From 98329daf5887c8debc5b8887bce142d7cf883e5d Mon Sep 17 00:00:00 2001
From: Syed Faraaz Ahmad
Date: Sat, 4 Nov 2023 08:12:12 +0530
Subject: [PATCH 1/2] feat: use hash as taint source
---
 lib/tainted/static.rb | 15 ++++++++++++---
 lib/tainted/version.rb | 2 +-
 spec/fixtures/params.rb | 9 +++++++++
 spec/lib/tainted/lint_spec.rb | 12 ++++++++++++
 4 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 spec/fixtures/params.rb
diff --git a/lib/tainted/static.rb b/lib/tainted/static.rb
index 32bf01e..6bb20bf 100644
--- a/lib/tainted/static.rb
+++ b/lib/tainted/static.rb
@@ -30,10 +30,17 @@ def visit(node)
 def parse_assign(node)
 variable_name = node.target.value.value
- # pp node.value.class
- return unless node.value.is_a?(SyntaxTree::CallNode)
- method_name = node.value.message.value
+ method_name =
+ case node.value
+ when SyntaxTree::CallNode
+ node.value.message.value
+ when SyntaxTree::ARef
+ # (aref (vcall (ident "")))
+ node.value.collection.value.value
+ end
+
+ return if method_name.nil?
 return unless @sources.include?(method_name&.to_sym)
 State.instance.var_dependencies[variable_name.to_sym][:tainted] = true
@@ -45,6 +52,8 @@ def parse_call(node)
 taint_statuses = arguments.map { |arg| [arg, taint_status(arg.value.value.to_sym)] }
+ pp State.instance.var_dependencies
+
 method_name = node.message.value
 return unless @sinks.include?(method_name.to_sym)
diff --git a/lib/tainted/version.rb b/lib/tainted/version.rb
index dfbd195..7f1e07d 100644
--- a/lib/tainted/version.rb
+++ b/lib/tainted/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Tainted
- VERSION = "0.1.0"
+ VERSION = "0.2.0"
 end
diff --git a/spec/fixtures/params.rb b/spec/fixtures/params.rb
new file mode 100644
index 0000000..ed57189
--- /dev/null
+++ b/spec/fixtures/params.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+a = params[:insecure]
+b = a + 1
+c = b + 2
+d = b + c
+
+sql = "select * from users where age = #{d};"
+execute(sql)
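Review bot: The new `SyntaxTree::ARef` branch in parse_assign reaches through `node.value.collection.value.value` on the assumption, recorded only in the terse `# (aref (vcall (ident "")))` comment, that the indexed collection is a bare identifier; for a nested or chained receiver such as `params[:user][:name]` or `request.params[:id]` the collection is an `ARef`/`CallNode` rather than a `VCall`, so that chain is likely to raise `NoMethodError` and abort the lint run on exactly the kind of input a taint checker is meant to inspect. Guard the branch on the node shape and let `nil` fall through to the new `return if method_name.nil?`: `when SyntaxTree::ARef` / `collection = node.value.collection` / `collection.value.value if collection.is_a?(SyntaxTree::VCall)`. Once that nil guard is in place, the safe navigation in `@sources.include?(method_name&.to_sym)` on the following context line is redundant and can become a plain `.to_sym`. I would also replace the s-expression comment with one that states the intent, e.g. `# params[:key] parses as ARef(collection: VCall(Ident "params")); the receiver name is the candidate taint source`. parse_assign's body continues past the end of the hunk.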
diff --git a/spec/lib/tainted/lint_spec.rb b/spec/lib/tainted/lint_spec.rb
index ccbc4ce..4d62ed9 100644
--- a/spec/lib/tainted/lint_spec.rb
+++ b/spec/lib/tainted/lint_spec.rb
@@ -14,5 +14,17 @@
 ]
 )
 end
+
+ it "returns issue for sql query from unsanitized param" do
+ file = File.expand_path "#{__dir__}/../../fixtures/params.rb"
+ lint = Tainted::Lint.new(file, %i[params], %i[execute])
+ result = lint.analyze
+
+ expect(result).to eq(
+ [
+ "Method `execute()` consuming tainted variable `sql`",
+ ]
+ )
+ end
 end
 end
From c50530412a17df49d14275187393494544f1a143 Mon Sep 17 00:00:00 2001
From: Syed Faraaz Ahmad
Date: Sat, 4 Nov 2023 08:16:59 +0530
Subject: [PATCH 2/2] fix: remove pp
---
 lib/tainted/static.rb | 2 --
 1 file changed, 2 deletions(-)
diff --git a/lib/tainted/static.rb b/lib/tainted/static.rb
index 6bb20bf..4c6b10c 100644
--- a/lib/tainted/static.rb
+++ b/lib/tainted/static.rb
@@ -52,8 +52,6 @@ def parse_call(node)
 taint_statuses = arguments.map { |arg| [arg, taint_status(arg.value.value.to_sym)] }
- pp State.instance.var_dependencies
-
 method_name = node.message.value
 return unless @sinks.include?(method_name.to_sym)
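Review bot: The new example in lint_spec.rb builds the fixture path with a paren-less `File.expand_path "#{__dir__}/../../fixtures/params.rb"`; the two-argument form `file = File.expand_path("../../fixtures/params.rb", __dir__)` is the idiomatic way to resolve relative to the spec directory and avoids the interpolated `..` string. The example pins only the positive case, a bare `params[:insecure]` read flowing into `execute`; if the suite does not already have one, a companion example on a fixture that reads a hash other than the configured source (or never indexes `params`) would show that the new `ARef` handling does not report clean input, which matters for a taint checker as much as the detection itself. The enclosing `describe` blocks begin before the hunk.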