Ruby: Exclude calls with arguments from OrmFieldAsSource

github · Mar 7, 2024 · 85782ff · 85782ff
1 parent 67612e6
commit 85782ff
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/ruby/ql/lib/codeql/ruby/security/XSS.qll b/ruby/ql/lib/codeql/ruby/security/XSS.qll
@@ -324,7 +324,9 @@ module StoredXss {
     OrmFieldAsSource() {
       exists(DataFlow::CallNode subSrc |
         OrmTracking::flow(subSrc, this.getReceiver()) and
-        subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName())
+        subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName()) and
+        this.getNumberOfArguments() = 0 and
+        not exists(this.getBlock())
       )
     }
   }