Reinstate SQLite3 sanitizer in MaD

owen-mc · owen-mc · commit 4aee99f0ebe2 · 2026-02-17T22:27:08.000Z
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.model.yml b/ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.model.yml
@@ -4,3 +4,8 @@ extensions:
       extensible: summaryModel
     data:
       - ['SQLite3::Database!', 'Method[quote]', 'Argument[0]', 'ReturnValue', 'taint']
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: barrierModel
+    data:
+      - ['SQLite3::Database!', 'Method[quote].ReturnValue', 'sql-injection']
diff --git a/ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.expected b/ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.expected
@@ -1,25 +1,12 @@
 #select
 | sqlite3.rb:29:16:29:67 | "select * from table where cat..." | sqlite3.rb:25:16:25:21 | call to params | sqlite3.rb:29:16:29:67 | "select * from table where cat..." | This SQL query depends on a $@. | sqlite3.rb:25:16:25:21 | call to params | user-provided value |
-| sqlite3.rb:33:16:33:77 | "select * from table where cat..." | sqlite3.rb:25:16:25:21 | call to params | sqlite3.rb:33:16:33:77 | "select * from table where cat..." | This SQL query depends on a $@. | sqlite3.rb:25:16:25:21 | call to params | user-provided value |
 edges
 | sqlite3.rb:25:5:25:12 | category | sqlite3.rb:29:16:29:67 | "select * from table where cat..." | provenance | AdditionalTaintStep |
-| sqlite3.rb:25:5:25:12 | category | sqlite3.rb:32:50:32:57 | category | provenance |  |
 | sqlite3.rb:25:16:25:21 | call to params | sqlite3.rb:25:16:25:32 | ...[...] | provenance |  |
 | sqlite3.rb:25:16:25:32 | ...[...] | sqlite3.rb:25:5:25:12 | category | provenance |  |
-| sqlite3.rb:32:5:32:22 | sanitized_category | sqlite3.rb:33:16:33:77 | "select * from table where cat..." | provenance | AdditionalTaintStep |
-| sqlite3.rb:32:26:32:58 | call to quote | sqlite3.rb:32:5:32:22 | sanitized_category | provenance |  |
-| sqlite3.rb:32:50:32:57 | category | sqlite3.rb:32:26:32:58 | call to quote | provenance | MaD:1 |
-models
-| 1 | Summary: SQLite3::Database!; Method[quote]; Argument[0]; ReturnValue; taint |
 nodes
 | sqlite3.rb:25:5:25:12 | category | semmle.label | category |
 | sqlite3.rb:25:16:25:21 | call to params | semmle.label | call to params |
 | sqlite3.rb:25:16:25:32 | ...[...] | semmle.label | ...[...] |
 | sqlite3.rb:29:16:29:67 | "select * from table where cat..." | semmle.label | "select * from table where cat..." |
-| sqlite3.rb:32:5:32:22 | sanitized_category | semmle.label | sanitized_category |
-| sqlite3.rb:32:26:32:58 | call to quote | semmle.label | call to quote |
-| sqlite3.rb:32:50:32:57 | category | semmle.label | category |
-| sqlite3.rb:33:16:33:77 | "select * from table where cat..." | semmle.label | "select * from table where cat..." |
 subpaths
-testFailures
-| sqlite3.rb:33:16:33:77 | "select * from table where cat..." | Unexpected result: Alert |
