Ruby: rack - add env['QUERY_STRING'] as an http request input

Author: alexrford

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll

@@ -4,6 +4,7 @@
 
 private import codeql.ruby.AST
 private import codeql.ruby.ApiGraphs
+private import codeql.ruby.Concepts
 private import codeql.ruby.DataFlow
 private import codeql.ruby.typetracking.TypeTracker
 private import Response::Private as RP
@@ -86,4 +87,22 @@ module App {
     /** Gets a response returned from this request handler. */
     RP::PotentialResponseNode getAResponse() { result = resp }
   }
+
+  /** A read of the query string via `env['QUERY_STRING']`. */
+  private class EnvQueryStringRead extends Http::Server::RequestInputAccess::Range {
+    EnvQueryStringRead() {
+      exists(RequestHandler handler, DataFlow::ParameterNode env, ConstantValue key |
+        handler.getEnv() = env
+      |
+        this = env.getAnElementRead(key) and
+        key.isStringlikeValue("QUERY_STRING")
+      )
+    }
+
+    override string getSourceType() { result = "Rack env" }
+
+    override Http::Server::RequestInputKind getKind() {
+      result = Http::Server::parameterInputKind()
+    }
+  }
 }