Ruby: Allow ORM tracking into ERb templates

hmac · hmac · commit 880b35e787b5 · 2024-03-06T11:41:02.000Z
diff --git a/ruby/ql/lib/codeql/ruby/security/XSS.qll b/ruby/ql/lib/codeql/ruby/security/XSS.qll
@@ -298,7 +298,10 @@ private module OrmTracking {
       Shared::isAdditionalXssFlowStep(node1, node2)
     }
 
-    predicate isBarrierIn(DataFlow::Node node) { node instanceof DataFlow::SelfParameterNode }
+    predicate isBarrierIn(DataFlow::Node node) {
+      node instanceof DataFlow::SelfParameterNode and
+      not node.getLocation().getFile() instanceof ErbFile
+    }
   }
 
   import DataFlow::Global<Config>

Original file line number	Diff line number	Diff line change
`@@ -298,7 +298,10 @@ private module OrmTracking {`
`298`	`298`	`Shared::isAdditionalXssFlowStep(node1, node2)`
`299`	`299`	`}`
`300`	`300`
`301`		`- predicate isBarrierIn(DataFlow::Node node) { node instanceof DataFlow::SelfParameterNode }`
	`301`	`+ predicate isBarrierIn(DataFlow::Node node) {`
	`302`	`+ node instanceof DataFlow::SelfParameterNode and`
	`303`	`+ not node.getLocation().getFile() instanceof ErbFile`
	`304`	`+ }`
`302`	`305`	`}`
`303`	`306`
`304`	`307`	`import DataFlow::Global<Config>`