From d6fb0fe31b158ed4948b7f6d00d9447de42e594d Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 23 Jan 2025 11:01:21 +0100
Subject: [PATCH 1/3] Ruby: remove an unused sink

---
 .../src/experimental/cwe-807/ConditionalBypass.ql | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql b/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql
index 12f9fb0a0117..49a25e006995 100644
--- a/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql
+++ b/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql
@@ -50,18 +50,6 @@ class SensitiveActionGuardComparison extends ComparisonOperation {
 SensitiveActionGuardConditional getGuard() { result = guard }
 }
 
-/**
- * An intermediary sink to enable reuse of the taint configuration.
- * This sink should not be presented to the client of this query.
- */
-class SensitiveActionGuardComparisonOperand extends Sink {
- SensitiveActionGuardComparison comparison;
-
- SensitiveActionGuardComparisonOperand() { this.asExpr().getExpr() = comparison.getAnOperand() }
-
- override SensitiveAction getAction() { result = comparison.getGuard().getAction() }
-}
-
 /**
 * Holds if `sink` guards `action`, and `source` taints `sink`.
 *
@@ -73,8 +61,6 @@ predicate isTaintedGuardForSensitiveAction(
 SensitiveAction action
 ) {
 action = sink.getNode().(Sink).getAction() and
- // exclude the intermediary sink
- not sink.getNode() instanceof SensitiveActionGuardComparisonOperand and
 ConditionalBypassFlow::flowPath(source, sink)
 }
 

From 9d600d40fd4307d4c99291d7458b6adeae99761f Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 23 Jan 2025 11:08:14 +0100
Subject: [PATCH 2/3] Ruby: remove another unused class

---
 .../experimental/cwe-807/ConditionalBypass.ql | 22 -------------------
 1 file changed, 22 deletions(-)

diff --git a/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql b/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql
index 49a25e006995..64e30674506f 100644
--- a/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql
+++ b/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql
@@ -28,28 +28,6 @@ predicate flowsToGuardExpr(DataFlow::Node nd, SensitiveActionGuardConditional gu
 exists(DataFlow::Node succ | localFlowStep(nd, succ) | flowsToGuardExpr(succ, guard))
 }
 
-/**
- * A comparison that guards a sensitive action, e.g. the comparison in:
- * ```rb
- * ok = x == y
- * if ok
- * login
- * end
- * ```
- */
-class SensitiveActionGuardComparison extends ComparisonOperation {
- SensitiveActionGuardConditional guard;
-
- SensitiveActionGuardComparison() {
- exists(DataFlow::Node node | this = node.asExpr().getExpr() | flowsToGuardExpr(node, guard))
- }
-
- /**
- * Gets the guard that uses this comparison.
- */
- SensitiveActionGuardConditional getGuard() { result = guard }
-}
-
 /**
 * Holds if `sink` guards `action`, and `source` taints `sink`.
 *

From 96b90b88cd51a86c99b67085946ec0d76763abea Mon Sep 17 00:00:00 2001
From: Asger F
Date: Wed, 29 Jan 2025 09:43:47 +0100
Subject: [PATCH 3/3] Ruby: accept test output

---
 .../cwe-807-user-controlled-bypass/ConditionalBypass.expected | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected
index 897e8276049f..f5b786d45a84 100644
--- a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected
+++ b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected
@@ -5,7 +5,6 @@ edges | ConditionalBypass.rb:14:14:14:19 | call to params | ConditionalBypass.rb:14:14:14:27 | ...[...] | provenance | | | ConditionalBypass.rb:25:5:25:5 | p | ConditionalBypass.rb:27:8:27:8 | p | provenance | | | ConditionalBypass.rb:25:10:25:15 | call to params | ConditionalBypass.rb:25:10:25:22 | ...[...] | provenance | | -| ConditionalBypass.rb:25:10:25:15 | call to params | ConditionalBypass.rb:25:10:25:22 | ...[...] | provenance | | | ConditionalBypass.rb:25:10:25:22 | ...[...] | ConditionalBypass.rb:25:5:25:5 | p | provenance | | nodes | ConditionalBypass.rb:3:5:3:9 | check | semmle.label | check | @@ -17,7 +16,6 @@ nodes | ConditionalBypass.rb:25:5:25:5 | p | semmle.label | p | | ConditionalBypass.rb:25:10:25:15 | call to params | semmle.label | call to params | | ConditionalBypass.rb:25:10:25:22 | ...[...] | semmle.label | ...[...] | -| ConditionalBypass.rb:25:10:25:22 | ...[...] | semmle.label | ...[...] | | ConditionalBypass.rb:27:8:27:8 | p | semmle.label | p | subpaths #select