
Commit 91a809f

committed
Ruby: Add data-flow tests for captured variables
1 parent bfc2571 commit 91a809f


3 files changed

+133
-0
lines changed

Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
failures
2+
| capture_flow.rb:29:25:29:68 | # $ hasValueFlow=3 $ MISSING: hasValueFlow=4 | Missing result:hasValueFlow=3 |
3+
| capture_flow.rb:33:21:33:66 | # $ hasValueFlow=4 $ SPURIOUS: hasValueFlow=3 | Missing result:hasValueFlow=4 |
4+
| capture_flow.rb:44:21:44:38 | # $ hasValueFlow=5 | Missing result:hasValueFlow=5 |
5+
edges
6+
| capture_flow.rb:9:1:9:12 | ... = ... : | capture_flow.rb:11:10:11:10 | x |
7+
| capture_flow.rb:9:1:9:12 | ... = ... : | capture_flow.rb:11:10:11:10 | x |
8+
| capture_flow.rb:9:5:9:12 | call to taint : | capture_flow.rb:9:1:9:12 | ... = ... : |
9+
| capture_flow.rb:9:5:9:12 | call to taint : | capture_flow.rb:9:1:9:12 | ... = ... : |
10+
| capture_flow.rb:12:5:12:16 | ... = ... : | capture_flow.rb:15:6:15:6 | x |
11+
| capture_flow.rb:12:5:12:16 | ... = ... : | capture_flow.rb:15:6:15:6 | x |
12+
| capture_flow.rb:12:9:12:16 | call to taint : | capture_flow.rb:12:5:12:16 | ... = ... : |
13+
| capture_flow.rb:12:9:12:16 | call to taint : | capture_flow.rb:12:5:12:16 | ... = ... : |
14+
| capture_flow.rb:18:19:18:19 | x : | capture_flow.rb:19:18:19:18 | x : |
15+
| capture_flow.rb:18:19:18:19 | x : | capture_flow.rb:19:18:19:18 | x : |
16+
| capture_flow.rb:19:18:19:18 | x : | capture_flow.rb:19:9:19:14 | [post] self [@field] : |
17+
| capture_flow.rb:19:18:19:18 | x : | capture_flow.rb:19:9:19:14 | [post] self [@field] : |
18+
| capture_flow.rb:21:5:23:7 | self in get_field [@field] : | capture_flow.rb:22:16:22:21 | self [@field] : |
19+
| capture_flow.rb:21:5:23:7 | self in get_field [@field] : | capture_flow.rb:22:16:22:21 | self [@field] : |
20+
| capture_flow.rb:22:16:22:21 | @field : | capture_flow.rb:22:9:22:21 | return : |
21+
| capture_flow.rb:22:16:22:21 | @field : | capture_flow.rb:22:9:22:21 | return : |
22+
| capture_flow.rb:22:16:22:21 | self [@field] : | capture_flow.rb:22:16:22:21 | @field : |
23+
| capture_flow.rb:22:16:22:21 | self [@field] : | capture_flow.rb:22:16:22:21 | @field : |
24+
| capture_flow.rb:27:1:27:3 | [post] foo [@field] : | capture_flow.rb:33:6:33:8 | foo [@field] : |
25+
| capture_flow.rb:27:1:27:3 | [post] foo [@field] : | capture_flow.rb:33:6:33:8 | foo [@field] : |
26+
| capture_flow.rb:27:15:27:22 | call to taint : | capture_flow.rb:18:19:18:19 | x : |
27+
| capture_flow.rb:27:15:27:22 | call to taint : | capture_flow.rb:18:19:18:19 | x : |
28+
| capture_flow.rb:27:15:27:22 | call to taint : | capture_flow.rb:27:1:27:3 | [post] foo [@field] : |
29+
| capture_flow.rb:27:15:27:22 | call to taint : | capture_flow.rb:27:1:27:3 | [post] foo [@field] : |
30+
| capture_flow.rb:33:6:33:8 | foo [@field] : | capture_flow.rb:21:5:23:7 | self in get_field [@field] : |
31+
| capture_flow.rb:33:6:33:8 | foo [@field] : | capture_flow.rb:21:5:23:7 | self in get_field [@field] : |
32+
| capture_flow.rb:33:6:33:8 | foo [@field] : | capture_flow.rb:33:6:33:18 | call to get_field |
33+
| capture_flow.rb:33:6:33:8 | foo [@field] : | capture_flow.rb:33:6:33:18 | call to get_field |
34+
nodes
35+
| capture_flow.rb:9:1:9:12 | ... = ... : | semmle.label | ... = ... : |
36+
| capture_flow.rb:9:1:9:12 | ... = ... : | semmle.label | ... = ... : |
37+
| capture_flow.rb:9:5:9:12 | call to taint : | semmle.label | call to taint : |
38+
| capture_flow.rb:9:5:9:12 | call to taint : | semmle.label | call to taint : |
39+
| capture_flow.rb:11:10:11:10 | x | semmle.label | x |
40+
| capture_flow.rb:11:10:11:10 | x | semmle.label | x |
41+
| capture_flow.rb:12:5:12:16 | ... = ... : | semmle.label | ... = ... : |
42+
| capture_flow.rb:12:5:12:16 | ... = ... : | semmle.label | ... = ... : |
43+
| capture_flow.rb:12:9:12:16 | call to taint : | semmle.label | call to taint : |
44+
| capture_flow.rb:12:9:12:16 | call to taint : | semmle.label | call to taint : |
45+
| capture_flow.rb:15:6:15:6 | x | semmle.label | x |
46+
| capture_flow.rb:15:6:15:6 | x | semmle.label | x |
47+
| capture_flow.rb:18:19:18:19 | x : | semmle.label | x : |
48+
| capture_flow.rb:18:19:18:19 | x : | semmle.label | x : |
49+
| capture_flow.rb:19:9:19:14 | [post] self [@field] : | semmle.label | [post] self [@field] : |
50+
| capture_flow.rb:19:9:19:14 | [post] self [@field] : | semmle.label | [post] self [@field] : |
51+
| capture_flow.rb:19:18:19:18 | x : | semmle.label | x : |
52+
| capture_flow.rb:19:18:19:18 | x : | semmle.label | x : |
53+
| capture_flow.rb:21:5:23:7 | self in get_field [@field] : | semmle.label | self in get_field [@field] : |
54+
| capture_flow.rb:21:5:23:7 | self in get_field [@field] : | semmle.label | self in get_field [@field] : |
55+
| capture_flow.rb:22:9:22:21 | return : | semmle.label | return : |
56+
| capture_flow.rb:22:9:22:21 | return : | semmle.label | return : |
57+
| capture_flow.rb:22:16:22:21 | @field : | semmle.label | @field : |
58+
| capture_flow.rb:22:16:22:21 | @field : | semmle.label | @field : |
59+
| capture_flow.rb:22:16:22:21 | self [@field] : | semmle.label | self [@field] : |
60+
| capture_flow.rb:22:16:22:21 | self [@field] : | semmle.label | self [@field] : |
61+
| capture_flow.rb:27:1:27:3 | [post] foo [@field] : | semmle.label | [post] foo [@field] : |
62+
| capture_flow.rb:27:1:27:3 | [post] foo [@field] : | semmle.label | [post] foo [@field] : |
63+
| capture_flow.rb:27:15:27:22 | call to taint : | semmle.label | call to taint : |
64+
| capture_flow.rb:27:15:27:22 | call to taint : | semmle.label | call to taint : |
65+
| capture_flow.rb:33:6:33:8 | foo [@field] : | semmle.label | foo [@field] : |
66+
| capture_flow.rb:33:6:33:8 | foo [@field] : | semmle.label | foo [@field] : |
67+
| capture_flow.rb:33:6:33:18 | call to get_field | semmle.label | call to get_field |
68+
| capture_flow.rb:33:6:33:18 | call to get_field | semmle.label | call to get_field |
69+
subpaths
70+
| capture_flow.rb:27:15:27:22 | call to taint : | capture_flow.rb:18:19:18:19 | x : | capture_flow.rb:19:9:19:14 | [post] self [@field] : | capture_flow.rb:27:1:27:3 | [post] foo [@field] : |
71+
| capture_flow.rb:27:15:27:22 | call to taint : | capture_flow.rb:18:19:18:19 | x : | capture_flow.rb:19:9:19:14 | [post] self [@field] : | capture_flow.rb:27:1:27:3 | [post] foo [@field] : |
72+
| capture_flow.rb:33:6:33:8 | foo [@field] : | capture_flow.rb:21:5:23:7 | self in get_field [@field] : | capture_flow.rb:22:9:22:21 | return : | capture_flow.rb:33:6:33:18 | call to get_field |
73+
| capture_flow.rb:33:6:33:8 | foo [@field] : | capture_flow.rb:21:5:23:7 | self in get_field [@field] : | capture_flow.rb:22:9:22:21 | return : | capture_flow.rb:33:6:33:18 | call to get_field |
74+
#select
75+
| capture_flow.rb:11:10:11:10 | x | capture_flow.rb:9:5:9:12 | call to taint : | capture_flow.rb:11:10:11:10 | x | $@ | capture_flow.rb:9:5:9:12 | call to taint : | call to taint : |
76+
| capture_flow.rb:15:6:15:6 | x | capture_flow.rb:12:9:12:16 | call to taint : | capture_flow.rb:15:6:15:6 | x | $@ | capture_flow.rb:12:9:12:16 | call to taint : | call to taint : |
77+
| capture_flow.rb:33:6:33:18 | call to get_field | capture_flow.rb:27:15:27:22 | call to taint : | capture_flow.rb:33:6:33:18 | call to get_field | $@ | capture_flow.rb:27:15:27:22 | call to taint : | call to taint : |
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
/**
2+
* @kind path-problem
3+
*/
4+
5+
import codeql.ruby.AST
6+
import codeql.ruby.DataFlow
7+
private import TestUtilities.InlineFlowTest
8+
import DataFlow::PathGraph
9+
10+
from DataFlow::PathNode source, DataFlow::PathNode sink, DefaultTaintFlowConf conf
11+
where conf.hasFlowPath(source, sink)
12+
select sink, source, sink, "$@", source, source.toString()
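Review bot: The QLDoc holds only `@kind path-problem`, so the file never says what the query is meant to pin down; a one-line description such as `* Prints the taint-flow paths found for the inline-annotated captured-variable test.` would help the next reader. The `from` clause selects paths for `DefaultTaintFlowConf` only, while the annotations in the test file use the `hasValueFlow` tag, so `#select` and the inline expectations presumably exercise different configurations; if that is intended, say so in the comment. Every row under edges, nodes and subpaths in the expected output is also listed twice, which may come from the path graph covering more than one configuration and is worth confirming.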
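--- a/capture_flow.rb
+++ b/capture_flow.rb
@@ -0,0 +1,44 @@
+def taint x
+x
+end
+
+def sink x
+puts "SINK: #{x}"
+end
+
+x = taint(1)
+[1, 2, 3].each do |i|
+sink x # $ hasValueFlow=1 $ MISSING: hasValueFlow=2
+x = taint(2)
+end
+
+sink x # $ hasValueFlow=2
+
+class Foo
+def set_field x
+@field = x
+end
+def get_field
+return @field
+end
+end
+
+foo = Foo.new
+foo.set_field(taint(3))
+[1, 2, 3].each do |i|
+sink(foo.get_field) # $ hasValueFlow=3 $ MISSING: hasValueFlow=4
+foo.set_field(taint(4))
+end
+
+sink(foo.get_field) # $ hasValueFlow=4 $ SPURIOUS: hasValueFlow=3
+
+foo = Foo.new
+if (rand() < 0) then
+foo = Foo.new
+else
+[1, 2, 3].each do |i|
+foo.set_field(taint(5))
+end
+end
+
+sink(foo.get_field) # $ hasValueFlow=5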
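Review bot: Three inline expectations disagree with what the analysis reports, so the expected output checks in a non-empty `failures` section: lines 29, 33 and 44 assert `hasValueFlow=3`, `hasValueFlow=4` and `hasValueFlow=5` as found, while `#select` shows only the `taint(3)` flow reaching line 33. If the intent is to record known gaps in tracking writes made inside a block, mark them the way line 11 does: `# $ MISSING: hasValueFlow=3 $ MISSING: hasValueFlow=4` on line 29, `# $ SPURIOUS: hasValueFlow=3 $ MISSING: hasValueFlow=4` on line 33 and `# $ MISSING: hasValueFlow=5` on line 44. With `failures` empty, a later regression shows up as a new entry instead of blending into the existing three. These are false negatives of the flow analysis, so a short comment above each case naming the gap (a field or variable written inside the `each` block is not seen after it) would help whoever triages missed flows.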
