Ruby: rack - model redirect responses #13289

alexrford · 2023-05-25T13:23:47Z

Models redirect responses from rack applications. The direct motivation behind this PR is to help detect open redirects.

The bulk of this PR is restructuring to split Rack modelling into component parts, as it's a fairly complex library. ~~The mimeTypeMatches predicate data is taken from https://www.rubydoc.info/github/rack/rack/Rack/Mime#MIME_TYPES-constant and comprises most of the diff.~~

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Response.qll

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll

…occur in a rack application

…ckTracker to track instances

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Response.qll

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Mime.qll

Co-authored-by: Asger F <[email protected]>

… consistency with concepts

alexrford added the Ruby label May 25, 2023

github-advanced-security bot found potential problems May 25, 2023

View reviewed changes

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Response.qll Fixed Show fixed Hide fixed

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll Fixed Show fixed Hide fixed

alexrford force-pushed the rb/rack-redirect branch from 34ab09e to b8a5bcb Compare May 25, 2023 13:40

alexrford added 12 commits June 1, 2023 14:01

ruby: add Rack::ResponseNode class

e7e0cf5

ruby: add Rack::ResponseNode#getAStatusCode

c87c266

ruby: rack responses implement are HTTP responses

f8d2cbb

ruby: start restructuring rack

c3ab867

ruby: rack - add redirect responses

b2958f8

Ruby: restructure rack model

a5a15f3

ruby: slightly expand a TODO

1966487

Ruby: update rack test output

4905a70

ruby: make a predicate private

40da7d4

ruby: add some qldoc for rack

24635df

ruby: rack - modelling -> modeling

23e2279

ruby: remove unused field

b62a02f

alexrford force-pushed the rb/rack-redirect branch from bd88fd8 to 3f772c7 Compare June 1, 2023 15:22

alexrford added 2 commits June 7, 2023 15:55

ruby: Limit rack PotentialResponseNode to things that look like they …

57508b2

…occur in a rack application

Ruby: fix qldoc

a5d8db6

alexrford force-pushed the rb/rack-redirect branch from 3f772c7 to a5d8db6 Compare June 7, 2023 14:55

Ruby: revert to simpler Rack PotentialResponseNode def and use TypeBa…

0a7ae58

…ckTracker to track instances

alexrford marked this pull request as ready for review June 7, 2023 15:33

alexrford requested a review from a team as a code owner June 7, 2023 15:33

alexrford added 2 commits June 8, 2023 11:59

Ruby: add a change note for rack redirect support

c531b94

ruby: fix qldoc

21b4f88

github-actions bot added the documentation label Jun 8, 2023

alexrford added 2 commits June 8, 2023 12:07

Merge remote-tracking branch 'origin/main' into rb/rack-redirect

397a809

Ruby: fix use of deprecated predicate

b462004

calumgrant requested a review from asgerf June 12, 2023 08:38

asgerf reviewed Jun 13, 2023

View reviewed changes

Update ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll

af1ca7f

Co-authored-by: Asger F <[email protected]>

alexrford added 2 commits June 13, 2023 12:42

Ruby: rack - remove PotentialResponseNode#getAStatusCode

977ceb8

Ruby: rack - use Mimetype rather than MimeType in predicate names for…

75ccbe5

… consistency with concepts

alexrford requested a review from asgerf June 13, 2023 11:48

Ruby: rack - remove MIME modelling

7aec22c

alexrford changed the title ~~Ruby: rack - model redirect responses and Rack::Mime::mime_type~~ Ruby: rack - model redirect responses Jun 20, 2023

qlformat

8ef8a0d

alexrford mentioned this pull request Jun 20, 2023

Ruby: rack - model more responses and app types #13483

Merged

asgerf approved these changes Jun 22, 2023

View reviewed changes

alexrford merged commit 24e8316 into github:main Jun 22, 2023

alexrford deleted the rb/rack-redirect branch June 22, 2023 12:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Ruby: rack - model redirect responses #13289

Ruby: rack - model redirect responses #13289

Uh oh!

alexrford commented May 25, 2023 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Ruby: rack - model redirect responses #13289

Ruby: rack - model redirect responses #13289

Uh oh!

Conversation

alexrford commented May 25, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

alexrford commented May 25, 2023 •

edited

Loading