Ruby: configsig rb/reflected-xss

Author: alexrford

ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll

@@ -2,8 +2,8 @@
  * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
  *
  * Note, for performance reasons: only import this file if
- * `ReflectedXSS::Configuration` is needed, otherwise
- * `XSS::ReflectedXSS` should be imported instead.
+ * `ReflectedXssFlow` is needed, otherwise
+ * `XSS::ReflectedXss` should be imported instead.
  */
 
 private import codeql.ruby.AST
@@ -12,14 +12,16 @@ import codeql.ruby.TaintTracking
 
 /**
  * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
+ * DEPRECATED: Use `ReflectedXssFlow`
  */
-module ReflectedXss {
+deprecated module ReflectedXss {
   import XSS::ReflectedXss
 
   /**
    * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
+   * DEPRECATED: Use `ReflectedXssFlow`
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "ReflectedXSS" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -37,3 +39,22 @@ module ReflectedXss {
     }
   }
 }
+
+private module ReflectedXssConfig implements DataFlow::ConfigSig {
+  private import XSS::ReflectedXss as RX
+
+  predicate isSource(DataFlow::Node source) { source instanceof RX::Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof RX::Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof RX::Sanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    RX::isAdditionalXssTaintStep(node1, node2)
+  }
+}
+
+/**
+ * Taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities.
+ */
+module ReflectedXssFlow = TaintTracking::Global<ReflectedXssConfig>;

ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql

@@ -15,9 +15,9 @@
 
 import codeql.ruby.AST
 import codeql.ruby.security.ReflectedXSSQuery
-import DataFlow::PathGraph
+import ReflectedXssFlow::PathGraph
 
-from ReflectedXss::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from ReflectedXssFlow::PathNode source, ReflectedXssFlow::PathNode sink
+where ReflectedXssFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
   source.getNode(), "user-provided value"

ruby/ql/test/query-tests/security/cwe-079/ReflectedXSS.expected

@@ -9,9 +9,9 @@ edges
 | app/controllers/foo/bars_controller.rb:17:21:17:26 | call to params | app/controllers/foo/bars_controller.rb:17:21:17:36 | ...[...] |
 | app/controllers/foo/bars_controller.rb:17:21:17:36 | ...[...] | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website |
 | app/controllers/foo/bars_controller.rb:18:5:18:6 | dt | app/controllers/foo/bars_controller.rb:19:22:19:23 | dt |
-| app/controllers/foo/bars_controller.rb:18:5:18:6 | dt | app/controllers/foo/bars_controller.rb:26:53:26:54 | dt |
 | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params | app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] |
 | app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] | app/controllers/foo/bars_controller.rb:18:5:18:6 | dt |
+| app/controllers/foo/bars_controller.rb:19:22:19:23 | dt | app/controllers/foo/bars_controller.rb:26:53:26:54 | dt |
 | app/controllers/foo/bars_controller.rb:19:22:19:23 | dt | app/views/foo/bars/show.html.erb:40:3:40:16 | @instance_text |
 | app/controllers/foo/bars_controller.rb:24:39:24:44 | call to params | app/controllers/foo/bars_controller.rb:24:39:24:59 | ...[...] |
 | app/controllers/foo/bars_controller.rb:24:39:24:59 | ...[...] | app/controllers/foo/bars_controller.rb:24:39:24:59 | ... = ... |