Merge pull request github#12360 from kaspersv/kaspersv/actioncontroller-prevent-bad-join

kaspersv · web-flow · commit fe65fb874317 · 2023-03-03T13:38:33.000+01:00
ActionController: Prevent bad join
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -520,15 +520,15 @@ ActionControllerClass getAssociatedControllerClass(ErbFile f) {
  * templates in `app/views/` and `app/views/layouts/`.
  */
 predicate controllerTemplateFile(ActionControllerClass cls, ErbFile templateFile) {
-  exists(string templatesPath, string sourcePrefix, string subPath, string controllerPath |
+  exists(string sourcePrefix, string subPath, string controllerPath |
     controllerPath = cls.getLocation().getFile().getRelativePath() and
-    templatesPath = templateFile.getParentContainer().getRelativePath() and
     // `sourcePrefix` is either a prefix path ending in a slash, or empty if
     // the rails app is at the source root
     sourcePrefix = [controllerPath.regexpCapture("^(.*/)app/controllers/(?:.*?)/(?:[^/]*)$", 1), ""] and
     controllerPath = sourcePrefix + "app/controllers/" + subPath + "_controller.rb" and
     (
-      templatesPath = sourcePrefix + "app/views/" + subPath or
+      sourcePrefix + "app/views/" + subPath = templateFile.getParentContainer().getRelativePath()
+      or
       templateFile.getRelativePath().matches(sourcePrefix + "app/views/layouts/" + subPath + "%")
     )
   )

Original file line number	Diff line number	Diff line change
`@@ -520,15 +520,15 @@ ActionControllerClass getAssociatedControllerClass(ErbFile f) {`
`520`	`520`	* templates in `app/views/` and `app/views/layouts/`.
`521`	`521`	`*/`
`522`	`522`	`predicate controllerTemplateFile(ActionControllerClass cls, ErbFile templateFile) {`
`523`		`- exists(string templatesPath, string sourcePrefix, string subPath, string controllerPath \|`
	`523`	`+ exists(string sourcePrefix, string subPath, string controllerPath \|`
`524`	`524`	`controllerPath = cls.getLocation().getFile().getRelativePath() and`
`525`		`- templatesPath = templateFile.getParentContainer().getRelativePath() and`
`526`	`525`	// `sourcePrefix` is either a prefix path ending in a slash, or empty if
`527`	`526`	`// the rails app is at the source root`
`528`	`527`	`sourcePrefix = [controllerPath.regexpCapture("^(./)app/controllers/(?:.?)/(?:[^/]*)$", 1), ""] and`
`529`	`528`	`controllerPath = sourcePrefix + "app/controllers/" + subPath + "_controller.rb" and`
`530`	`529`	`(`
`531`		`- templatesPath = sourcePrefix + "app/views/" + subPath or`
	`530`	`+ sourcePrefix + "app/views/" + subPath = templateFile.getParentContainer().getRelativePath()`
	`531`	`+ or`
`532`	`532`	`templateFile.getRelativePath().matches(sourcePrefix + "app/views/layouts/" + subPath + "%")`
`533`	`533`	`)`
`534`	`534`	`)`