Skip to content

Fix #19294, Ruby NetHttpRequest improvements #20101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Fix #19294, Ruby NetHttpRequest improvements #20101

wants to merge 3 commits into from
+40 −4

Conversation

mschwager
Copy link

This PR makes 3 improvements to the NetHttpRequest class:

@mschwager mschwager requested a review from a team as a code owner July 21, 2025 19:21
@github-actions github-actions bot added the Ruby label Jul 21, 2025
mschwager
mschwager commented Jul 21, 2025
View reviewed changes
ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
Comment on lines +20 to +24
*
* # connection re-use
* Net::HTTP.start("http://example.com") do |http|
* http.get("/")
* end
Copy link
Author

@mschwager mschwager Jul 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that technically Net::HTTP.new does not open/reuse connections/sessions: https://docs.ruby-lang.org/en/master/Net/HTTP.html#method-c-new

ruby/ql/test/library-tests/frameworks/http_clients/NetHttp.rb
Comment on lines +31 to +33
http = Net::HTTP.new("https://example.com")
root_get = Net::HTTP::Get.new("/")
http.request(root_get)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This case was already detected without the above code modifications, but I wanted to make sure that request objects are also detected correctly.

hvitved
hvitved requested changes Aug 4, 2025
View reviewed changes
Copy link
Contributor

@hvitved hvitved left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for your contribution; changes look good to me, only minor changes needed.

ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
@@ -12,15 +12,22 @@ private import codeql.ruby.DataFlow
/**
* A `Net::HTTP` call which initiates an HTTP request.
* ```ruby
* # one-off request
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file needs to be auto-formatted, using codeql query format --in-place NetHttp.qll.

ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
@@ -30,20 +37,27 @@ class NetHttpRequest extends Http::Client::Request::Range instanceof DataFlow::C
|
// Net::HTTP.get(...)
method in ["get", "get_response"] and
requestNode = API::getTopLevelMember("Net").getMember("HTTP").getReturn(method) and
connectionNode = API::getTopLevelMember("Net").getMember("HTTP") and
requestNode = connectionNode.getReturn(method) and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can move requestNode = connectionNode.getReturn(method) up after line 36, and then remove the three duplicated lines.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hvitved hvitved hvitved requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
documentation Ruby
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mschwager @hvitved