Ruby: Add support for Grape Framework #20427
Open
+685
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull Request Overview
This pull request introduces comprehensive CodeQL modeling support for the Ruby Grape API framework. The implementation identifies Grape API classes, their endpoints, and various sources of user input including parameters, headers, cookies, route parameters, and request objects.
Key changes:
- New
Grape.qlllibrary with classes to model Grape API structure and taint sources - Framework integration by importing Grape in the main Ruby frameworks library
- Comprehensive test coverage with vulnerability detection validation
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
ruby/ql/lib/codeql/ruby/frameworks/Grape.qll |
Core Grape framework modeling with API class detection and taint source definitions |
ruby/ql/lib/codeql/ruby/Frameworks.qll |
Integration of Grape framework into main Ruby frameworks library |
ruby/ql/test/library-tests/frameworks/grape/Grape.ql |
Query predicates for testing Grape framework modeling |
ruby/ql/test/library-tests/frameworks/grape/app.rb |
Test application demonstrating various Grape API patterns |
ruby/ql/test/library-tests/frameworks/grape/Grape.expected |
Expected test results for Grape framework modeling |
ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb |
Additional vulnerability test cases using Grape taint sources |
ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected |
Updated expected results including Grape-based SQL injection detection |
ruby/ql/lib/change-notes/2025-09-15-grape-framework-support.md |
Release notes documenting the new Grape framework support |
Co-authored-by: Copilot <[email protected]>
… ruby-framework-grape
- added unit tests for flow using inline format - removed grape from Arel tests (temporary)
hvitved
requested changes
Sep 19, 2025
| */ | ||
| class RootApi extends GrapeApiClass { | ||
| RootApi() { | ||
| not exists(GrapeApiClass parent | this != parent and this = parent.getADescendent()) |
There was a problem hiding this comment.
not this = any(GrapeApiClass parent).getAnImmediateDescendent()| */ | ||
| class GrapeApiClass extends DataFlow::ClassNode { | ||
| GrapeApiClass() { | ||
| this = grapeApiBaseClass().getADescendentModule() and |
There was a problem hiding this comment.
getADescendentModule is not transitive here, so the line below should be redundant.
Comment on lines
+124
to
+135
| // Params calls within endpoint blocks | ||
| exists(GrapeApiClass api | | ||
| this.getMethodName() = "params" and | ||
| this.getParent+() = api.getADeclaration() | ||
| ) | ||
| or | ||
| // Params calls within helper methods (defined in helpers blocks) | ||
| exists(GrapeApiClass api, DataFlow::CallNode helpersCall | | ||
| helpersCall = api.getAModuleLevelCall("helpers") and | ||
| this.getMethodName() = "params" and | ||
| this.getParent+() = helpersCall.getBlock().asExpr().getExpr() | ||
| ) |
There was a problem hiding this comment.
Suggested change
| // Params calls within endpoint blocks | |
| exists(GrapeApiClass api | | |
| this.getMethodName() = "params" and | |
| this.getParent+() = api.getADeclaration() | |
| ) | |
| or | |
| // Params calls within helper methods (defined in helpers blocks) | |
| exists(GrapeApiClass api, DataFlow::CallNode helpersCall | | |
| helpersCall = api.getAModuleLevelCall("helpers") and | |
| this.getMethodName() = "params" and | |
| this.getParent+() = helpersCall.getBlock().asExpr().getExpr() | |
| ) | |
| exists(API::Node n | this = n.getAMethodCall("params").asExpr().getExpr() | | |
| // Params calls within endpoint blocks | |
| n = grapeApiInstance() | |
| or | |
| // Params calls within helper methods (defined in helpers blocks) | |
| n = any(GrapeApiClass c).getHelperSelf().track() | |
| ) |
where you add this predicate to the GrapeApiClass class:
/**
* Gets the `self` parameter belonging to a method defined within a
* `helpers` block in this API class.
*
* These methods become available in endpoint contexts through Grape's DSL.
*/
DataFlow::SelfParameterNode getHelperSelf() {
exists(DataFlow::CallNode helpersCall |
helpersCall = this.getAModuleLevelCall("helpers") and
result.getSelfVariable().getDeclaringScope().getOuterScope+() =
helpersCall.getBlock().asExpr().getExpr()
)
}
Comment on lines
+230
to
+234
| exists(GrapeApiClass api | | ||
| this.getParent+() = api.getADeclaration() and | ||
| this.getMethodName() = "headers" and | ||
| exists(this.getBlock()) | ||
| ) |
There was a problem hiding this comment.
Suggested change
| exists(GrapeApiClass api | | |
| this.getParent+() = api.getADeclaration() and | |
| this.getMethodName() = "headers" and | |
| exists(this.getBlock()) | |
| ) | |
| this = grapeApiInstance().getAMethodCall("headers").asExpr().getExpr() and | |
| exists(this.getBlock()) |
Comment on lines
+244
to
+248
| exists(GrapeApiClass api | | ||
| this.getParent+() = api.getADeclaration() and | ||
| this.getMethodName() = "cookies" and | ||
| exists(this.getBlock()) | ||
| ) |
There was a problem hiding this comment.
Suggested change
| exists(GrapeApiClass api | | |
| this.getParent+() = api.getADeclaration() and | |
| this.getMethodName() = "cookies" and | |
| exists(this.getBlock()) | |
| ) | |
| this = grapeApiInstance().getAMethodCall("cookies").asExpr().getExpr() and | |
| exists(this.getBlock()) |
Comment on lines
+273
to
+276
| exists(GrapeEndpoint endpoint | | ||
| this.getParent+() = endpoint.getBody().asCallableAstNode() and | ||
| this.getMethodName() = "cookies" | ||
| ) |
Comment on lines
+290
to
+295
| GrapeHelperMethod() { | ||
| exists(DataFlow::CallNode helpersCall | | ||
| helpersCall = apiClass.getAModuleLevelCall("helpers") and | ||
| this.getParent+() = helpersCall.getBlock().asExpr().getExpr() | ||
| ) | ||
| } |
There was a problem hiding this comment.
Suggested change
| GrapeHelperMethod() { | |
| exists(DataFlow::CallNode helpersCall | | |
| helpersCall = apiClass.getAModuleLevelCall("helpers") and | |
| this.getParent+() = helpersCall.getBlock().asExpr().getExpr() | |
| ) | |
| } | |
| GrapeHelperMethod() { this = apiClass.getHelperSelf().getSelfVariable().getDeclaringScope() } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request adds modeling support for the Grape Ruby API framework to the CodeQL library. It introduces a new
Grape.qlllibrary that models Grape API classes, endpoints, and sources of user input such as parameters, headers, cookies, and route parameters.The changes are validated with new framework and vulnerability tests and expected outputs, and Grape is now imported in the main Ruby frameworks library.
Vulnerable tests verified: https://github.com/vulna-felickz/ruby-grape-sqli/blob/main/app/api/potato_api.rb
