Fix bad join

github · Apr 3, 2024 · 3c96bf6 · 3c96bf6
1 parent fb19288
commit 3c96bf6
Showing 1 changed file with 21 additions and 21 deletions.
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
@@ -797,30 +797,30 @@ class ActiveRecordScopeCallTarget extends AdditionalCallTarget {
 private module MassAssignmentSinks {
   private import codeql.ruby.security.MassAssignmentCustomizations
 
+  pragma[nomagic]
+  private predicate massAssignmentCall(DataFlow::CallNode call, string name) {
+    call = activeRecordBaseClass().getAMethodCall(name)
+    or
+    call instanceof ActiveRecordInstanceMethodCall and
+    call.getMethodName() = name
+  }
+
   /** A call to a method that sets attributes of an database record using a hash. */
   private class MassAssignmentCall extends MassAssignment::Sink {
     MassAssignmentCall() {
-      exists(DataFlow::CallNode call, string name |
-        (
-          call = activeRecordBaseClass().getAMethodCall(name)
-          or
-          call instanceof ActiveRecordInstanceMethodCall and
-          call.getMethodName() = name
-        ) and
-        (
-          name =
-            [
-              "build", "create", "create!", "create_with", "create_or_find_by",
-              "create_or_find_by!", "find_or_create_by", "find_or_create_by!",
-              "find_or_initialize_by", "insert", "insert!", "insert_all", "insert_all!",
-              "instantiate", "new", "update", "update!", "upsert", "upsert_all"
-            ] and
-          this = call.getArgument(0)
-          or
-          // These methods have an optional first id parameter.
-          name = ["update", "update!"] and
-          this = call.getArgument(1)
-        )
+      exists(DataFlow::CallNode call, string name | massAssignmentCall(call, name) |
+        name =
+          [
+            "build", "create", "create!", "create_with", "create_or_find_by", "create_or_find_by!",
+            "find_or_create_by", "find_or_create_by!", "find_or_initialize_by", "insert", "insert!",
+            "insert_all", "insert_all!", "instantiate", "new", "update", "update!", "upsert",
+            "upsert_all"
+          ] and
+        this = call.getArgument(0)
+        or
+        // These methods have an optional first id parameter.
+        name = ["update", "update!"] and
+        this = call.getArgument(1)
       )
     }
   }