From 43741abbc7960c54ac2358fb25cbeb5405f140a6 Mon Sep 17 00:00:00 2001
From: David Roe
Date: Tue, 2 Apr 2024 12:54:21 +0100
Subject: [PATCH] fix(ruby): add missing URI#read case (#355)

---
 rules/ruby/lang/http_url_using_user_input.yml | 6 +++++-
 .../http_url_using_user_input/testdata/ok_not_unsafe.rb | 1 +
 .../lang/http_url_using_user_input/testdata/unsafe_open.rb | 3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/rules/ruby/lang/http_url_using_user_input.yml b/rules/ruby/lang/http_url_using_user_input.yml
index 80f0898f8..f222512be 100644
--- a/rules/ruby/lang/http_url_using_user_input.yml
+++ b/rules/ruby/lang/http_url_using_user_input.yml
@@ -99,11 +99,15 @@ patterns:
 - variable: USER_INPUT
 detection: ruby_shared_common_user_input
 scope: result
- - pattern: $.open$<...>
+ - pattern: $.$$<...>
 filters:
 - variable: URI
 detection: ruby_lang_http_url_using_user_input_uri
 scope: cursor
+ - variable: METHOD
+ values:
+ - open
+ - read
 - pattern: open($$<...>)$<...>
 filters:
 - variable: URI
diff --git a/tests/ruby/lang/http_url_using_user_input/testdata/ok_not_unsafe.rb b/tests/ruby/lang/http_url_using_user_input/testdata/ok_not_unsafe.rb
index 77dee6645..358c78dcc 100644
--- a/tests/ruby/lang/http_url_using_user_input/testdata/ok_not_unsafe.rb
+++ b/tests/ruby/lang/http_url_using_user_input/testdata/ok_not_unsafe.rb
@@ -64,3 +64,4 @@
 open(uri, "r")
 Kernel.open(uri) {}
 uri.open
+uri.read
diff --git a/tests/ruby/lang/http_url_using_user_input/testdata/unsafe_open.rb b/tests/ruby/lang/http_url_using_user_input/testdata/unsafe_open.rb
index e6e207ec7..6455f781b 100644
--- a/tests/ruby/lang/http_url_using_user_input/testdata/unsafe_open.rb
+++ b/tests/ruby/lang/http_url_using_user_input/testdata/unsafe_open.rb
@@ -8,3 +8,6 @@
 
# bearer:expected ruby_lang_http_url_using_user_input
 uri.open
+
+# bearer:expected ruby_lang_http_url_using_user_input
+uri.read
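Review bot: The first pattern in the rule hunk now matches any method call on the URI-typed receiver and depends solely on the new METHOD `values` filter to stay narrow, yet nothing in the rule records why exactly `open` and `read` are the listed names, so the next maintainer has no boundary to reason from. Both are the methods open-uri's `OpenURI::OpenRead` mixes into the HTTP and FTP URI classes and both perform the network fetch of the URI, which is the server-side request forgery sink this rule exists for; a one-line YAML comment above the filter, `# open-uri (OpenURI::OpenRead) methods that fetch the URI`, would document the set. Because `values` is a closed allow-list, any other method name invoked on a tainted URI is silently unreported, which looks like the intended trade-off but is worth stating in the same comment. The `patterns:` block continues beyond this hunk.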