temp

Author: hvitved

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll

@@ -182,6 +182,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
+    not expectsContent(node, _) and
     if castNode(node) or node instanceof ArgNode or node instanceof ReturnNode
     then compatibleTypes(t, getNodeDataFlowType(node))
     else any()

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -472,9 +472,6 @@ private module Cached {
     or
     // Needed for stores in type tracking
     TypeTrackerSpecific::storeStepIntoSourceNode(_, n, _)
-    or
-    n.asExpr().(CfgNodes::ExprNodes::LocalVariableReadAccessCfgNode).getVariable() instanceof
-      CapturedVariableFlow::CapturedVariable
   }
 
   cached
@@ -486,12 +483,13 @@ private module Cached {
       FlowSummaryImplSpecific::ParsePositions::isParsedElementLowerBoundPosition(_, includeUnknown,
         lower)
     } or
+    TAnyCapturedVariableContent(CapturedVariableFlow::CapturingCallable c) or
     TNoContentSet() // Only used by type-tracking
 
   cached
   class TContentSet =
     TSingletonContent or TAnyElementContent or TKnownOrUnknownElementContent or
-        TElementLowerBoundContent;
+        TElementLowerBoundContent or TAnyCapturedVariableContent;
 
   private predicate trackKnownValue(ConstantValue cv) {
     not cv.isFloat(_) and
@@ -1270,14 +1268,17 @@ predicate storeStepCommon(Node node1, ContentSet c, Node node2) {
   )
 }
 
+pragma[nomagic]
 private predicate capturedVariableStoreStep(
   SsaDefinitionExtNode node1, ContentSet c, CapturedVariableAcccessPostUpdateNode node2
 ) {
-  exists(BasicBlock bb, int i, LocalVariable v, Ssa::WriteDefinition def |
+  exists(BasicBlock bb, int i, Ssa::WriteDefinition def |
     def = node1.getDefinitionExt() and
     bb.getNode(i).getNode() = def.getWriteAccess() and // TODO: splitting
     node2.getAccess().isRead(bb, i, _) and
-    c.isSingleton(any(Content::CapturedVariableContent cvc | cvc.getVariable() = v))
+    c.isSingleton(any(Content::CapturedVariableContent cvc |
+        cvc.getVariable() = def.getSourceVariable()
+      ))
   )
 }
 
@@ -1397,6 +1398,14 @@ predicate clearsContent(Node n, ContentSet c) {
  */
 predicate expectsContent(Node n, ContentSet c) {
   FlowSummaryImpl::Private::Steps::summaryExpectsContent(n, c)
+  or
+  exists(
+    CapturedVariableFlow::CaptureAccess access, CapturedVariableFlow::CapturingCallable callable
+  |
+    n = TCapturedVariableAcccessNode(access, _) and
+    access.isReadOrWrite(_, _, callable) and
+    c.isAnyCapturedVariable(callable)
+  )
 }
 
 private newtype TDataFlowType =

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll

@@ -546,6 +546,8 @@ class ContentSet extends TContentSet {
     this = TElementLowerBoundContent(lower, true)
   }
 
+  predicate isAnyCapturedVariable(Callable c) { this = TAnyCapturedVariableContent(c) }
+
   /** Gets a textual representation of this content set. */
   string toString() {
     exists(Content c |
@@ -570,6 +572,11 @@ class ContentSet extends TContentSet {
       includeUnknown = true and
       result = lower + ".."
     )
+    or
+    exists(Callable c |
+      this.isAnyCapturedVariable(c) and
+      result = "any captured variable inside " + c
+    )
   }
 
   /** Gets a content that may be stored into when storing into this set. */
@@ -615,6 +622,11 @@ class ContentSet extends TContentSet {
       includeUnknown = true and
       result = TUnknownElementContent()
     )
+    or
+    exists(Callable c |
+      this.isAnyCapturedVariable(c) and
+      result.(Content::CapturedVariableContent).getVariable().getAnAccess().getCfgScope() = c
+    )
   }
 }
 

ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll

@@ -2,6 +2,7 @@ private import codeql.ruby.AST as Ast
 private import codeql.ruby.CFG as Cfg
 private import Cfg::CfgNodes
 private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.dataflow.SSA
 private import codeql.ruby.dataflow.internal.CapturedVariableFlow as CapturedVariableFlow
 private import codeql.ruby.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
 private import codeql.ruby.dataflow.internal.DataFlowPublic as DataFlowPublic
@@ -184,19 +185,20 @@ pragma[nomagic]
 private DataFlowPrivate::SsaDefinitionExtNode capturedVariablePredecessor(
   CapturedVariableFlow::CapturedVariable v
 ) {
-  result.getDefinitionExt().getSourceVariable() = v
+  result.getDefinitionExt().(Ssa::WriteDefinition).getSourceVariable() = v
 }
 
 /**
  * Gets a reference to `field` in `mod`, with `instance` indicating if it's
  * a field on an instance of `mod` (as opposed to the module object itself).
  */
 pragma[nomagic]
-private Node capturedVariableSuccessor(CapturedVariableFlow::CapturedVariable v) {
-  exists(LocalVariableReadAccess access |
-    access.getVariable() = v and
-    result.asExpr().getExpr() = access
-  )
+private DataFlowPrivate::SsaDefinitionExtNode capturedVariableSuccessor(
+  CapturedVariableFlow::CapturedVariable v
+) {
+  result.getDefinitionExt().(Ssa::CapturedCallDefinition).getSourceVariable() = v
+  or
+  result.getDefinitionExt().(Ssa::CapturedEntryDefinition).getSourceVariable() = v
 }
 
 /**

ruby/ql/test/library-tests/dataflow/array-flow/type-tracking-array-flow.expected

@@ -13,7 +13,6 @@
 | array_flow.rb:376:10:376:13 | ...[...] | Unexpected result: hasValueFlow=42.3 |
 | array_flow.rb:377:10:377:13 | ...[...] | Unexpected result: hasValueFlow=42.3 |
 | array_flow.rb:378:10:378:13 | ...[...] | Unexpected result: hasValueFlow=42.3 |
-| array_flow.rb:407:10:407:10 | x | Fixed missing result:hasValueFlow=45 |
 | array_flow.rb:484:10:484:13 | ...[...] | Unexpected result: hasValueFlow=54.3 |
 | array_flow.rb:484:10:484:13 | ...[...] | Unexpected result: hasValueFlow=54.4 |
 | array_flow.rb:484:10:484:13 | ...[...] | Unexpected result: hasValueFlow=54.5 |

ruby/ql/test/library-tests/dataflow/global/Flow.expected

@@ -1,5 +1,4 @@
 failures
-| captured_variables.rb:9:14:9:14 | x | Unexpected result: hasValueFlow=1.1 |
 | captured_variables.rb:23:17:23:36 | # $ hasValueFlow=1.4 | Missing result:hasValueFlow=1.4 |
 edges
 | captured_variables.rb:1:24:1:24 | x :  | captured_variables.rb:2:10:2:23 | -> { ... } [captured x] :  |
@@ -8,18 +7,8 @@ edges
 | captured_variables.rb:2:10:2:23 | -> { ... } [captured x] :  | captured_variables.rb:3:5:3:6 | fn [captured x] :  |
 | captured_variables.rb:3:5:3:6 | fn [captured x] :  | captured_variables.rb:2:20:2:20 | x |
 | captured_variables.rb:3:5:3:6 | fn [captured x] :  | captured_variables.rb:2:20:2:20 | x |
-| captured_variables.rb:5:1:5:30 | [post] self [captured x] :  | captured_variables.rb:12:2:12:35 | self [captured x] :  |
-| captured_variables.rb:5:1:5:30 | [post] self [captured x] :  | captured_variables.rb:12:2:12:35 | self [captured x] :  |
 | captured_variables.rb:5:20:5:30 | call to source :  | captured_variables.rb:1:24:1:24 | x :  |
 | captured_variables.rb:5:20:5:30 | call to source :  | captured_variables.rb:1:24:1:24 | x :  |
-| captured_variables.rb:5:20:5:30 | call to source :  | captured_variables.rb:5:1:5:30 | [post] self [captured x] :  |
-| captured_variables.rb:5:20:5:30 | call to source :  | captured_variables.rb:5:1:5:30 | [post] self [captured x] :  |
-| captured_variables.rb:12:1:12:36 | ( ... ) [captured x] :  | captured_variables.rb:9:14:9:14 | x |
-| captured_variables.rb:12:1:12:36 | ( ... ) [captured x] :  | captured_variables.rb:9:14:9:14 | x |
-| captured_variables.rb:12:2:12:35 | call to capture_escape_return1 [captured x] :  | captured_variables.rb:12:1:12:36 | ( ... ) [captured x] :  |
-| captured_variables.rb:12:2:12:35 | call to capture_escape_return1 [captured x] :  | captured_variables.rb:12:1:12:36 | ( ... ) [captured x] :  |
-| captured_variables.rb:12:2:12:35 | self [captured x] :  | captured_variables.rb:12:2:12:35 | call to capture_escape_return1 [captured x] :  |
-| captured_variables.rb:12:2:12:35 | self [captured x] :  | captured_variables.rb:12:2:12:35 | call to capture_escape_return1 [captured x] :  |
 | captured_variables.rb:29:13:29:14 | fn [captured x] :  | captured_variables.rb:30:5:30:6 | fn [captured x] :  |
 | captured_variables.rb:29:13:29:14 | fn [captured x] :  | captured_variables.rb:30:5:30:6 | fn [captured x] :  |
 | captured_variables.rb:30:5:30:6 | fn [captured x] :  | captured_variables.rb:34:14:34:14 | x |
@@ -230,18 +219,8 @@ nodes
 | captured_variables.rb:2:20:2:20 | x | semmle.label | x |
 | captured_variables.rb:3:5:3:6 | fn [captured x] :  | semmle.label | fn [captured x] :  |
 | captured_variables.rb:3:5:3:6 | fn [captured x] :  | semmle.label | fn [captured x] :  |
-| captured_variables.rb:5:1:5:30 | [post] self [captured x] :  | semmle.label | [post] self [captured x] :  |
-| captured_variables.rb:5:1:5:30 | [post] self [captured x] :  | semmle.label | [post] self [captured x] :  |
 | captured_variables.rb:5:20:5:30 | call to source :  | semmle.label | call to source :  |
 | captured_variables.rb:5:20:5:30 | call to source :  | semmle.label | call to source :  |
-| captured_variables.rb:9:14:9:14 | x | semmle.label | x |
-| captured_variables.rb:9:14:9:14 | x | semmle.label | x |
-| captured_variables.rb:12:1:12:36 | ( ... ) [captured x] :  | semmle.label | ( ... ) [captured x] :  |
-| captured_variables.rb:12:1:12:36 | ( ... ) [captured x] :  | semmle.label | ( ... ) [captured x] :  |
-| captured_variables.rb:12:2:12:35 | call to capture_escape_return1 [captured x] :  | semmle.label | call to capture_escape_return1 [captured x] :  |
-| captured_variables.rb:12:2:12:35 | call to capture_escape_return1 [captured x] :  | semmle.label | call to capture_escape_return1 [captured x] :  |
-| captured_variables.rb:12:2:12:35 | self [captured x] :  | semmle.label | self [captured x] :  |
-| captured_variables.rb:12:2:12:35 | self [captured x] :  | semmle.label | self [captured x] :  |
 | captured_variables.rb:29:13:29:14 | fn [captured x] :  | semmle.label | fn [captured x] :  |
 | captured_variables.rb:29:13:29:14 | fn [captured x] :  | semmle.label | fn [captured x] :  |
 | captured_variables.rb:30:5:30:6 | fn [captured x] :  | semmle.label | fn [captured x] :  |
@@ -431,8 +410,6 @@ nodes
 | instance_variables.rb:107:6:107:8 | bar | semmle.label | bar |
 | instance_variables.rb:107:6:107:8 | bar | semmle.label | bar |
 subpaths
-| captured_variables.rb:5:20:5:30 | call to source :  | captured_variables.rb:1:24:1:24 | x :  | captured_variables.rb:1:24:1:24 | x :  | captured_variables.rb:5:1:5:30 | [post] self [captured x] :  |
-| captured_variables.rb:5:20:5:30 | call to source :  | captured_variables.rb:1:24:1:24 | x :  | captured_variables.rb:1:24:1:24 | x :  | captured_variables.rb:5:1:5:30 | [post] self [captured x] :  |
 | instance_variables.rb:28:20:28:24 | field :  | instance_variables.rb:22:20:22:24 | field :  | instance_variables.rb:23:9:23:14 | [post] self [@field] :  | instance_variables.rb:28:9:28:25 | [post] self [@field] :  |
 | instance_variables.rb:28:20:28:24 | field :  | instance_variables.rb:22:20:22:24 | field :  | instance_variables.rb:23:9:23:14 | [post] self [@field] :  | instance_variables.rb:28:9:28:25 | [post] self [@field] :  |
 | instance_variables.rb:39:15:39:23 | call to taint :  | instance_variables.rb:10:19:10:19 | x :  | instance_variables.rb:11:9:11:14 | [post] self [@field] :  | instance_variables.rb:39:1:39:3 | [post] foo [@field] :  |
@@ -492,7 +469,6 @@ subpaths
 | instance_variables.rb:105:6:105:10 | foo16 [@field] :  | instance_variables.rb:13:5:15:7 | self in get_field [@field] :  | instance_variables.rb:14:9:14:21 | return :  | instance_variables.rb:105:6:105:20 | call to get_field |
 #select
 | captured_variables.rb:2:20:2:20 | x | captured_variables.rb:5:20:5:30 | call to source :  | captured_variables.rb:2:20:2:20 | x | $@ | captured_variables.rb:5:20:5:30 | call to source :  | call to source :  |
-| captured_variables.rb:9:14:9:14 | x | captured_variables.rb:5:20:5:30 | call to source :  | captured_variables.rb:9:14:9:14 | x | $@ | captured_variables.rb:5:20:5:30 | call to source :  | call to source :  |
 | captured_variables.rb:34:14:34:14 | x | captured_variables.rb:38:27:38:37 | call to source :  | captured_variables.rb:34:14:34:14 | x | $@ | captured_variables.rb:38:27:38:37 | call to source :  | call to source :  |
 | instance_variables.rb:20:10:20:13 | @foo | instance_variables.rb:19:12:19:21 | call to taint :  | instance_variables.rb:20:10:20:13 | @foo | $@ | instance_variables.rb:19:12:19:21 | call to taint :  | call to taint :  |
 | instance_variables.rb:40:6:40:18 | call to get_field | instance_variables.rb:39:15:39:23 | call to taint :  | instance_variables.rb:40:6:40:18 | call to get_field | $@ | instance_variables.rb:39:15:39:23 | call to taint :  | call to taint :  |

ruby/ql/test/library-tests/dataflow/helpers/dataflow.expected

@@ -131,11 +131,7 @@ getAnImmediateReference
 | tst.rb:8:1:11:3 | C2 | tst.rb:27:12:27:13 | C2 |
 | tst.rb:13:1:18:3 | Mixin | tst.rb:28:13:28:17 | Mixin |
 | tst.rb:20:1:25:3 | Mixin2 | tst.rb:29:13:29:18 | Mixin2 |
-| tst.rb:27:1:35:3 | C3 | tst.rb:28:5:28:17 | self |
-| tst.rb:27:1:35:3 | C3 | tst.rb:29:5:29:18 | self |
-| tst.rb:27:1:35:3 | C3 | tst.rb:31:14:31:17 | self |
 | tst.rb:27:1:35:3 | C3 | tst.rb:37:5:37:6 | C3 |
-| tst.rb:49:1:51:3 | N2 | tst.rb:50:5:50:13 | self |
 getOwnInstanceMethod
 | tst.rb:1:1:6:3 | C1 | c1 | tst.rb:2:5:5:7 | c1 |
 | tst.rb:8:1:11:3 | C2 | c2 | tst.rb:9:5:10:7 | c2 |

ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected

@@ -1,21 +1,17 @@
 edges
-| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  |
-| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | ArchiveApiPathTraversal.rb:49:17:49:27 | destination :  |
 | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  |
 | ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  | ArchiveApiPathTraversal.rb:67:13:67:16 | file :  |
 | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params :  | ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] :  |
 | ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] :  | ArchiveApiPathTraversal.rb:75:11:75:18 | filename :  |
-| ArchiveApiPathTraversal.rb:49:17:49:27 | destination :  | ArchiveApiPathTraversal.rb:52:38:52:48 | destination :  |
-| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join :  | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file |
-| ArchiveApiPathTraversal.rb:52:38:52:48 | destination :  | ArchiveApiPathTraversal.rb:52:28:52:67 | call to join :  |
 | ArchiveApiPathTraversal.rb:67:13:67:16 | file :  | ArchiveApiPathTraversal.rb:68:20:68:23 | file |
 | ArchiveApiPathTraversal.rb:75:11:75:18 | filename :  | ArchiveApiPathTraversal.rb:76:19:76:26 | filename |
 | tainted_path.rb:4:12:4:17 | call to params :  | tainted_path.rb:4:12:4:24 | ...[...] :  |
 | tainted_path.rb:4:12:4:24 | ...[...] :  | tainted_path.rb:5:26:5:29 | path |
 | tainted_path.rb:10:12:10:43 | call to absolute_path :  | tainted_path.rb:11:26:11:29 | path |
 | tainted_path.rb:10:31:10:36 | call to params :  | tainted_path.rb:10:31:10:43 | ...[...] :  |
 | tainted_path.rb:10:31:10:43 | ...[...] :  | tainted_path.rb:10:12:10:43 | call to absolute_path :  |
-| tainted_path.rb:16:15:16:41 | call to dirname :  | tainted_path.rb:17:26:17:29 | path |
+| tainted_path.rb:16:12:16:47 | "#{...}/foo" :  | tainted_path.rb:17:26:17:29 | path |
+| tainted_path.rb:16:15:16:41 | call to dirname :  | tainted_path.rb:16:12:16:47 | "#{...}/foo" :  |
 | tainted_path.rb:16:28:16:33 | call to params :  | tainted_path.rb:16:28:16:40 | ...[...] :  |
 | tainted_path.rb:16:28:16:40 | ...[...] :  | tainted_path.rb:16:15:16:41 | call to dirname :  |
 | tainted_path.rb:22:12:22:41 | call to expand_path :  | tainted_path.rb:23:26:23:29 | path |
@@ -51,16 +47,10 @@ edges
 | tainted_path.rb:90:40:90:45 | call to params :  | tainted_path.rb:90:40:90:52 | ...[...] :  |
 | tainted_path.rb:90:40:90:52 | ...[...] :  | tainted_path.rb:90:12:90:53 | call to new :  |
 nodes
-| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | semmle.label | call to params :  |
-| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | semmle.label | ...[...] :  |
 | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | semmle.label | call to params :  |
 | ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  | semmle.label | ...[...] :  |
 | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params :  | semmle.label | call to params :  |
 | ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] :  | semmle.label | ...[...] :  |
-| ArchiveApiPathTraversal.rb:49:17:49:27 | destination :  | semmle.label | destination :  |
-| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join :  | semmle.label | call to join :  |
-| ArchiveApiPathTraversal.rb:52:38:52:48 | destination :  | semmle.label | destination :  |
-| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | semmle.label | destination_file |
 | ArchiveApiPathTraversal.rb:67:13:67:16 | file :  | semmle.label | file :  |
 | ArchiveApiPathTraversal.rb:68:20:68:23 | file | semmle.label | file |
 | ArchiveApiPathTraversal.rb:75:11:75:18 | filename :  | semmle.label | filename :  |
@@ -72,6 +62,7 @@ nodes
 | tainted_path.rb:10:31:10:36 | call to params :  | semmle.label | call to params :  |
 | tainted_path.rb:10:31:10:43 | ...[...] :  | semmle.label | ...[...] :  |
 | tainted_path.rb:11:26:11:29 | path | semmle.label | path |
+| tainted_path.rb:16:12:16:47 | "#{...}/foo" :  | semmle.label | "#{...}/foo" :  |
 | tainted_path.rb:16:15:16:41 | call to dirname :  | semmle.label | call to dirname :  |
 | tainted_path.rb:16:28:16:33 | call to params :  | semmle.label | call to params :  |
 | tainted_path.rb:16:28:16:40 | ...[...] :  | semmle.label | ...[...] :  |
@@ -120,7 +111,6 @@ nodes
 | tainted_path.rb:92:11:92:14 | path | semmle.label | path |
 subpaths
 #select
-| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | This path depends on a $@. | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | user-provided value |
 | ArchiveApiPathTraversal.rb:68:20:68:23 | file | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | ArchiveApiPathTraversal.rb:68:20:68:23 | file | This path depends on a $@. | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params | user-provided value |
 | ArchiveApiPathTraversal.rb:76:19:76:26 | filename | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params :  | ArchiveApiPathTraversal.rb:76:19:76:26 | filename | This path depends on a $@. | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params | user-provided value |
 | tainted_path.rb:5:26:5:29 | path | tainted_path.rb:4:12:4:17 | call to params :  | tainted_path.rb:5:26:5:29 | path | This path depends on a $@. | tainted_path.rb:4:12:4:17 | call to params | user-provided value |

ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected

@@ -28,7 +28,8 @@ edges
 | ActiveRecordInjection.rb:92:21:92:26 | call to params :  | ActiveRecordInjection.rb:92:21:92:35 | ...[...] |
 | ActiveRecordInjection.rb:98:10:98:15 | call to params :  | ActiveRecordInjection.rb:99:11:99:12 | ps :  |
 | ActiveRecordInjection.rb:99:11:99:12 | ps :  | ActiveRecordInjection.rb:99:11:99:17 | ...[...] :  |
-| ActiveRecordInjection.rb:99:11:99:17 | ...[...] :  | ActiveRecordInjection.rb:104:20:104:32 | ... + ... |
+| ActiveRecordInjection.rb:99:11:99:17 | ...[...] :  | ActiveRecordInjection.rb:100:13:100:24 | "= '#{...}'" :  |
+| ActiveRecordInjection.rb:100:13:100:24 | "= '#{...}'" :  | ActiveRecordInjection.rb:104:20:104:32 | ... + ... |
 | ActiveRecordInjection.rb:137:21:137:26 | call to params :  | ActiveRecordInjection.rb:137:21:137:44 | ...[...] :  |
 | ActiveRecordInjection.rb:137:21:137:44 | ...[...] :  | ActiveRecordInjection.rb:20:22:20:30 | condition :  |
 | ActiveRecordInjection.rb:151:59:151:64 | call to params :  | ActiveRecordInjection.rb:151:59:151:74 | ...[...] :  |
@@ -81,6 +82,7 @@ nodes
 | ActiveRecordInjection.rb:98:10:98:15 | call to params :  | semmle.label | call to params :  |
 | ActiveRecordInjection.rb:99:11:99:12 | ps :  | semmle.label | ps :  |
 | ActiveRecordInjection.rb:99:11:99:17 | ...[...] :  | semmle.label | ...[...] :  |
+| ActiveRecordInjection.rb:100:13:100:24 | "= '#{...}'" :  | semmle.label | "= '#{...}'" :  |
 | ActiveRecordInjection.rb:104:20:104:32 | ... + ... | semmle.label | ... + ... |
 | ActiveRecordInjection.rb:137:21:137:26 | call to params :  | semmle.label | call to params :  |
 | ActiveRecordInjection.rb:137:21:137:44 | ...[...] :  | semmle.label | ...[...] :  |