From b74145349b96fad5a8374eef31f2e623a27a2ae7 Mon Sep 17 00:00:00 2001
From: Joe Farebrother
Date: Fri, 22 Mar 2024 12:34:14 +0000
Subject: [PATCH] Add test cases

---
 .../codeql/ruby/frameworks/ActiveRecord.qll | 6 +-
 .../security/cwe-915/MassAssignment.expected | 83 +++++++++++++++++--
 .../test/query-tests/security/cwe-915/test.rb | 26 ++++++
 3 files changed, 105 insertions(+), 10 deletions(-)

diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
index 69c65861990c..f7ae5570e93b 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
@@ -811,9 +811,9 @@ private module MassAssignmentSinks {
         name =
           [
             "build", "create", "create!", "create_with", "create_or_find_by",
-            "create_or_find_by!", "find_or_create_by", "find_or_create_by!", "insert", "insert!",
-            "insert_all", "insert_all!", "instantiate", "new", "update", "update!", "upsert",
-            "upsert_all"
+            "create_or_find_by!", "find_or_create_by", "find_or_create_by!",
+            "find_or_initialize_by", "insert", "insert!", "insert_all", "insert_all!",
+            "instantiate", "new", "update", "update!", "upsert", "upsert_all"
           ] and
         this = call.getArgument(0)
         or
diff --git a/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected b/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected
index 8e9984495d5c..a803f99d6a6e 100644
--- a/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected
+++ b/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected
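Review bot: The `name = [ ... ]` list at the top of the ActiveRecord.qll hunk is a hand-maintained enumeration with no comment stating the criterion for membership, which is how `find_or_initialize_by` came to be missing until this patch and how the next omission will happen. A short comment above `name =`, e.g. `// ActiveRecord class-level methods whose first argument is an attributes hash (or, for the *_all variants, an array of hashes)`, would let a maintainer check an entry against a rule rather than against memory. The `update(id, attributes)` form exercised by the new test (`User.update(7, user_params)`) is not matched by `this = call.getArgument(0)` on this branch, so it is presumably covered by a disjunct after the `or`; the comment should say where that second-argument form lives. The enclosing predicate starts and ends outside the hunk.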
@@ -1,12 +1,81 @@
 edges
-| test.rb:17:9:17:14 | call to params | test.rb:17:9:17:29 | call to require | provenance | |
-| test.rb:17:9:17:29 | call to require | test.rb:17:9:17:37 | call to permit! | provenance | |
-| test.rb:17:9:17:37 | call to permit! | test.rb:8:18:8:28 | call to user_params | provenance | |
+| test.rb:23:25:23:37 | call to [] [element 0] | test.rb:23:25:23:37 | call to [] | provenance | |
+| test.rb:23:26:23:36 | call to user_params | test.rb:23:25:23:37 | call to [] [element 0] | provenance | |
+| test.rb:24:26:24:38 | call to [] [element 0] | test.rb:24:26:24:38 | call to [] | provenance | |
+| test.rb:24:27:24:37 | call to user_params | test.rb:24:26:24:38 | call to [] [element 0] | provenance | |
+| test.rb:30:21:30:33 | call to [] [element 0] | test.rb:30:21:30:33 | call to [] | provenance | |
+| test.rb:30:22:30:32 | call to user_params | test.rb:30:21:30:33 | call to [] [element 0] | provenance | |
+| test.rb:43:9:43:14 | call to params | test.rb:43:9:43:29 | call to require | provenance | |
+| test.rb:43:9:43:29 | call to require | test.rb:43:9:43:37 | call to permit! | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:8:18:8:28 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:18:20:18:30 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:19:21:19:31 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:20:22:20:32 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:21:21:21:31 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:22:22:22:32 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:23:26:23:36 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:24:27:24:37 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:25:21:25:31 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:26:24:26:34 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:27:22:27:32 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:28:25:28:35 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:29:21:29:31 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:30:22:30:32 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:31:32:31:42 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:32:33:32:43 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:33:36:33:46 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:34:32:34:42 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:35:33:35:43 | call to user_params | provenance | |
+| test.rb:43:9:43:37 | call to permit! | test.rb:36:26:36:36 | call to user_params | provenance | |
 nodes
 | test.rb:8:18:8:28 | call to user_params | semmle.label | call to user_params |
-| test.rb:17:9:17:14 | call to params | semmle.label | call to params |
-| test.rb:17:9:17:29 | call to require | semmle.label | call to require |
-| test.rb:17:9:17:37 | call to permit! | semmle.label | call to permit! |
+| test.rb:18:20:18:30 | call to user_params | semmle.label | call to user_params |
+| test.rb:19:21:19:31 | call to user_params | semmle.label | call to user_params |
+| test.rb:20:22:20:32 | call to user_params | semmle.label | call to user_params |
+| test.rb:21:21:21:31 | call to user_params | semmle.label | call to user_params |
+| test.rb:22:22:22:32 | call to user_params | semmle.label | call to user_params |
+| test.rb:23:25:23:37 | call to [] | semmle.label | call to [] |
+| test.rb:23:25:23:37 | call to [] [element 0] | semmle.label | call to [] [element 0] |
+| test.rb:23:26:23:36 | call to user_params | semmle.label | call to user_params |
+| test.rb:24:26:24:38 | call to [] | semmle.label | call to [] |
+| test.rb:24:26:24:38 | call to [] [element 0] | semmle.label | call to [] [element 0] |
+| test.rb:24:27:24:37 | call to user_params | semmle.label | call to user_params |
+| test.rb:25:21:25:31 | call to user_params | semmle.label | call to user_params |
+| test.rb:26:24:26:34 | call to user_params | semmle.label | call to user_params |
+| test.rb:27:22:27:32 | call to user_params | semmle.label | call to user_params |
+| test.rb:28:25:28:35 | call to user_params | semmle.label | call to user_params |
+| test.rb:29:21:29:31 | call to user_params | semmle.label | call to user_params |
+| test.rb:30:21:30:33 | call to [] | semmle.label | call to [] |
+| test.rb:30:21:30:33 | call to [] [element 0] | semmle.label | call to [] [element 0] |
+| test.rb:30:22:30:32 | call to user_params | semmle.label | call to user_params |
+| test.rb:31:32:31:42 | call to user_params | semmle.label | call to user_params |
+| test.rb:32:33:32:43 | call to user_params | semmle.label | call to user_params |
+| test.rb:33:36:33:46 | call to user_params | semmle.label | call to user_params |
+| test.rb:34:32:34:42 | call to user_params | semmle.label | call to user_params |
+| test.rb:35:33:35:43 | call to user_params | semmle.label | call to user_params |
+| test.rb:36:26:36:36 | call to user_params | semmle.label | call to user_params |
+| test.rb:43:9:43:14 | call to params | semmle.label | call to params |
+| test.rb:43:9:43:29 | call to require | semmle.label | call to require |
+| test.rb:43:9:43:37 | call to permit! | semmle.label | call to permit! |
 subpaths
 #select
-| test.rb:8:18:8:28 | call to user_params | test.rb:17:9:17:14 | call to params | test.rb:8:18:8:28 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:17:9:17:14 | call to params | this remote flow source |
+| test.rb:8:18:8:28 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:8:18:8:28 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:18:20:18:30 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:18:20:18:30 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:19:21:19:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:19:21:19:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:20:22:20:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:20:22:20:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:21:21:21:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:21:21:21:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:22:22:22:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:22:22:22:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:23:25:23:37 | call to [] | test.rb:43:9:43:14 | call to params | test.rb:23:25:23:37 | call to [] | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:24:26:24:38 | call to [] | test.rb:43:9:43:14 | call to params | test.rb:24:26:24:38 | call to [] | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:25:21:25:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:25:21:25:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:26:24:26:34 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:26:24:26:34 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:27:22:27:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:27:22:27:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:28:25:28:35 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:28:25:28:35 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:29:21:29:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:29:21:29:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:30:21:30:33 | call to [] | test.rb:43:9:43:14 | call to params | test.rb:30:21:30:33 | call to [] | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:31:32:31:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:31:32:31:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:32:33:32:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:32:33:32:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:33:36:33:46 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:33:36:33:46 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:34:32:34:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:34:32:34:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:35:33:35:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:35:33:35:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
+| test.rb:36:26:36:36 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:36:26:36:36 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source |
diff --git a/ruby/ql/test/query-tests/security/cwe-915/test.rb b/ruby/ql/test/query-tests/security/cwe-915/test.rb
index 5dee931761dd..946425e99448 100644
--- a/ruby/ql/test/query-tests/security/cwe-915/test.rb
+++ b/ruby/ql/test/query-tests/security/cwe-915/test.rb
@@ -13,6 +13,32 @@ def create2
     User.new(params[:user].permit(:name,:address))
   end
 
+  def create3
+    # each BAD
+    User.build(user_params)
+    User.create(user_params)
+    User.create!(user_params)
+    User.insert(user_params)
+    User.insert!(user_params)
+    User.insert_all([user_params])
+    User.insert_all!([user_params])
+    User.update(user_params)
+    User.update(7, user_params)
+    User.update!(user_params)
+    User.update!(7, user_params)
+    User.upsert(user_params)
+    User.upsert([user_params])
+    User.find_or_create_by(user_params)
+    User.find_or_create_by!(user_params)
+    User.find_or_initialize_by(user_params)
+    User.create_or_find_by(user_params)
+    User.create_or_find_by!(user_params)
+    User.create_with(user_params)
+
+    user = User.where(name:"abc")
+    user.update(user_params)
+  end
+
   def user_params
     params.require(:user).permit!
   end
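Review bot: `create3` does not exercise every entry of the sink list the same patch extends: `instantiate`, `upsert_all` and an unsafe `new` have no BAD case here (the only `User.new` is in `create2` with `permit(:name,:address)`, and that line does not appear in the expected results), so a regression on those entries would pass this test unnoticed. Add `User.instantiate(user_params)`, `User.upsert_all([user_params])` and `User.new(user_params)` under `# each BAD` and regenerate MassAssignment.expected. A single GOOD case calling one of the newly exercised methods with `params.require(:user).permit(:name)` would also confirm that the alert is driven by the `permit!` source and not by the method name alone, which I infer but cannot see from this hunk. The `# each BAD` comment should mention that the trailing `user.update(user_params)` on a `where` relation is included deliberately as a different receiver shape from the class-level calls above it.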