Merge pull request #15847 from hvitved/ruby/orm-field-as-source-no-args

Ruby: Exclude calls with arguments from `OrmFieldAsSource`
github · Mar 8, 2024 · 9ee2314 · 9ee2314
2 parents 7c35309 + 85782ff
commit 9ee2314
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/ruby/ql/lib/codeql/ruby/security/XSS.qll b/ruby/ql/lib/codeql/ruby/security/XSS.qll
@@ -324,7 +324,9 @@ module StoredXss {
     OrmFieldAsSource() {
       exists(DataFlow::CallNode subSrc |
         OrmTracking::flow(subSrc, this.getReceiver()) and
-        subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName())
+        subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName()) and
+        this.getNumberOfArguments() = 0 and
+        not exists(this.getBlock())
       )
     }
   }