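--- a/ruby/ql/src/experimental/weak-params
+++ b/ruby/ql/src/experimental/weak-params
@@ -38,21 +38,16 @@ class ActionControllerRequest extends DataFlow::Node {
 class WeakParams extends DataFlow:: CallNode {
  WeakParams ( ) {
  this .getReceiver ( ) instanceof ActionControllerRequest and
- allParamsAccess ( this .asExpr ( ) .getExpr ( ) )
+ (
+ this .getMethodName ( ) = "path_parametes" or
+ this .getMethodName ( ) = "query_parameters" or
+ this .getMethodName ( ) = "request_parameters" or
+ this .getMethodName ( ) = "GET" or
+ this .getMethodName ( ) = "POST"
+ )
  }
 }
 
- /**
- * Holds call to a method that exposes or accesses all parameters from an inbound HTTP request
- */
- predicate allParamsAccess ( MethodCall call ) {
- call .getMethodName ( ) = "path_parametes" or
- call .getMethodName ( ) = "query_parameters" or
- call .getMethodName ( ) = "request_parameters" or
- call .getMethodName ( ) = "GET" or
- call .getMethodName ( ) = "POST"
- }
-
 /**
  * A Taint tracking config where the source is a weak params access in a controller and the sink
  * is a method call of a model class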
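Review bot: The first alternative of the new disjunction in the `WeakParams` characteristic predicate keeps the misspelling `"path_parametes"`, so calls to Rails' `request.path_parameters` never become sources and the query silently misses that accessor; the line should read `this.getMethodName() = "path_parameters" or`. The commit also drops the QLDoc that explained the old predicate ("Holds call to a method that exposes or accesses all parameters from an inbound HTTP request") without moving it, so `WeakParams` is now undocumented; that sentence belongs above the class as its QLDoc. As a matter of style, the five-way `or` chain on the same receiver reads more clearly as a set-literal comparison, `this.getMethodName() = ["path_parameters", "query_parameters", "request_parameters", "GET", "POST"]`. The `ActionControllerRequest` class named in the hunk header starts outside the hunk.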