Ruby: Track flow into ActiveRecord scopes #14426
Conversation
When `map` is called on a hash, the values in the hash are passed to the second parameter of the block.
| input = "Argument[self].Element[any]" and | ||
| output = "ReturnValue.Element[?]" and | ||
| preservesValue = true |
There was a problem hiding this comment.
Couldn't this result in incorrect flow, such as sink({:a => taint}.keys[0])? It would probably be better to just have input = Argument[self] and output = ReturnValue.Element[?] and preservesValue = false.
There was a problem hiding this comment.
Yes, admittedly it is a broad summary. I will change it
| keys = h.keys | ||
| sink(keys[:a]) # $ hasValueFlow=55.1 |
There was a problem hiding this comment.
Isn't keys an array of all the keys in h?
There was a problem hiding this comment.
Yes sorry this should be sink(keys[some_index()]) I think
There was a problem hiding this comment.
But none of the keys are tainted, right? So perhaps instead of h[f()] = taint(55.1) you meant e.g. h[taint(55.1)] = nil?
There was a problem hiding this comment.
Yes that it also true, but I believe we don't yet track taint in Hash keys anyway, so this is a bit of an approximation. Given the change to the summary you suggested, I've changed the test to just taint the whole hash:
h = taint(55.1)
keys = h.keys
sink(keys[f()])This gives the specific behaviour I'm looking for in the context of modelling Rails params, because we taint the whole params object which is a Hash-like thing.
Track flow into ActiveRecord scopes, e.g.
We will track flow from
roleassigned in (1), through the call towith_role(2) which targets the lambda at (3). We do this by adding an additional call step.Also add a few missing flow summaries for Hash.