Ruby: String.index method returns 'nil', not '-1'

aibaars · aibaars · commit fb8cc6e1a40e · 2022-03-16T16:18:19.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/InclusionTests.qll b/ruby/ql/lib/codeql/ruby/InclusionTests.qll
@@ -13,7 +13,7 @@ private import codeql.ruby.controlflow.CfgNodes
  * Examples:
  * ```
  * A.include?(B)
- * A.index(B) !== -1
+ * A.index(B) != nil
  * A.index(B) >= 0
  * ```
  */
@@ -74,7 +74,7 @@ module InclusionTest {
   }
 
   /**
-   * A check of form `A.index(B) != -1`, `A.index(B) >= 0`, or similar.
+   * A check of form `A.index(B) != nil`, `A.index(B) >= 0`, or similar.
    */
   private class Includes_IndexOfComparison extends Range, DataFlow::Node {
     private DataFlow::CallNode indexOf;
@@ -88,8 +88,11 @@ module InclusionTest {
         // one operand is of the form `whitelist.index(x)`
         indexOf.getMethodName() = "index" and
         // and the other one is 0 or -1
-        value = index.getConstantValue().getInt() and
-        value = [0, -1]
+        (
+          value = index.getConstantValue().getInt() and value = 0
+          or
+          index.getExpr() instanceof NilLiteral and value = -1
+        )
       |
         value = -1 and polarity = false and comparison.getExpr() instanceof CaseEqExpr
         or
diff --git a/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.expected b/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.expected
@@ -1,23 +1,23 @@
-| tst-IncompleteUrlSubstringSanitization.rb:4:5:4:31 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:4:13:4:24 | "secure.com" | secure.com |
-| tst-IncompleteUrlSubstringSanitization.rb:5:5:5:31 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:5:13:5:24 | "secure.net" | secure.net |
-| tst-IncompleteUrlSubstringSanitization.rb:6:5:6:32 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:6:13:6:25 | ".secure.com" | .secure.com |
-| tst-IncompleteUrlSubstringSanitization.rb:10:5:10:32 | ... === ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:10:13:10:24 | "secure.com" | secure.com |
+| tst-IncompleteUrlSubstringSanitization.rb:4:5:4:32 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:4:13:4:24 | "secure.com" | secure.com |
+| tst-IncompleteUrlSubstringSanitization.rb:5:5:5:32 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:5:13:5:24 | "secure.net" | secure.net |
+| tst-IncompleteUrlSubstringSanitization.rb:6:5:6:33 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:6:13:6:25 | ".secure.com" | .secure.com |
+| tst-IncompleteUrlSubstringSanitization.rb:10:5:10:33 | ... === ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:10:13:10:24 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.rb:11:5:11:31 | ... === ... | '$@' may be followed by an arbitrary host name. | tst-IncompleteUrlSubstringSanitization.rb:11:13:11:24 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.rb:12:5:12:30 | ... >= ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:12:13:12:24 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.rb:14:5:14:39 | call to start_with? | '$@' may be followed by an arbitrary host name. | tst-IncompleteUrlSubstringSanitization.rb:14:19:14:38 | "https://secure.com" | https://secure.com |
 | tst-IncompleteUrlSubstringSanitization.rb:15:5:15:29 | call to end_with? | '$@' may be preceded by an arbitrary host name. | tst-IncompleteUrlSubstringSanitization.rb:15:17:15:28 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.rb:20:5:20:28 | call to include? | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:20:16:20:27 | "secure.com" | secure.com |
-| tst-IncompleteUrlSubstringSanitization.rb:32:5:32:39 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:32:13:32:32 | "https://secure.com" | https://secure.com |
-| tst-IncompleteUrlSubstringSanitization.rb:33:5:33:43 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:33:13:33:36 | "https://secure.com:443" | https://secure.com:443 |
-| tst-IncompleteUrlSubstringSanitization.rb:34:5:34:40 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:34:13:34:33 | "https://secure.com/" | https://secure.com/ |
-| tst-IncompleteUrlSubstringSanitization.rb:52:5:52:45 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:52:13:52:38 | "https://example.internal" | https://example.internal |
+| tst-IncompleteUrlSubstringSanitization.rb:32:5:32:40 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:32:13:32:32 | "https://secure.com" | https://secure.com |
+| tst-IncompleteUrlSubstringSanitization.rb:33:5:33:44 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:33:13:33:36 | "https://secure.com:443" | https://secure.com:443 |
+| tst-IncompleteUrlSubstringSanitization.rb:34:5:34:41 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:34:13:34:33 | "https://secure.com/" | https://secure.com/ |
+| tst-IncompleteUrlSubstringSanitization.rb:52:5:52:46 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:52:13:52:38 | "https://example.internal" | https://example.internal |
 | tst-IncompleteUrlSubstringSanitization.rb:55:5:55:45 | call to start_with? | '$@' may be followed by an arbitrary host name. | tst-IncompleteUrlSubstringSanitization.rb:55:19:55:44 | "https://example.internal" | https://example.internal |
 | tst-IncompleteUrlSubstringSanitization.rb:56:5:56:48 | ... != ... | '$@' may be followed by an arbitrary host name. | tst-IncompleteUrlSubstringSanitization.rb:56:13:56:42 | "https://example.internal.org" | https://example.internal.org |
 | tst-IncompleteUrlSubstringSanitization.rb:57:5:57:49 | ... === ... | '$@' may be followed by an arbitrary host name. | tst-IncompleteUrlSubstringSanitization.rb:57:13:57:42 | "https://example.internal.org" | https://example.internal.org |
 | tst-IncompleteUrlSubstringSanitization.rb:58:5:58:31 | call to end_with? | '$@' may be preceded by an arbitrary host name. | tst-IncompleteUrlSubstringSanitization.rb:58:17:58:30 | "internal.com" | internal.com |
-| tst-IncompleteUrlSubstringSanitization.rb:61:2:61:28 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:61:10:61:21 | "secure.com" | secure.com |
-| tst-IncompleteUrlSubstringSanitization.rb:62:2:62:29 | ... === ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:62:10:62:21 | "secure.com" | secure.com |
-| tst-IncompleteUrlSubstringSanitization.rb:63:4:63:30 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:63:12:63:23 | "secure.com" | secure.com |
+| tst-IncompleteUrlSubstringSanitization.rb:61:2:61:29 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:61:10:61:21 | "secure.com" | secure.com |
+| tst-IncompleteUrlSubstringSanitization.rb:62:2:62:30 | ... === ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:62:10:62:21 | "secure.com" | secure.com |
+| tst-IncompleteUrlSubstringSanitization.rb:63:4:63:31 | ... != ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:63:12:63:23 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.rb:64:3:64:26 | call to include? | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:64:14:64:25 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.rb:66:6:66:29 | call to include? | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:66:17:66:28 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.rb:73:5:73:46 | ... >= ... | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.rb:73:13:73:40 | "https://secure.com/foo/bar" | https://secure.com/foo/bar |
diff --git a/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.rb b/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.rb
@@ -1,13 +1,13 @@
 def test (x)
-    x.index("internal") != -1; # NOT OK, but not flagged
-    x.index("localhost") != -1; # NOT OK, but not flagged
-    x.index("secure.com") != -1; # NOT OK
-    x.index("secure.net") != -1; # NOT OK
-    x.index(".secure.com") != -1; # NOT OK
-    x.index("sub.secure.") != -1; # NOT OK, but not flagged
-    x.index(".sub.secure.") != -1; # NOT OK, but not flagged
+    x.index("internal") != nil; # NOT OK, but not flagged
+    x.index("localhost") != nil; # NOT OK, but not flagged
+    x.index("secure.com") != nil; # NOT OK
+    x.index("secure.net") != nil; # NOT OK
+    x.index(".secure.com") != nil; # NOT OK
+    x.index("sub.secure.") != nil; # NOT OK, but not flagged
+    x.index(".sub.secure.") != nil; # NOT OK, but not flagged
 
-    x.index("secure.com") === -1; # NOT OK
+    x.index("secure.com") === nil; # NOT OK
     x.index("secure.com") === 0; # NOT OK
     x.index("secure.com") >= 0; # NOT OK
 
@@ -19,48 +19,48 @@ def test (x)
 
     x.include?("secure.com"); # NOT OK
 
-    x.index("#") != -1; # OK
-    x.index(":") != -1; # OK
-    x.index(":/") != -1; # OK
-    x.index("://") != -1; # OK
-    x.index("//") != -1; # OK
-    x.index(":443") != -1; # OK
-    x.index("/some/path/") != -1; # OK
-    x.index("some/path") != -1; # OK
-    x.index("/index.html") != -1; # OK
-    x.index(":template:") != -1; # OK
-    x.index("https://secure.com") != -1; # NOT OK
-    x.index("https://secure.com:443") != -1; # NOT OK
-    x.index("https://secure.com/") != -1; # NOT OK
+    x.index("#") != nil; # OK
+    x.index(":") != nil; # OK
+    x.index(":/") != nil; # OK
+    x.index("://") != nil; # OK
+    x.index("//") != nil; # OK
+    x.index(":443") != nil; # OK
+    x.index("/some/path/") != nil; # OK
+    x.index("some/path") != nil; # OK
+    x.index("/index.html") != nil; # OK
+    x.index(":template:") != nil; # OK
+    x.index("https://secure.com") != nil; # NOT OK
+    x.index("https://secure.com:443") != nil; # NOT OK
+    x.index("https://secure.com/") != nil; # NOT OK
 
-    x.index(".cn") != -1; # NOT OK, but not flagged
-    x.index(".jpg") != -1; # OK
-    x.index("index.html") != -1; # OK
-    x.index("index.js") != -1; # OK
-    x.index("index.php") != -1; # OK
-    x.index("index.css") != -1; # OK
+    x.index(".cn") != nil; # NOT OK, but not flagged
+    x.index(".jpg") != nil; # OK
+    x.index("index.html") != nil; # OK
+    x.index("index.js") != nil; # OK
+    x.index("index.php") != nil; # OK
+    x.index("index.css") != nil; # OK
 
-    x.index("secure=true") != -1; # OK (query param)
-    x.index("&auth=") != -1; # OK (query param)
+    x.index("secure=true") != nil; # OK (query param)
+    x.index("&auth=") != nil; # OK (query param)
 
-    x.index(getCurrentDomain()) != -1; # NOT OK, but not flagged
-    x.index(location.origin) != -1; # NOT OK, but not flagged
+    x.index(getCurrentDomain()) != nil; # NOT OK, but not flagged
+    x.index(location.origin) != nil; # NOT OK, but not flagged
 
 	x.index("tar.gz") + offset; # OK
 	x.index("tar.gz") - offset; # OK
 
-    x.index("https://example.internal") != -1; # NOT OK
-    x.index("https://") != -1; # OK
+    x.index("https://example.internal") != nil; # NOT OK
+    x.index("https://") != nil; # OK
 
     x.start_with?("https://example.internal"); # NOT OK
     x.index('https://example.internal.org') != 0; # NOT OK
     x.index('https://example.internal.org') === 0; # NOT OK
     x.end_with?("internal.com"); # NOT OK
     x.start_with?("https://example.internal:80"); # OK
 
-	x.index("secure.com") != -1; # NOT OK
-	x.index("secure.com") === -1; # OK
-	!(x.index("secure.com") != -1); # OK
+	x.index("secure.com") != nil; # NOT OK
+	x.index("secure.com") === nil; # OK
+	!(x.index("secure.com") != nil); # OK
 	!x.include?("secure.com"); # OK
 
 	if !x.include?("secure.com") # NOT OK
