Ruby: add Regexp.{compile,quote} to regex injection test

nickrolfe · nickrolfe · commit e5f473052d48 · 2021-11-23T11:05:41.000Z
diff --git a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected
@@ -3,6 +3,7 @@ edges
 | RegExpInjection.rb:10:12:10:17 | call to params :  | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ |
 | RegExpInjection.rb:16:12:16:17 | call to params :  | RegExpInjection.rb:17:24:17:27 | name |
 | RegExpInjection.rb:22:12:22:17 | call to params :  | RegExpInjection.rb:23:24:23:33 | ... + ... |
+| RegExpInjection.rb:54:12:54:17 | call to params :  | RegExpInjection.rb:55:28:55:37 | ... + ... |
 nodes
 | RegExpInjection.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
 | RegExpInjection.rb:5:13:5:21 | /#{...}/ | semmle.label | /#{...}/ |
@@ -12,9 +13,12 @@ nodes
 | RegExpInjection.rb:17:24:17:27 | name | semmle.label | name |
 | RegExpInjection.rb:22:12:22:17 | call to params :  | semmle.label | call to params :  |
 | RegExpInjection.rb:23:24:23:33 | ... + ... | semmle.label | ... + ... |
+| RegExpInjection.rb:54:12:54:17 | call to params :  | semmle.label | call to params :  |
+| RegExpInjection.rb:55:28:55:37 | ... + ... | semmle.label | ... + ... |
 subpaths
 #select
 | RegExpInjection.rb:5:13:5:21 | /#{...}/ | RegExpInjection.rb:4:12:4:17 | call to params :  | RegExpInjection.rb:5:13:5:21 | /#{...}/ | This regular expression is constructed from a $@. | RegExpInjection.rb:4:12:4:17 | call to params | user-provided value |
 | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | RegExpInjection.rb:10:12:10:17 | call to params :  | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | This regular expression is constructed from a $@. | RegExpInjection.rb:10:12:10:17 | call to params | user-provided value |
 | RegExpInjection.rb:17:24:17:27 | name | RegExpInjection.rb:16:12:16:17 | call to params :  | RegExpInjection.rb:17:24:17:27 | name | This regular expression is constructed from a $@. | RegExpInjection.rb:16:12:16:17 | call to params | user-provided value |
 | RegExpInjection.rb:23:24:23:33 | ... + ... | RegExpInjection.rb:22:12:22:17 | call to params :  | RegExpInjection.rb:23:24:23:33 | ... + ... | This regular expression is constructed from a $@. | RegExpInjection.rb:22:12:22:17 | call to params | user-provided value |
+| RegExpInjection.rb:55:28:55:37 | ... + ... | RegExpInjection.rb:54:12:54:17 | call to params :  | RegExpInjection.rb:55:28:55:37 | ... + ... | This regular expression is constructed from a $@. | RegExpInjection.rb:54:12:54:17 | call to params | user-provided value |
diff --git a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.rb b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.rb
@@ -42,4 +42,16 @@ def route6
     name = params[:name]
     regex = Regexp.new(Regexp.escape(name))
   end
+
+  # GOOD - string is explicitly escaped
+  def route7
+    name = params[:name]
+    regex = Regexp.new(Regexp.quote(name))
+  end
+
+  # BAD
+  def route8
+    name = params[:name]
+    regex = Regexp.compile("@" + name)
+  end
 end
