Merge pull request #16354 from hmac/hmac-incomplete-hostname-fp

Ruby: Reduce FPs for rb/incomplete-hostname-regexp
github · Apr 29, 2024 · 607ed2e · 607ed2e
2 parents a304e2d + 51bc8e9
commit 607ed2e
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/ruby/ql/lib/codeql/ruby/Regexp.qll b/ruby/ql/lib/codeql/ruby/Regexp.qll
@@ -122,7 +122,9 @@ class StdLibRegExpInterpretation extends RegExpInterpretation::Range {
       mce.getMethodName() = ["match", "match?"] and
       this = mce.getArgument(0) and
       // exclude https://ruby-doc.org/core-2.4.0/Regexp.html#method-i-match
-      not mce.getReceiver() = RegExpTracking::trackRegexpType()
+      not mce.getReceiver() = RegExpTracking::trackRegexpType() and
+      // exclude non-stdlib methods
+      not exists(mce.getATarget())
     )
   }
 }

diff --git a/...t/query-tests/security/cwe-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected b/...t/query-tests/security/cwe-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected
@@ -28,3 +28,4 @@
 | tst-IncompleteHostnameRegExp.rb:48:42:48:67 | ^https?://.+.example\\.com/ | This string, which is used as a regular expression $@, has an unescaped '.' before 'example\\.com/', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:48:13:48:69 | ... + ... | here |
 | tst-IncompleteHostnameRegExp.rb:48:42:48:67 | ^https?://.+.example\\.com/ | This string, which is used as a regular expression $@, has an unrestricted wildcard '.+' which may cause 'example\\.com/' to be matched anywhere in the URL, outside the hostname. | tst-IncompleteHostnameRegExp.rb:48:13:48:69 | ... + ... | here |
 | tst-IncompleteHostnameRegExp.rb:59:5:59:20 | foo.example\\.com | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:59:2:59:32 | /^(foo.example\\.com\|whatever)$/ | here |
+| tst-IncompleteHostnameRegExp.rb:81:11:81:34 | ^http://test.example.com | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:77:22:77:22 | x | here |
diff --git a/...est/query-tests/security/cwe-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.rb b/...est/query-tests/security/cwe-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.rb
@@ -65,3 +65,17 @@ def convert1(domain)
 def convert2(domain)
 	return Regexp.new(domain[:hostname]);
 end
+
+class A
+	def self.match?(x) = true
+end
+
+A.match?("^http://test.example.com") # OK
+
+class B
+	def self.match?(x)
+		some_string.match?(x)
+	end
+end
+
+B.match?("^http://test.example.com") # NOT OK