add more array taint steps that taint the entire array

Author: erik-krogh

ruby/ql/lib/codeql/ruby/frameworks/core/Array.qll

@@ -1833,6 +1833,16 @@ module Array {
       succ = call and
       pred = call.getArgument(_)
     )
+    or
+    exists(DataFlow::CallNode call | call.getMethodName() = "join" |
+      pred = call.getReceiver() and
+      succ = call
+    )
+    or
+    exists(DataFlow::CallNode call | call.getMethodName() = "Array" |
+      pred = call.getArgument(_) and
+      succ = call
+    )
   }
 }
 

ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected

@@ -8,6 +8,8 @@ edges
 | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:44:10:44:12 | arr |
 | impl/unsafeCode.rb:47:15:47:15 | x :  | impl/unsafeCode.rb:49:9:49:12 | #{...} |
 | impl/unsafeCode.rb:54:21:54:21 | x :  | impl/unsafeCode.rb:55:22:55:22 | x |
+| impl/unsafeCode.rb:59:21:59:21 | x :  | impl/unsafeCode.rb:61:10:61:12 | arr |
+| impl/unsafeCode.rb:59:21:59:21 | x :  | impl/unsafeCode.rb:64:10:64:12 | arr |
 nodes
 | impl/unsafeCode.rb:2:12:2:17 | target :  | semmle.label | target :  |
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | semmle.label | #{...} |
@@ -26,6 +28,9 @@ nodes
 | impl/unsafeCode.rb:49:9:49:12 | #{...} | semmle.label | #{...} |
 | impl/unsafeCode.rb:54:21:54:21 | x :  | semmle.label | x :  |
 | impl/unsafeCode.rb:55:22:55:22 | x | semmle.label | x |
+| impl/unsafeCode.rb:59:21:59:21 | x :  | semmle.label | x :  |
+| impl/unsafeCode.rb:61:10:61:12 | arr | semmle.label | arr |
+| impl/unsafeCode.rb:64:10:64:12 | arr | semmle.label | arr |
 subpaths
 #select
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | impl/unsafeCode.rb:2:12:2:17 | target :  | impl/unsafeCode.rb:3:17:3:25 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:2:12:2:17 | target | library input | impl/unsafeCode.rb:3:5:3:27 | call to eval | interpreted as code |
@@ -37,3 +42,5 @@ subpaths
 | impl/unsafeCode.rb:44:10:44:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:44:10:44:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:44:5:44:24 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:49:9:49:12 | #{...} | impl/unsafeCode.rb:47:15:47:15 | x :  | impl/unsafeCode.rb:49:9:49:12 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:47:15:47:15 | x | library input | impl/unsafeCode.rb:51:5:51:13 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:55:22:55:22 | x | impl/unsafeCode.rb:54:21:54:21 | x :  | impl/unsafeCode.rb:55:22:55:22 | x | This string concatenation which depends on $@ is later $@. | impl/unsafeCode.rb:54:21:54:21 | x | library input | impl/unsafeCode.rb:56:5:56:13 | call to eval | interpreted as code |
+| impl/unsafeCode.rb:61:10:61:12 | arr | impl/unsafeCode.rb:59:21:59:21 | x :  | impl/unsafeCode.rb:61:10:61:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:59:21:59:21 | x | library input | impl/unsafeCode.rb:61:5:61:23 | call to eval | interpreted as code |
+| impl/unsafeCode.rb:64:10:64:12 | arr | impl/unsafeCode.rb:59:21:59:21 | x :  | impl/unsafeCode.rb:64:10:64:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:59:21:59:21 | x | library input | impl/unsafeCode.rb:64:5:64:24 | call to eval | interpreted as code |

ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb

@@ -55,4 +55,12 @@ def string_concat(x)
     foo = "foo = " + x
     eval(foo) # NOT OK
   end
+
+  def join_indirect(x, y) 
+    arr = Array("foo = ", x)
+    eval(arr.join(" ")) # NOT OK
+
+    arr2 = [Array("foo = ", y).join(" ")]
+    eval(arr.join("\n")) # NOT OK
+  end
 end