Ruby: Extend FileSystemReadAccess to include more potential sources of input from the filesystem #7163

Open. Wants to merge 5 commits into base: main.

Conversation

@alexrford (Contributor) commented Nov 17, 2021:

The main aim here is to consider expressions like `IO.new(IO.sysopen("foo.txt", "r"), "r").read` as potential reads from a file. We previously would not have considered this as a file read because `IO.new(IO.sysopen("foo.txt", "r"), "r")` was assumed to be some non-file input source. In other words, this changes from under-approximating possible file reads for these cases to over-approximating them.

There is some minor restructuring here to support this. In particular, `IOReader` only deals with the `IO` module directly, and `FileReader` is the new name for `IOFileReader` (extended, as mentioned above).

Separately, calls to `{IO,File}::try_convert` are no longer considered as potential IO/File read nodes. Rather, they potentially return an IO/File instance.

@alexrford alexrford added the Ruby label Nov 17, 2021
@alexrford alexrford requested a review from as a code owner Nov 17, 2021
ruby/ql/lib/codeql/ruby/frameworks/Files.qll (outdated)
@@ -110,72 +110,81 @@ module IO {
*
* This class includes reads both from shell commands and reads from the
* filesystem. For working with filesystem accesses specifically, see
* `IOFileReader` or the `FileSystemReadAccess` concept.
* `FileReader` or the `FileSystemReadAccess` concept.
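Review bot: the first sentence of this doc comment, `This class includes reads both from shell commands and reads from the filesystem`, is left unchanged while only the cross-reference is renamed from `IOFileReader` to `FileReader`, so it still reads as though `FileReader` were a refinement of this class. Per the PR description, `IOReader` now covers only calls made directly on `IO` and `FileReader` covers `File` calls as well as `IO` calls, so the two overlap rather than nest. Suggest stating that relationship here, e.g. that `IOReader` is for calls on `IO` regardless of whether the argument names a file or a `|command` pipe, and pointing at `FileReader` for the filesystem-only view.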
@hmac (Contributor) commented Nov 18, 2021:

This doesn't include File calls anymore though, by the looks of it?


@hmac (Contributor) commented Nov 18, 2021:


What I mean is, this comment implies that `FileReader` is a subset of `IOReader` but it seems that they're disjoint. Is that right?


@alexrford (Contributor, author) commented Nov 18, 2021:


I should have updated this comment - it's pretty misleading.

`IOReader` only includes calls that use the `IO` class directly, so not any calls involving subclasses like `File`.

`FileReader` includes calls using both `File` and `IO`, but it excludes calls using `IO` that "obviously" invoke shell commands such as `IO.read("|date")`, where its argument is a `StringlikeLiteral` that specifies a shell command. It's not a very precise exclusion, as a shell command could read from a file anyway, or, conversely, a non-`StringlikeLiteral` argument could refer to something that isn't a filename (e.g. `cmd = "|date"; IO.read(cmd)`).

I've updated the doc comments on both of these classes to try to make this clearer, relying more on examples than on prose.

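The Ruby behaviours this thread turns on, as an added example that is not code from the PR or from the CodeQL Ruby library: the `IO.new(IO.sysopen(...)).read` chain from the PR description, the `IO.read("|cmd")` command-spawning case that the exclusion heuristic in the comment above tries to catch, and the contrast with `File.read`, which never spawns. Helper names (`read_via_sysopen`, `pipe_command_literal?`, and the others) and the sample file contents are this example's own assumptions.

```ruby
require "tempfile"

# Added example (not part of the PR or the CodeQL Ruby library): the Ruby
# behaviours behind the PR's over-approximation decision, in runnable form.
# Helper names and the sample file contents are this example's own.

SAMPLE_CONTENT = "hello from a file\n" # constructed sample input

# Creates a temporary file holding SAMPLE_CONTENT and yields its path.
def with_sample_file
  Tempfile.create("foo") do |f|
    f.write(SAMPLE_CONTENT)
    f.flush
    yield f.path
  end
end

# The pattern from the PR description: IO.sysopen returns a raw descriptor,
# IO.new wraps it, and #read pulls the file contents through it. No File
# constant appears anywhere in the chain, which is why a model keyed on
# File calls alone misses this read.
def read_via_sysopen(path)
  io = IO.new(IO.sysopen(path, "r"), "r")
  begin
    io.read
  ensure
    io.close # closing the IO also closes the descriptor from IO.sysopen
  end
end

# The thread's exclusion heuristic, as stated: only a string *literal* that
# starts with "|" is classed as a shell command. A variable holding "|date"
# looks like any other filename argument to a syntactic check, so the
# heuristic is imprecise in both directions.
def pipe_command_literal?(arg)
  arg.is_a?(String) && arg.start_with?("|")
end

# IO.read("|cmd") spawns cmd and returns its stdout (deprecated since
# Ruby 3.3). Rescued so the example still runs on a Ruby where the pipe
# feature is gone and the string is looked up as a plain filename.
def io_read_pipe(arg)
  IO.read(arg)
rescue Errno::ENOENT
  nil
end

# File.read never spawns: "|echo hi" is looked up as a literal filename.
# Returns true when File.read treated the argument as a (missing) path.
def file_read_treats_pipe_as_name?(arg)
  File.read(arg)
  false
rescue Errno::ENOENT
  true
end

if __FILE__ == $PROGRAM_NAME
  with_sample_file { |path| puts read_via_sysopen(path).inspect }
  puts pipe_command_literal?("|date")
  puts file_read_treats_pipe_as_name?("|echo hi")
  puts io_read_pipe("|echo hi").inspect
end
```

The example is why over-approximating is the defensible default for a source like `FileSystemReadAccess`: the syntactic `|` check catches `IO.read("|date")` but not `IO.read(cmd)`, and a spawned command can itself read from a file, so treating the ambiguous `IO` cases as possible file reads keeps the source set sound at the cost of some precision.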

2 participants