@hvitved hvitved commented Mar 17, 2023

This PR ensures that flow that goes through assignments always includes those assignments in the reported data flow path.

For example, in

x = taint
if (b)
  y = x
sink(y)

we will no longer report a flow path directly from taint to the y in sink(y), but instead have an intermediate step that goes through the assignment y = x. This should make it easier to follow flow paths.

Instead of requiring that all right-hand sides of assignments always be included in flow paths, we make use of the underlying SSA definition, which means that we will only break at assignments when flow actually goes via the assignee. For example, in

x = taint
if (b)
  y = x
sink(x)

we don't want to have an intermediate step at the assignment y = x.
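
A toy Ruby model of the two snippets above, added here as an illustration; it is not code from the PR or from CodeQL's implementation. The SSA table is built by hand, and the names `Source`, `Copy`, `Uninit`, `Phi`, `steps_to` and `reported_path` are hypothetical; the model assumes the source expression `taint` stands in for its own assignment `x = taint`.

```ruby
# Toy model of the behaviour described above; not CodeQL's implementation.
# Each SSA definition records where its value comes from.
Source = Struct.new(:label)          # x = taint: the RHS is the flow source
Copy   = Struct.new(:label, :from)   # y = x: value copied from another SSA def
Uninit = Class.new                   # variable not assigned on this branch
Phi    = Struct.new(:inputs)         # join point after `if (b)`

# Walk backwards from an SSA definition to the source and return the path
# steps in source-to-sink order, or nil if no tainted value reaches it.
def steps_to(defs, key, seen = [])
  return nil if seen.include?(key)   # guard against cycles through phi nodes
  case (d = defs.fetch(key))
  when Source then [d.label]
  when Copy
    prefix = steps_to(defs, d.from, seen + [key])
    prefix && prefix + [d.label]     # flow goes via the assignee: keep the step
  when Phi
    d.inputs.each do |input|
      path = steps_to(defs, input, seen + [key])
      return path if path
    end
    nil
  else nil                           # Uninit: nothing flows from here
  end
end

# Full path for a sink that reads the SSA definition `read_def`.
def reported_path(defs, read_def, sink_label)
  steps = steps_to(defs, read_def)
  steps && steps + [sink_label]
end

# SSA form shared by both snippets (constructed by hand):
#   x1 = taint; if (b) { y1 = x1 }; y2 = phi(y1, y0)
DEFS = {
  x1: Source.new("taint"),
  y0: Uninit.new,
  y1: Copy.new("y = x", :x1),
  y2: Phi.new([:y1, :y0]),
}.freeze

FIRST  = reported_path(DEFS, :y2, "sink(y)")  # sink reads y2 (the phi)
SECOND = reported_path(DEFS, :x1, "sink(x)")  # sink reads x1 directly
```

In this model `y = x` appears as a step only when the sink's reaching definition chain passes through `y1`, which is the distinction between the two snippets.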

@github-actions github-actions bot added the Ruby label Mar 17, 2023
@hvitved hvitved marked this pull request as ready for review March 17, 2023 11:37
@hvitved hvitved requested a review from a team as a code owner March 17, 2023 11:37
@hvitved hvitved added the no-change-note-required This PR does not need a change note label Mar 17, 2023
@calumgrant calumgrant requested a review from hmac March 20, 2023 09:42
@hvitved hvitved force-pushed the ruby/dataflow-assignments-in-paths branch 2 times, most recently from 4b1f9f0 to c2bc21c Compare March 23, 2023 19:19
hmac previously approved these changes Mar 23, 2023
@hvitved hvitved force-pushed the ruby/dataflow-assignments-in-paths branch from c2bc21c to b816c79 Compare March 24, 2023 09:09
@hvitved hvitved merged commit a5b7a0f into github:main Mar 24, 2023
@hvitved hvitved deleted the ruby/dataflow-assignments-in-paths branch March 24, 2023 11:32
RasmusWL added a commit to RasmusWL/codeql that referenced this pull request Jul 13, 2023
RasmusWL added a commit to RasmusWL/codeql that referenced this pull request Aug 9, 2023
RasmusWL added a commit to RasmusWL/codeql that referenced this pull request Aug 9, 2023
RasmusWL added a commit to RasmusWL/codeql that referenced this pull request Aug 10, 2023