Skip to content

Ruby: Accept MaD sanitizers for queries with MaD sinks and convert some existing sanitizers#21341

Open
owen-mc wants to merge 16 commits intogithub:mainfrom
owen-mc:rb/accept-mad-sanitizers
Open

Ruby: Accept MaD sanitizers for queries with MaD sinks and convert some existing sanitizers#21341
owen-mc wants to merge 16 commits intogithub:mainfrom
owen-mc:rb/accept-mad-sanitizers

Conversation

@owen-mc
Copy link
Contributor

@owen-mc owen-mc commented Feb 17, 2026

Note that in the process of converting Shellwords.escape and Shellwords.shellescape, I have added a summary model for them as well as a command injection sanitizer, so as an upshot they will now propagate taint for all other queries.

owen-mc added 13 commits February 17, 2026 12:48
@owen-mc
Accept MaD sanitizers for queries with MaD sinks
3dc465f
@owen-mc
Change how sql-injection barriers are accepted
1d7a39a
@owen-mc
Improve Mysql2 test
fc429c1
@owen-mc
Move Mysql2 flow model to MaD and remove ql sanitizer
3e4f42f
@owen-mc
Reinstate Mysql2 sanitizer in MaD
d4bb92b
@owen-mc
Improve Sqlite3 test
1fa183e
@owen-mc
Move SQLite3 flow model to MaD and remove ql sanitizer
5df695b
@owen-mc
Reinstate SQLite3 sanitizer in MaD
4aee99f
@owen-mc
Remove Shellwords sanitizer in ql
6294c3b 
Note that some sanitizers had no effect because flow through those functions wasn't modeled.
@owen-mc
Model flow through Shellwords escape and shellescape
b3681f7
@owen-mc
Add MaD barriers for Shellwords.escape and shellescape
de5470a 
Note that this will only block flow for queries that use the kind `command-injection`.
@owen-mc
Reinstate ql model for String#shellescape
eb7f198
@owen-mc
Add change note
1bff7a3
Copilot AI review requested due to automatic review settings February 17, 2026 22:32
@owen-mc owen-mc requested a review from a team as a code owner February 17, 2026 22:32
Copilot AI reviewed Feb 17, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enables Ruby security queries to accept MaD (Models as Data) sanitizers and converts several existing QL-based sanitizers to MaD models. The change improves consistency across the codebase and enables better reuse of sanitizer models. As a side benefit, Shellwords.escape and Shellwords.shellescape now propagate taint for all queries except command injection (where they act as sanitizers).

Changes:

  • Added ExternalXXXSanitizer classes to six security query customization files to accept MaD barrier models
  • Converted three existing sanitizers (SQLite3::Database.quote, Mysql2::Client.escape, and Shellwords.escape/shellescape) from QL code to MaD models
  • Updated tests for sqlite3 and mysql2 frameworks with proper inline expectations and SQL injection query references

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated no comments.

Show a summary per file
File Description
ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll Added ExternalUrlRedirectSanitizer to accept MaD barrier models for url-redirection
ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryCustomizations.qll Added ExternalRequestForgerySanitizer to accept MaD barrier models for request-forgery
ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll Added ExternalPathInjectionSanitizer to accept MaD barrier models for path-injection
ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll Added ExternalLogInjectionSanitizer to accept MaD barrier models for log-injection
ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll Added ExternalCommandInjectionSanitizer; updated ShellwordsEscapeAsSanitizer to only handle String#shellescape instance method
ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll Added ExternalCodeInjectionSanitizer to accept MaD barrier models for code-injection
ruby/ql/lib/codeql/ruby/Concepts.qll Added ExternalSqlInjectionSanitizer to accept MaD barrier models for sql-injection; added import for ApiGraphModels
ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.qll Removed SQLite3QuoteSanitization class and QuoteSummary; now handled by MaD model
ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.model.yml Created MaD model with summary (taint flow) and barrier (sql-injection) for SQLite3::Database.quote
ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll Removed Mysql2EscapeSanitization class and EscapeSummary; now handled by MaD model
ruby/ql/lib/codeql/ruby/frameworks/Mysql2.model.yml Created MaD model with summary (taint flow) and barrier (sql-injection) for Mysql2::Client.escape
ruby/ql/lib/codeql/ruby/frameworks/stdlib/Shellwords.model.yml Created MaD model with summary (taint flow) and barrier (command-injection) for Shellwords.escape and shellescape
ruby/ql/test/library-tests/frameworks/sqlite3/sqlite3.rb Updated test with ActionController example demonstrating SQLite3::Database.quote as sanitizer
ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.qlref Created query reference file for SqlInjection test
ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.expected Generated expected results showing SQL injection detection and proper sanitization
ruby/ql/test/library-tests/frameworks/mysql2/Mysql2.rb Added inline expectations for SQL injection sources and alerts
ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.qlref Created query reference file for SqlInjection test
ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.expected Generated expected results showing SQL injection detection with Mysql2::Client.escape as sanitizer
ruby/ql/lib/change-notes/2026-02-17-flow-through-shellwords-escape-shellescape.md Documented that taint now flows through Shellwords.escape/shellescape for all queries except command injection

hvitved
hvitved requested changes Feb 18, 2026
View reviewed changes
Copy link
Contributor

@hvitved hvitved left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some tests are failing, otherwise LGTM. Also, remember to run DCA.

@owen-mc
Update other test in same folder
f577e97
@owen-mc
Update taintstep test for models becoming MaD
05d681f
@owen-mc
Use postprocessing queries for unrelated test
1d6b8c5 
Need to do this because the model numbering was changing. At the same
time we may as well use inline expectations.
@owen-mc
Copy link
Contributor Author

owen-mc commented Feb 19, 2026

Test results updated. DCA run. I haven't interpreted Ruby DCA runs before - the average analysis time looks fine, but there's quite a bit of spread, and I don't know if that's normal or not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@hvitved hvitved hvitved requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

documentation Ruby

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@owen-mc @hvitved

Comments