Improve Mysql2 test

owen-mc · owen-mc · commit fc429c175799 · 2026-02-17T22:27:00.000Z
diff --git a/ruby/ql/test/library-tests/frameworks/mysql2/Mysql2.rb b/ruby/ql/test/library-tests/frameworks/mysql2/Mysql2.rb
@@ -1,6 +1,6 @@
 class UsersController < ActionController::Base
   def mysql2_handler(event:, context:)
-    name = params[:user_name]
+    name = params[:user_name] # $ Source[rb/sql-injection]
 
     conn = Mysql2::Client.new(
         host: "127.0.0.1",
@@ -10,7 +10,7 @@ def mysql2_handler(event:, context:)
     results1 = conn.query("SELECT * FROM users")
 
     # BAD: SQL statement constructed from user input
-    results2 = conn.query("SELECT * FROM users WHERE username='#{name}'")
+    results2 = conn.query("SELECT * FROM users WHERE username='#{name}'") # $ Alert[rb/sql-injection]
 
     # GOOD: user input is escaped
     escaped = Mysql2::Client.escape(name)
@@ -21,10 +21,10 @@ def mysql2_handler(event:, context:)
     results4 = statement1.execute(1, name, :as => :array)
 
     # BAD: SQL statement constructed from user input
-    statement2 = conn.prepare("SELECT * FROM users WHERE username='#{name}' AND password = ?")
+    statement2 = conn.prepare("SELECT * FROM users WHERE username='#{name}' AND password = ?") # $ Alert[rb/sql-injection]
     results4 = statement2.execute("password", :as => :array)
 
     # NOT EXECUTED
     statement3 = conn.prepare("SELECT * FROM users WHERE username = ?")
   end
-end
+end
diff --git a/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.expected b/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.expected
@@ -0,0 +1,15 @@
+#select
+| Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | This SQL query depends on a $@. | Mysql2.rb:3:12:3:17 | call to params | user-provided value |
+| Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | This SQL query depends on a $@. | Mysql2.rb:3:12:3:17 | call to params | user-provided value |
+edges
+| Mysql2.rb:3:5:3:8 | name | Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | provenance | AdditionalTaintStep |
+| Mysql2.rb:3:5:3:8 | name | Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | provenance | AdditionalTaintStep |
+| Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:3:12:3:29 | ...[...] | provenance |  |
+| Mysql2.rb:3:12:3:29 | ...[...] | Mysql2.rb:3:5:3:8 | name | provenance |  |
+nodes
+| Mysql2.rb:3:5:3:8 | name | semmle.label | name |
+| Mysql2.rb:3:12:3:17 | call to params | semmle.label | call to params |
+| Mysql2.rb:3:12:3:29 | ...[...] | semmle.label | ...[...] |
+| Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | semmle.label | "SELECT * FROM users WHERE use..." |
+| Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | semmle.label | "SELECT * FROM users WHERE use..." |
+subpaths
diff --git a/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.qlref b/ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.qlref
@@ -0,0 +1,4 @@
+query: queries/security/cwe-089/SqlInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
