Ruby scanning not working in JS version of Semgrep VSCode Extension #138

Open · Label: bug (Something isn't working)
skeymeulen opened this issue May 17, 2024 · 7 comments

@skeymeulen (Author)
Detection of issues in Ruby files is not working when running the JS version of the extension. This occurs both when running the extension on Mac in JS mode and when using the extension on Windows.

Extension version: v1.7.1

Expected behaviour: Scanning a Ruby file should detect the same issues in JS and non-JS mode.
Current behaviour: No issues are being detected in Ruby files when running in JS mode.

How to reproduce
Create a file index.rb with the following content:

```ruby
require 'active_record'
require 'models/restaurant'

def show(event:, context:)
  ActiveRecord::Base.establish_connection(
    adapter: 'mysql2',
    host: ENV['RDS_HOST'],
    username: ENV['RDS_USERNAME'],
    password: ENV['RDS_PASSWORD'],
    database: ENV['RDS_DATABASE']
  )

  # Lambda event data is formatted straight into the SQL string.
  query = "SELECT * FROM customers INNER JOIN orders ON customers.id = %{id}" % {id: event["id"]}
  # ruleid: activerecord-sqli
  result = Platform.find_by_sql(query)

  # ok: activerecord-sqli
  result2 = Smth.find_by_sql("SELECT * FROM customers INNER JOIN orders ON customers.id = %{id}", {id: event["id"]})

  {
    body: [result, result2]
  }
end
```

When running in non-JS mode, an issue is detected on line 13 (ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string).
When switching to JS mode using the Semgrep: Use JS extension setting or when running on Windows, no issues are being detected.

In the Semgrep Output window, I can see an error that I expect is causing the issue:

found 0 matches, 1 errors

there were 0 skipped targets

Semgrep errors: Failure("Pattern parse error")

Testing on different Ruby files with different rulesets still results in this same error.
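For readers who want to see what kind of rule produces the finding on line 13 of the repro (the line where the SQL string is built, not the find_by_sql call), the following is an added, hypothetical Semgrep taint-mode rule. It is not the registry rule ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string, nor code from the extension; the rule id, message and the Integer(...) sanitizer are assumptions made for illustration. It treats the `event` keyword argument of a Lambda handler as the taint source and Ruby's `%` string formatting of a SQL literal as the sink, which is why the `# ruleid:` line matches (tainted hash formatted into the query) and the `# ok:` line does not (no `%` formatting, the literal and the hash are passed as separate arguments):

```yaml
rules:
  - id: example-lambda-event-to-sql-format-string   # assumed id, not the registry rule
    languages: [ruby]
    severity: ERROR
    message: >-
      Data from the Lambda `event` argument reaches a SQL string built with
      `%` formatting. Pass values as bind parameters instead of formatting
      them into the query text.
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
    mode: taint
    pattern-sources:
      # Only the `event` argument of a handler with the (event:, context:) signature is a source.
      - patterns:
          - pattern: event
          - pattern-inside: |
              def $HANDLER(event:, context:)
                ...
              end
    pattern-sanitizers:
      # Assumed sanitizer: coercing to Integer cannot yield SQL syntax.
      - pattern: Integer(...)
    pattern-sinks:
      # Sink: a SQL-looking string literal formatted with `%`; the finding is reported
      # on the formatting expression, i.e. the line where the query string is built.
      - patterns:
          - pattern: '"=~/(?i)(select|insert|update|delete)\s/" % $ARGS'
          - focus-metavariable: $ARGS
```

Save it as, for example, lambda-sql.yaml and run `semgrep --config lambda-sql.yaml index.rb` against the repro file; because the file already carries `# ruleid:` / `# ok:` annotations, `semgrep --test --config lambda-sql.yaml .` will also check that the rule fires on exactly the annotated line (after renaming the annotation ids to match the rule id). Running this on the command line exercises the native semgrep-core binary, which is the non-JS path the reporter says works; it does not reproduce the LSP.js pattern parse error described in this issue.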

@ajbt200128 (Contributor)

Thanks for the report! When we released LSP.js we did have some issues with Ruby, so we have a good idea of what this is. Let me see if there were any regressions.

@ajbt200128 (Contributor)

Looks like this is indeed a regression; will add to my todos to get to at some point.

@ajbt200128 (Contributor)

Ok, it's on our roadmap for sometime in the next month or two, as we have a major refactor we need to do before we can get to this.

@ajbt200128 (Contributor)

This should be fixed in 1.79.0 most likely!

@skeymeulen (Author)

Could you confirm this should be fixed, @ajbt200128? I retested with the latest version of the extension; I'm not seeing the error anymore, but I am also not seeing the expected result.

@ajbt200128 (Contributor)

Let me see if I can repro.

ajbt200128 added the bug label on Aug 28, 2024

@ajbt200128 (Contributor)

Yea, looks like this is a bug; will add it to the backlog, but not sure if we will be able to get to it anytime soon.
