Skip to content

Commit 3430a46

Browse files
committed
fix some local variable mappings between view and controller
1 parent b264a05 commit 3430a46

3 files changed

Lines changed: 16 additions & 28 deletions

File tree

ql/lib/codeql/ruby/security/ReflectedXSSCustomizations.qll

Lines changed: 3 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,3 @@
1-
/**
2-
* Provides default sources, sinks and sanitizers for detecting
3-
* "reflected server-side cross-site scripting"
4-
* vulnerabilities, as well as extension points for adding your own.
5-
*/
6-
71
private import ruby
82
private import codeql.ruby.DataFlow
93
private import codeql.ruby.CFG
@@ -122,19 +116,16 @@ module ReflectedXSS {
122116
call.getTemplateFile() = node2.getLocation().getFile() and
123117
(
124118
// ...node2 is a variable read
125-
exists(CfgNodes::ExprNodes::VariableReadAccessCfgNode readNode |
126-
readNode = node2.asExpr() and
127-
readNode.getExpr().getVariable().getName() = "@" + hashKey
128-
)
119+
node2.asExpr().getExpr().(VariableReadAccess).getVariable().getName() = hashKey
129120
or
130-
// ...node2 is an element reference against `locals`
121+
// ...node2 is an element reference against `local_assigns`
131122
exists(
132123
CfgNodes::ExprNodes::ElementReferenceCfgNode refNode, DataFlow::Node argNode,
133124
CfgNodes::ExprNodes::StringlikeLiteralCfgNode strNode
134125
|
135126
refNode = node2.asExpr() and
136127
argNode.asExpr() = refNode.getArgument(0) and
137-
refNode.getReceiver().getExpr().(MethodCall).getMethodName() = "locals" and
128+
refNode.getReceiver().getExpr().(MethodCall).getMethodName() = "local_assigns" and
138129
argNode.getALocalSource() = DataFlow::exprNode(strNode) and
139130
strNode.getExpr().getValueText() = hashKey
140131
)

ql/test/query-tests/security/cwe-079/app/views/foo/bars/_widget.html.erb

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,8 @@
44
<%# BAD: A local rendered raw as a local variable %>
55
<%= raw display_text %>
66

7-
<%# BAD: A local rendered raw via the locals hash %>
8-
<%= raw locals[:display_text] %>
7+
<%# BAD: A local rendered raw via the local_assigns hash %>
8+
<%= raw local_assigns[:display_text] %>
99

10-
<%# GOOD: A local rendered with default escaping via the locals hash %>
11-
<%= @display_text %>
10+
<%# GOOD: A local rendered with default escaping via the local_assigns hash %>
11+
<%= local_assigns[:display_text] %>

ql/test/query-tests/security/cwe-079/app/views/foo/bars/show.html.erb

Lines changed: 9 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,39 +1,36 @@
11
<%# BAD: An instance variable rendered without escaping %>
22
<a href="<%= raw user_website %>">website</a>
33

4-
<%# BAD: A local rendered raw as an instance variable %>
5-
<%= raw @display_text %>
6-
74
<%# BAD: A local rendered raw as a local variable %>
85
<%= raw display_text %>
96

10-
<%# BAD: A local rendered raw via the locals hash %>
11-
<%= raw locals[:display_text] %>
7+
<%# BAD: A local rendered raw via the local_assigns hash %>
8+
<%= raw local_assigns[:display_text] %>
129

1310
<% key = :display_text %>
14-
<%# BAD: A local rendered raw via the locals hash %>
15-
<%= raw locals[key] %>
11+
<%# BAD: A local rendered raw via the locals_assigns hash %>
12+
<%= raw local_assigns[key] %>
1613

1714
<ul>
1815
<% for key in [:display_text, :safe_text] do %>
1916
<%# BAD: A local rendered raw via the locals hash %>
2017
<%# TODO: we miss that `key` can take `:display_text` as a value here %>
21-
<li><%= raw locals[key] %></li>
18+
<li><%= raw local_assigns[key] %></li>
2219
<% end %>
2320
</ul>
2421

25-
<%# GOOD: A local rendered with default escaping via the locals hash %>
26-
<%= @display_text %>
22+
<%# GOOD: A local rendered with default escaping via the local_assigns hash %>
23+
<%= local_assigns[display_text] %>
2724

2825
<%# GOOD: default escaping of rendered text %>
2926
<%=
30-
full_text = prefix + locals[:display_text]
27+
full_text = prefix + local_assigns[:display_text]
3128
full_text
3229
%>
3330

3431
<%# BAD: html_safe marks string as not requiring HTML escaping %>
3532
<%=
36-
@display_text.html_safe
33+
display_text.html_safe
3734
%>
3835

3936
<%# BAD: html_safe marks string as not requiring HTML escaping %>

0 commit comments

Comments
 (0)