CodeQL library for Ruby
codeql/ruby-all 5.2.2 (changelog, source)
Index
Search

Module LogInjectionQuery

Provides a taint-tracking configuration for reasoning about untrusted user input used in log entries.

Import path

import codeql.ruby.security.LogInjectionQuery

Imports

AST
Concepts

Provides abstract classes representing generic concepts such as file system access or system command execution, for which individual framework libraries provide concrete subclasses.

Core

Provides modeling for the Ruby core libraries.

DataFlow

Provides classes for performing local (intra-procedural) and global (inter-procedural) data flow analyses.

RemoteFlowSources

Provides an extension point for modeling user-controlled data. Such data is often used as data-flow sources in security queries.

TaintTracking

Classes

HtmlEscapingAsSanitizer

A call to an HTML escape method is considered to sanitize its input.

InspectSanitizer

A call to Object#inspect, considered as a sanitizer. This is because inspect will replace newlines in strings with \n.

LoggingSink

An input to a logging mechanism.

RemoteSource

A source of remote user controlled input.

Sanitizer

A sanitizer for malicious user input used in log entries.

Sink

A data flow sink for user input used in log entries.

Source

A data flow source for user input used in log entries.

StringReplaceSanitizer

A call to String#replace that replaces \n is considered to sanitize the replaced string (reduce false positive).

Aliases

LogInjectionFlow

Taint-tracking for untrusted user input used in log entries.