Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failing test to demonstrate problem with detecting regex match calls in Ruby #13748

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Failing test to demonstrate problem with detecting regex match calls in Ruby #13748

wants to merge 1 commit into from
+7 −0

Conversation

izuzak
Copy link
Member

@izuzak izuzak commented Jul 14, 2023

This PR just demonstrates a problem with the current implementation of IncompleteHostnameRegExp for Ruby. Specifically, it seems that the rule with report false positives for any X.match(Y) method call where Y is a String and X is any object with a match method.

In the example in this PR, we define a new class ClassWithMatch with a match method, and call it with:

obj = ClassWithMatch.new
obj.match("http://docs.github.com/")

Running tests then reports this:

Executing 1 tests in 1 directories.
Extracting test database in ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp.
Compiling queries in ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp.
Executing tests in ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp.
--- expected
+++ actual
@@ -15,7 +15,7 @@
 | tst-IncompleteHostnameRegExp.rb:19:14:19:30 | ^test.example.com | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:20:13:20:26 | "#{...}$" | here |
...
+| tst-IncompleteHostnameRegExp.rb:62:16:62:38 | http://docs.github.com/ | This regular expression has an unescaped '.' before 'github.com/', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:62:15:62:39 | "http://docs.github.com/" | here |
[1/1 comp 466ms eval 1.3s] FAILED(RESULT) ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.qlref
0 tests passed; 1 tests failed:
  FAILED: ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.qlref

Notice the reported problem:

| tst-IncompleteHostnameRegExp.rb:62:16:62:38 | http://docs.github.com/ 
| This regular expression has an unescaped '.' before 'github.com/', so it might
match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:62:15:62:39 
| "http://docs.github.com/" | here |

So, the rule incorrectly thought that the string "http://docs.github.com/" was a regex being used for matching, likely because in Ruby's String class has a match method which takes a String parameter for defining the regex:

https://ruby-doc.org/3.2.2/String.html#method-i-match

@github-actions github-actions bot added the Ruby label Jul 14, 2023
@izuzak izuzak mentioned this pull request Jul 14, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github/codeql-ruby codeql-ruby Awaiting requested review from github/codeql-ruby github/codeql-ruby will be requested when the pull request is marked ready for review github/codeql-ruby is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Ruby
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@izuzak