Ruby: Add support for Grape Framework#20427
Pull Request Overview
This pull request introduces comprehensive CodeQL modeling support for the Ruby Grape API framework. The implementation identifies Grape API classes, their endpoints, and various sources of user input including parameters, headers, cookies, route parameters, and request objects.
Key changes:
- New `Grape.qll` library with classes to model Grape API structure and taint sources
- Framework integration by importing Grape in the main Ruby frameworks library
- Comprehensive test coverage with vulnerability detection validation
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| ruby/ql/lib/codeql/ruby/frameworks/Grape.qll | Core Grape framework modeling with API class detection and taint source definitions |
| ruby/ql/lib/codeql/ruby/Frameworks.qll | Integration of Grape framework into main Ruby frameworks library |
| ruby/ql/test/library-tests/frameworks/grape/Grape.ql | Query predicates for testing Grape framework modeling |
| ruby/ql/test/library-tests/frameworks/grape/app.rb | Test application demonstrating various Grape API patterns |
| ruby/ql/test/library-tests/frameworks/grape/Grape.expected | Expected test results for Grape framework modeling |
| ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb | Additional vulnerability test cases using Grape taint sources |
| ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected | Updated expected results including Grape-based SQL injection detection |
| ruby/ql/lib/change-notes/2025-09-15-grape-framework-support.md | Release notes documenting the new Grape framework support |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
… ruby-framework-grape
- added unit tests for flow using inline format
- removed grape from Arel tests (temporary)
hvitved
left a comment
Thanks a lot for the contribution.
…o a simplified GrapeHelperMethodTarget extends AdditionalCallTarget
- should not impact extracted application code
…ity; add getHelperSelf method to retrieve self parameter in helpers block.
…method call checks
…erse dataflow instead of AST - add tests to check for nested helpers
…ce calls for headers, request, route_param, and cookies
Same, appreciate the extreme review detail and code contributions to guide me in the right direction! All changes have been applied and tests to add/update coverage have been confirmed. Please re-review when you get a moment @hvitved
hvitved
left a comment
LGTM, but we need to commit ruby/ql/test/library-tests/frameworks/grape/CONSISTENCY/VariablesConsistency.expected as well. It can be generated via
codeql test run ruby/ql/test/library-tests/frameworks/grape --consistency-queries ruby/ql/consistency-queries --learn
I have also started a final DCA run.
Looks good now!
This pull request adds modeling support for the Grape Ruby API framework to the CodeQL library. It introduces a new `Grape.qll` library that models Grape API classes, endpoints, and sources of user input such as parameters, headers, cookies, and route parameters. The changes are validated with new framework and vulnerability tests and expected outputs, and Grape is now imported in the main Ruby frameworks library.
Vulnerable tests verified: https://github.com/vulna-felickz/ruby-grape-sqli/blob/main/app/api/potato_api.rb
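As an added illustration, not code from this PR or from the CodeQL repository: a Ruby file that exercises the kinds of user input the new Grape model treats as taint sources (`params`, `headers`, `cookies`, `route_param` and the request object) on a small constructed stand-in for the Grape route DSL, so it runs without the grape gem. `MiniGrape`, `PotatoAPI` and its routes are made up for this example. It puts the string-interpolated query that the SQL injection tests flag (CWE-089) next to the bind-parameter form in which the same sources never reach the SQL text.

```ruby
# Added example, not from the PR. MiniGrape is a constructed stand-in for the
# Grape DSL that reproduces only the surface the CodeQL model treats as
# user-input sources: params, headers, cookies, route_param and request.
module MiniGrape
  # Everything carried on the request is attacker-controlled.
  Request = Struct.new(:params, :headers, :cookies, :route_params, :body)

  # The object that is `self` inside a route block, like Grape's endpoint.
  class Endpoint
    attr_reader :request

    def initialize(request)
      @request = request
    end

    def params
      request.params
    end

    def headers
      request.headers
    end

    def cookies
      request.cookies
    end

    def route_param(name)
      request.route_params.fetch(name)
    end
  end

  class API
    def self.routes
      @routes ||= {}
    end

    # get "/path" do ... end registers the block, like Grape's route DSL.
    def self.get(path, &block)
      routes[[:get, path]] = block
    end

    # Dispatch: run the registered block with an Endpoint as self.
    def self.call(method, path, request)
      Endpoint.new(request).instance_exec(&routes.fetch([method, path]))
    end
  end
end

# Constructed API in the shape of the PR's test application.
class PotatoAPI < MiniGrape::API
  # VULNERABLE: route_param and params are sources in the Grape model, and
  # interpolating them into SQL is the flow the SqlInjection tests report.
  get "/unsafe/:id" do
    id = route_param(:id)
    name = params["name"]
    "SELECT * FROM potatoes WHERE id = '#{id}' AND name = '#{name}'"
  end

  # HARDENED: same sources, but the values travel as bind parameters and the
  # SQL text stays constant. Returned as [sql, binds] as an adapter would see it.
  get "/safe/:id" do
    ["SELECT * FROM potatoes WHERE id = ? AND name = ?",
     [route_param(:id), params["name"]]]
  end

  # The remaining sources the model adds: headers, cookies and the request
  # object (its body is a plain string in this stand-in).
  get "/audit" do
    result = { agent: headers["User-Agent"], session: cookies["session"], body: request.body }
    result
  end
end
```

Running `PotatoAPI.call(:get, "/unsafe/:id", req)` with a constructed request whose `name` parameter is `x' OR '1'='1` shows the quote-breaking payload spliced into the query text, while the `/safe/:id` route returns the unchanged SQL with the raw value in the binds array, which is the difference the model lets the query distinguish.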
