Skip to content

Commit bf25b07

Browse files
alexrfordalexrford
committed
Ruby: rack - request input tests
1 parent 175d524 commit bf25b07

File tree

3 files changed

+30
-0
lines changed

3 files changed

+30
-0
lines changed

ruby/ql/test/library-tests/frameworks/rack/Rack.expected

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,8 @@ rackRequestHandlers
66
| rack.rb:60:3:62:5 | call | rack.rb:60:12:60:14 | env | rack.rb:66:7:66:22 | call to [] |
77
| rack.rb:60:3:62:5 | call | rack.rb:60:12:60:14 | env | rack.rb:73:5:73:21 | call to [] |
88
| rack.rb:79:3:81:5 | call | rack.rb:79:17:79:19 | env | rack.rb:93:5:93:78 | call to finish |
9+
| rack.rb:98:3:107:5 | call | rack.rb:98:12:98:14 | env | rack.rb:110:5:110:28 | call to [] |
10+
| rack.rb:98:3:107:5 | call | rack.rb:98:12:98:14 | env | rack.rb:114:5:114:30 | call to [] |
911
| rack_apps.rb:6:3:12:5 | call | rack_apps.rb:6:12:6:14 | env | rack_apps.rb:10:12:10:34 | call to [] |
1012
| rack_apps.rb:16:3:18:5 | call | rack_apps.rb:16:17:16:19 | env | rack_apps.rb:17:5:17:28 | call to [] |
1113
| rack_apps.rb:21:14:21:50 | -> { ... } | rack_apps.rb:21:17:21:19 | env | rack_apps.rb:21:24:21:48 | call to [] |
@@ -16,3 +18,7 @@ rackResponseContentTypes
1618
redirectResponses
1719
| rack.rb:43:5:43:45 | call to [] | rack.rb:42:30:42:40 | "/foo.html" |
1820
| rack.rb:93:5:93:78 | call to finish | rack.rb:93:60:93:70 | redirect_to |
21+
requestInputAccesses
22+
| rack.rb:100:18:100:28 | call to cookies |
23+
| rack.rb:103:14:103:23 | call to params |
24+
| rack.rb:104:18:104:32 | ...[...] |

ruby/ql/test/library-tests/frameworks/rack/Rack.ql

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,5 @@
11
private import codeql.ruby.AST
2+
private import codeql.ruby.Concepts
23
private import codeql.ruby.frameworks.Rack
34
private import codeql.ruby.DataFlow
45

@@ -17,3 +18,5 @@ query predicate rackResponseContentTypes(
1718
query predicate redirectResponses(Rack::Response::RedirectResponse resp, DataFlow::Node location) {
1819
location = resp.getRedirectLocation()
1920
}
21+
22+
query predicate requestInputAccesses(Http::Server::RequestInputAccess ria) { any() }

ruby/ql/test/library-tests/frameworks/rack/rack.rb

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -93,3 +93,24 @@ def do_redirect
9393
Rack::Response.new(['redirecting'], 302, 'Location' => redirect_to).finish
9494
end
9595
end
96+
97+
class UsesRequest
98+
def call(env)
99+
req = Rack::Request.new(env)
100+
if session = req.cookies['session']
101+
reuse_session(session)
102+
else
103+
name = req.params['name']
104+
password = req['password']
105+
login(name, password)
106+
end
107+
end
108+
109+
def login(name, password)
110+
[200, {}, "new session"]
111+
end
112+
113+
def reuse_session(name, password)
114+
[200, {}, "reuse session"]
115+
end
116+
end

0 commit comments

Comments
 (0)