Merge pull request #21341 from owen-mc/rb/accept-mad-sanitizers

Ruby: Accept MaD sanitizers for queries with MaD sinks and convert some existing sanitizers

Author: owen-mc

ruby/ql/lib/change-notes/2026-02-17-flow-through-shellwords-escape-shellescape.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* We now track taint flow through `Shellwords.escape` and `Shellwords.shellescape` for all queries except command injection, for which they are sanitizers.

ruby/ql/lib/codeql/ruby/Concepts.qll

@@ -9,6 +9,7 @@ private import codeql.ruby.CFG
 private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.internal.DataFlowImplSpecific
 private import codeql.ruby.Frameworks
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.Regexp as RE
@@ -95,6 +96,10 @@ module SqlSanitization {
   abstract class Range extends DataFlow::Node { }
 }
 
+private class ExternalSqlInjectionSanitizer extends SqlSanitization::Range {
+  ExternalSqlInjectionSanitizer() { ModelOutput::barrierNode(this, "sql-injection") }
+}
+
 /**
  * A data-flow node that executes a regular expression.
  *

ruby/ql/lib/codeql/ruby/frameworks/Mysql2.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: summaryModel
+    data:
+      - ['Mysql2::Client!', 'Method[escape]', 'Argument[0]', 'ReturnValue', 'taint']
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: barrierModel
+    data:
+      - ['Mysql2::Client!', 'Method[escape].ReturnValue', 'sql-injection']

ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll

@@ -48,26 +48,4 @@ module Mysql2 {
 
     override DataFlow::Node getSql() { result = query }
   }
-
-  /**
-   * A call to `Mysql2::Client.escape`, considered as a sanitizer for SQL statements.
-   */
-  private class Mysql2EscapeSanitization extends SqlSanitization::Range {
-    Mysql2EscapeSanitization() {
-      this = API::getTopLevelMember("Mysql2").getMember("Client").getAMethodCall("escape")
-    }
-  }
-
-  /**
-   * Flow summary for `Mysql2::Client.escape()`.
-   */
-  private class EscapeSummary extends SummarizedCallable::Range {
-    EscapeSummary() { this = "Mysql2::Client.escape()" }
-
-    override MethodCall getACall() { result = any(Mysql2EscapeSanitization c).asExpr().getExpr() }
-
-    override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
-    }
-  }
 }

ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: summaryModel
+    data:
+      - ['SQLite3::Database!', 'Method[quote]', 'Argument[0]', 'ReturnValue', 'taint']
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: barrierModel
+    data:
+      - ['SQLite3::Database!', 'Method[quote].ReturnValue', 'sql-injection']

ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.qll

@@ -76,26 +76,4 @@ module Sqlite3 {
 
     override DataFlow::Node getSql() { result = this.getArgument(0) }
   }
-
-  /**
-   * A call to `SQLite3::Database.quote`, considered as a sanitizer for SQL statements.
-   */
-  private class SQLite3QuoteSanitization extends SqlSanitization {
-    SQLite3QuoteSanitization() {
-      this = API::getTopLevelMember("SQLite3").getMember("Database").getAMethodCall("quote")
-    }
-  }
-
-  /**
-   * Flow summary for `SQLite3::Database.quote()`.
-   */
-  private class QuoteSummary extends SummarizedCallable::Range {
-    QuoteSummary() { this = "SQLite3::Database.quote()" }
-
-    override MethodCall getACall() { result = any(SQLite3QuoteSanitization c).asExpr().getExpr() }
-
-    override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
-    }
-  }
 }

ruby/ql/lib/codeql/ruby/frameworks/stdlib/Shellwords.model.yml

@@ -0,0 +1,12 @@
+extensions:
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: summaryModel
+    data:
+      - ['Shellwords!', 'Method[escape,shellescape]', 'Argument[0]', 'ReturnValue', 'taint']
+
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: barrierModel
+    data:
+      - ['Shellwords!', 'Method[escape,shellescape].ReturnValue', 'command-injection']

ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll

@@ -118,4 +118,8 @@ module CodeInjection {
   private class ExternalCodeInjectionSink extends Sink {
     ExternalCodeInjectionSink() { ModelOutput::sinkNode(this, "code-injection") }
   }
+
+  private class ExternalCodeInjectionSanitizer extends Sanitizer {
+    ExternalCodeInjectionSanitizer() { ModelOutput::barrierNode(this, "code-injection") }
+  }
 }

ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll

@@ -43,18 +43,20 @@ module CommandInjection {
   }
 
   /**
-   * A call to `Shellwords.escape` or `Shellwords.shellescape` sanitizes its input.
+   * A call to `String#shellescape` sanitizes its input.
    */
   class ShellwordsEscapeAsSanitizer extends Sanitizer {
     ShellwordsEscapeAsSanitizer() {
-      this = API::getTopLevelMember("Shellwords").getAMethodCall(["escape", "shellescape"])
-      or
-      // The method is also added as `String#shellescape`.
+      // The `Shellwords.shellescape` method is also added as `String#shellescape`.
       this.(DataFlow::CallNode).getMethodName() = "shellescape"
     }
   }
 
   private class ExternalCommandInjectionSink extends Sink {
     ExternalCommandInjectionSink() { ModelOutput::sinkNode(this, "command-injection") }
   }
+
+  private class ExternalCommandInjectionSanitizer extends Sanitizer {
+    ExternalCommandInjectionSanitizer() { ModelOutput::barrierNode(this, "command-injection") }
+  }
 }

ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll

@@ -67,6 +67,10 @@ class HtmlEscapingAsSanitizer extends Sanitizer {
   HtmlEscapingAsSanitizer() { this = any(HtmlEscaping esc).getOutput() }
 }
 
+private class ExternalLogInjectionSanitizer extends Sanitizer {
+  ExternalLogInjectionSanitizer() { ModelOutput::barrierNode(this, "log-injection") }
+}
+
 private module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }