diff --git a/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql b/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql index 12f9fb0a0117..64e30674506f 100644 --- a/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql +++ b/ruby/ql/src/experimental/cwe-807/ConditionalBypass.ql @@ -28,40 +28,6 @@ predicate flowsToGuardExpr(DataFlow::Node nd, SensitiveActionGuardConditional gu exists(DataFlow::Node succ | localFlowStep(nd, succ) | flowsToGuardExpr(succ, guard)) } -/** - * A comparison that guards a sensitive action, e.g. the comparison in: - * ```rb - * ok = x == y - * if ok - * login - * end - * ``` - */ -class SensitiveActionGuardComparison extends ComparisonOperation { - SensitiveActionGuardConditional guard; - - SensitiveActionGuardComparison() { - exists(DataFlow::Node node | this = node.asExpr().getExpr() | flowsToGuardExpr(node, guard)) - } - - /** - * Gets the guard that uses this comparison. - */ - SensitiveActionGuardConditional getGuard() { result = guard } -} - -/** - * An intermediary sink to enable reuse of the taint configuration. - * This sink should not be presented to the client of this query. - */ -class SensitiveActionGuardComparisonOperand extends Sink { - SensitiveActionGuardComparison comparison; - - SensitiveActionGuardComparisonOperand() { this.asExpr().getExpr() = comparison.getAnOperand() } - - override SensitiveAction getAction() { result = comparison.getGuard().getAction() } -} - /** * Holds if `sink` guards `action`, and `source` taints `sink`. * @@ -73,8 +39,6 @@ predicate isTaintedGuardForSensitiveAction( SensitiveAction action ) { action = sink.getNode().(Sink).getAction() and - // exclude the intermediary sink - not sink.getNode() instanceof SensitiveActionGuardComparisonOperand and ConditionalBypassFlow::flowPath(source, sink) } diff --git a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected index 897e8276049f..f5b786d45a84 100644 --- a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected +++ b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected @@ -5,7 +5,6 @@ edges | ConditionalBypass.rb:14:14:14:19 | call to params | ConditionalBypass.rb:14:14:14:27 | ...[...] | provenance | | | ConditionalBypass.rb:25:5:25:5 | p | ConditionalBypass.rb:27:8:27:8 | p | provenance | | | ConditionalBypass.rb:25:10:25:15 | call to params | ConditionalBypass.rb:25:10:25:22 | ...[...] | provenance | | -| ConditionalBypass.rb:25:10:25:15 | call to params | ConditionalBypass.rb:25:10:25:22 | ...[...] | provenance | | | ConditionalBypass.rb:25:10:25:22 | ...[...] | ConditionalBypass.rb:25:5:25:5 | p | provenance | | nodes | ConditionalBypass.rb:3:5:3:9 | check | semmle.label | check | @@ -17,7 +16,6 @@ nodes | ConditionalBypass.rb:25:5:25:5 | p | semmle.label | p | | ConditionalBypass.rb:25:10:25:15 | call to params | semmle.label | call to params | | ConditionalBypass.rb:25:10:25:22 | ...[...] | semmle.label | ...[...] | -| ConditionalBypass.rb:25:10:25:22 | ...[...] | semmle.label | ...[...] | | ConditionalBypass.rb:27:8:27:8 | p | semmle.label | p | subpaths #select