step9.ql
/**
* @name URL redirection
* @kind problem
* @id rb/url-redirection
*/
import ruby
import codeql.ruby.frameworks.ActionController
import codeql.ruby.Concepts
import codeql.ruby.dataflow.RemoteFlowSources
import codeql.ruby.TaintTracking
/**
 * A method treated as a handler for HTTP GET requests.
 *
 * A method is included when either:
 * - it is an `ActionControllerActionMethod` with a route whose HTTP method is `"get"`; or
 * - no route is found for it, it is a method of an `ActionControllerControllerClass`,
 *   and its name does not match `.*(create|update|destroy).*`.
 *
 * The second case is a name-based heuristic. It can include handlers that are not
 * reached by GET, and it excludes handlers whose names contain one of those words,
 * so results that depend on it should be reviewed with that in mind.
 */
class GetHandlerMethod extends Ast::MethodBase {
  GetHandlerMethod() {
    // Routed action: rely on the HTTP method declared by one of its routes.
    "get" = this.(ActionControllerActionMethod).getARoute().getHttpMethod()
    or
    // No route information: fall back to the controller-method name heuristic.
    (
      this = any(ActionControllerControllerClass controller).getAMethod() and
      not this.getName().regexpMatch(".*(create|update|destroy).*") and
      not exists(this.(ActionControllerActionMethod).getARoute())
    )
  }
}
/**
 * Holds if `redirectLocation` is the redirect location of an HTTP redirect
 * response whose enclosing method is the GET handler `method`.
 */
predicate isRedirect(DataFlow::Node redirectLocation, GetHandlerMethod method) {
  exists(Http::Server::HttpRedirectResponse response |
    method = response.asExpr().getExpr().getEnclosingMethod() and
    redirectLocation = response.getRedirectLocation()
  )
}
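/**
 * A taint-tracking configuration for URL redirection. It tracks data from remote
 * flow sources to the location of a redirect issued inside a GET handler.
 *
 * No sanitizer or barrier is defined, so a redirect whose target is validated
 * (for example against an allow-list of hosts) is still reported and has to be
 * triaged by hand.
 *
 * NOTE(review): this uses the class-based `TaintTracking::Configuration` API;
 * newer CodeQL releases deprecate it in favour of module-based configurations.
 * Confirm against the library version in use.
 */
class UrlRedirectionConfig extends TaintTracking::Configuration {
  UrlRedirectionConfig() { this = "UrlRedirectionConfig" }

  /** Holds if `source` is a remote flow source, as modelled by `RemoteFlowSource`. */
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  /**
   * Holds if `sink` is the location of a redirect made in some `GetHandlerMethod`.
   * The handler itself is not needed here, hence the don't-care argument.
   */
  override predicate isSink(DataFlow::Node sink) { isRedirect(sink, _) }
}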
// Report each `sink` for which `UrlRedirectionConfig` has flow from some `source`.
// Only the sink is selected; the source is not part of the alert.
from DataFlow::Node source, DataFlow::Node sink, UrlRedirectionConfig cfg
where cfg.hasFlow(source, sink)
select sink, "Potential URL redirection"