/ql/src/change-notes/2023-03-24-sensitive-get-query-problem.md b/ruby/ql/src/change-notes/2023-03-24-sensitive-get-query-problem.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* `rb/sensitive-get-query` no longer reports flow paths from input parameters to sensitive use nodes. This avoids cases where many flow paths could be generated for a single parameter, which caused excessive paths to be generated.
diff --git a/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.ql b/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.ql
@@ -2,7 +2,7 @@
  * @name Sensitive data read from GET request
  * @description Placing sensitive data in a GET request increases the risk of
  *              the data being exposed to an attacker.
- * @kind path-problem
+ * @kind problem
  * @problem.severity warning
  * @security-severity 6.5
  * @precision high
@@ -12,12 +12,10 @@
  */
 
 import ruby
-import DataFlow::PathGraph
 import codeql.ruby.security.SensitiveGetQueryQuery
 import codeql.ruby.security.SensitiveActions
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveGetQuery::Configuration config
-where config.hasFlowPath(source, sink)
-select source.getNode(), source, sink,
-  "$@ for GET requests uses query parameter as sensitive data.",
-  source.getNode().(SensitiveGetQuery::Source).getHandler(), "Route handler"
+from DataFlow::Node source, DataFlow::Node sink, SensitiveGetQuery::Configuration config
+where config.hasFlow(source, sink)
+select source, "$@ for GET requests uses query parameter as sensitive data.",
+  source.(SensitiveGetQuery::Source).getHandler(), "Route handler"
diff --git a/ruby/ql/test/query-tests/security/cwe-598/SensitiveGetQuery.expected b/ruby/ql/test/query-tests/security/cwe-598/SensitiveGetQuery.expected
@@ -1,24 +1,3 @@
-edges
-| app/controllers/users_controller.rb:4:11:4:16 | call to params :  | app/controllers/users_controller.rb:4:11:4:27 | ...[...] |
-| app/controllers/users_controller.rb:9:16:9:21 | call to params :  | app/controllers/users_controller.rb:9:16:9:27 | ...[...] :  |
-| app/controllers/users_controller.rb:9:16:9:27 | ...[...] :  | app/controllers/users_controller.rb:10:42:10:49 | password |
-| app/controllers/users_controller.rb:14:5:14:13 | [post] self [@password] :  | app/controllers/users_controller.rb:15:42:15:50 | self [@password] :  |
-| app/controllers/users_controller.rb:14:17:14:22 | call to params :  | app/controllers/users_controller.rb:14:17:14:28 | ...[...] :  |
-| app/controllers/users_controller.rb:14:17:14:28 | ...[...] :  | app/controllers/users_controller.rb:14:5:14:13 | [post] self [@password] :  |
-| app/controllers/users_controller.rb:15:42:15:50 | self [@password] :  | app/controllers/users_controller.rb:15:42:15:50 | @password |
-nodes
-| app/controllers/users_controller.rb:4:11:4:16 | call to params :  | semmle.label | call to params :  |
-| app/controllers/users_controller.rb:4:11:4:27 | ...[...] | semmle.label | ...[...] |
-| app/controllers/users_controller.rb:9:16:9:21 | call to params :  | semmle.label | call to params :  |
-| app/controllers/users_controller.rb:9:16:9:27 | ...[...] :  | semmle.label | ...[...] :  |
-| app/controllers/users_controller.rb:10:42:10:49 | password | semmle.label | password |
-| app/controllers/users_controller.rb:14:5:14:13 | [post] self [@password] :  | semmle.label | [post] self [@password] :  |
-| app/controllers/users_controller.rb:14:17:14:22 | call to params :  | semmle.label | call to params :  |
-| app/controllers/users_controller.rb:14:17:14:28 | ...[...] :  | semmle.label | ...[...] :  |
-| app/controllers/users_controller.rb:15:42:15:50 | @password | semmle.label | @password |
-| app/controllers/users_controller.rb:15:42:15:50 | self [@password] :  | semmle.label | self [@password] :  |
-subpaths
-#select
-| app/controllers/users_controller.rb:4:11:4:16 | call to params | app/controllers/users_controller.rb:4:11:4:16 | call to params :  | app/controllers/users_controller.rb:4:11:4:27 | ...[...] | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get_1 | Route handler |
-| app/controllers/users_controller.rb:9:16:9:21 | call to params | app/controllers/users_controller.rb:9:16:9:21 | call to params :  | app/controllers/users_controller.rb:10:42:10:49 | password | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:8:3:11:5 | login_get_2 | Route handler |
-| app/controllers/users_controller.rb:14:17:14:22 | call to params | app/controllers/users_controller.rb:14:17:14:22 | call to params :  | app/controllers/users_controller.rb:15:42:15:50 | @password | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:13:3:16:5 | login_get_3 | Route handler |
+| app/controllers/users_controller.rb:4:11:4:16 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get_1 | Route handler |
+| app/controllers/users_controller.rb:9:16:9:21 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:8:3:11:5 | login_get_2 | Route handler |
+| app/controllers/users_controller.rb:14:17:14:22 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:13:3:16:5 | login_get_3 | Route handler |

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* `rb/sensitive-get-query` no longer reports flow paths from input parameters to sensitive use nodes. This avoids cases where many flow paths could be generated for a single parameter, which caused excessive paths to be generated.