Ruby: add Regexp.compile as sink for regexp injection query

nickrolfe · nickrolfe · commit 13459c8afc1b · 2021-11-22T17:43:55.000Z
diff --git a/ruby/ql/lib/codeql/ruby/security/performance/RegExpInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/performance/RegExpInjectionCustomizations.qll
@@ -48,12 +48,16 @@ module RegExpInjection {
   }
 
   /**
-   * The first argument of a call to `Regexp.new`, considered as a flow sink.
+   * The first argument of a call to `Regexp.new` or `Regexp.compile`,
+   * considered as a flow sink.
    */
   class ConstructedRegExpAsSink extends Sink {
     ConstructedRegExpAsSink() {
-      this =
-        API::getTopLevelMember("Regexp").getAnInstantiation().(DataFlow::CallNode).getArgument(0)
+      exists(API::Node regexp, DataFlow::CallNode callNode |
+        regexp = API::getTopLevelMember("Regexp") and
+        (callNode = regexp.getAnInstantiation() or callNode = regexp.getAMethodCall("compile")) and
+        this = callNode.getArgument(0)
+      )
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -48,12 +48,16 @@ module RegExpInjection {`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`/**`
`51`		- * The first argument of a call to `Regexp.new`, considered as a flow sink.
	`51`	+ * The first argument of a call to `Regexp.new` or `Regexp.compile`,
	`52`	`+ * considered as a flow sink.`
`52`	`53`	`*/`
`53`	`54`	`class ConstructedRegExpAsSink extends Sink {`
`54`	`55`	`ConstructedRegExpAsSink() {`
`55`		`- this =`
`56`		`- API::getTopLevelMember("Regexp").getAnInstantiation().(DataFlow::CallNode).getArgument(0)`
	`56`	`+ exists(API::Node regexp, DataFlow::CallNode callNode \|`
	`57`	`+ regexp = API::getTopLevelMember("Regexp") and`
	`58`	`+ (callNode = regexp.getAnInstantiation() or callNode = regexp.getAMethodCall("compile")) and`
	`59`	`+ this = callNode.getArgument(0)`
	`60`	`+ )`
`57`	`61`	`}`
`58`	`62`	`}`
`59`	`63`