Skip to content

Commit 3c96bf6

Browse files
hvitvedhvitved
committed
Fix bad join
1 parent fb19288 commit 3c96bf6

File tree

1 file changed

+21
-21
lines changed

1 file changed

+21
-21
lines changed

ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll

Lines changed: 21 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -797,30 +797,30 @@ class ActiveRecordScopeCallTarget extends AdditionalCallTarget {
797797
private module MassAssignmentSinks {
798798
private import codeql.ruby.security.MassAssignmentCustomizations
799799

800+
pragma[nomagic]
801+
private predicate massAssignmentCall(DataFlow::CallNode call, string name) {
802+
call = activeRecordBaseClass().getAMethodCall(name)
803+
or
804+
call instanceof ActiveRecordInstanceMethodCall and
805+
call.getMethodName() = name
806+
}
807+
800808
/** A call to a method that sets attributes of an database record using a hash. */
801809
private class MassAssignmentCall extends MassAssignment::Sink {
802810
MassAssignmentCall() {
803-
exists(DataFlow::CallNode call, string name |
804-
(
805-
call = activeRecordBaseClass().getAMethodCall(name)
806-
or
807-
call instanceof ActiveRecordInstanceMethodCall and
808-
call.getMethodName() = name
809-
) and
810-
(
811-
name =
812-
[
813-
"build", "create", "create!", "create_with", "create_or_find_by",
814-
"create_or_find_by!", "find_or_create_by", "find_or_create_by!",
815-
"find_or_initialize_by", "insert", "insert!", "insert_all", "insert_all!",
816-
"instantiate", "new", "update", "update!", "upsert", "upsert_all"
817-
] and
818-
this = call.getArgument(0)
819-
or
820-
// These methods have an optional first id parameter.
821-
name = ["update", "update!"] and
822-
this = call.getArgument(1)
823-
)
811+
exists(DataFlow::CallNode call, string name | massAssignmentCall(call, name) |
812+
name =
813+
[
814+
"build", "create", "create!", "create_with", "create_or_find_by", "create_or_find_by!",
815+
"find_or_create_by", "find_or_create_by!", "find_or_initialize_by", "insert", "insert!",
816+
"insert_all", "insert_all!", "instantiate", "new", "update", "update!", "upsert",
817+
"upsert_all"
818+
] and
819+
this = call.getArgument(0)
820+
or
821+
// These methods have an optional first id parameter.
822+
name = ["update", "update!"] and
823+
this = call.getArgument(1)
824824
)
825825
}
826826
}

0 commit comments

Comments
 (0)