Ruby: Identify safe_constantize

hmac · hmac · commit b389d5094302 · 2022-10-28T11:31:54.000+13:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll
@@ -24,14 +24,17 @@ module ActiveSupport {
      */
     module String {
       /**
-       * A call to `String#constantize`, which tries to find a declared constant with the given name.
-       * Passing user input to this method may result in instantiation of arbitrary Ruby classes.
+       * A call to `String#constantize` or `String#safe_constantize`, which
+       * tries to find a declared constant with the given name.
+       * Passing user input to this method may result in instantiation of
+       * arbitrary Ruby classes.
        */
       class Constantize extends CodeExecution::Range, DataFlow::CallNode {
         // We treat this an `UnknownMethodCall` in order to match every call to `constantize` that isn't overridden.
         // We can't (yet) rely on API Graphs or dataflow to tell us that the receiver is a String.
         Constantize() {
-          this.asExpr().getExpr().(UnknownMethodCall).getMethodName() = "constantize"
+          this.asExpr().getExpr().(UnknownMethodCall).getMethodName() =
+            ["constantize", "safe_constantize"]
         }
 
         override DataFlow::Node getCode() { result = this.getReceiver() }
diff --git a/ruby/ql/test/library-tests/frameworks/active_support/ActiveSupport.expected b/ruby/ql/test/library-tests/frameworks/active_support/ActiveSupport.expected
@@ -1,6 +1,7 @@
 constantizeCalls
 | active_support.rb:1:1:1:22 | call to constantize | active_support.rb:1:1:1:10 | "Foo::Bar" |
 | active_support.rb:3:1:3:13 | call to constantize | active_support.rb:3:1:3:1 | call to a |
+| active_support.rb:4:1:4:18 | call to safe_constantize | active_support.rb:4:1:4:1 | call to a |
 loggerInstantiations
-| active_support.rb:5:1:5:33 | call to new |
-| active_support.rb:6:1:6:40 | call to new |
+| active_support.rb:6:1:6:33 | call to new |
+| active_support.rb:7:1:7:40 | call to new |
diff --git a/ruby/ql/test/library-tests/frameworks/active_support/active_support.rb b/ruby/ql/test/library-tests/frameworks/active_support/active_support.rb
@@ -1,6 +1,7 @@
 "Foo::Bar".constantize
 
 a.constantize
+a.safe_constantize
 
 ActiveSupport::Logger.new(STDOUT)
 ActiveSupport::TaggedLogging.new(STDOUT)
