Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ruby: Do not distinguish between symbols and strings in hash keys #17880

Merged
merged 2 commits into from
Nov 1, 2024
Merged

Ruby: Do not distinguish between symbols and strings in hash keys #17880

merged 2 commits into from
Nov 1, 2024

Conversation

hvitved
Copy link
Contributor

@hvitved hvitved commented Oct 31, 2024
edited
Loading

Before this PR, we distinguished between symbols and strings in hash keys. So, for example, we would (correctly) not report flow in cases like

hash[:key] = "taint"
sink(hash["key"])

However, doing so meant that the flow summaries for methods such as with_indifferent_access would throw away any known information about the keys, leading to false positive flow.

While we could attempt to improve the summaries for methods like with_indifferent_access, this PR instead simply considers symbol/string hash keys equal when they denote the same value. The only potential downside is false positive flow, like in the example above, but this seems very unlikely in practice. Indeed, DCA confirms that this PR only removes results.

@github-actions github-actions bot added the Ruby label Oct 31, 2024
@hvitved hvitved force-pushed the ruby/symbol-string-key-indifference branch from b54bbcd to 6b60865 Compare October 31, 2024 10:42
@hvitved hvitved added the no-change-note-required This PR does not need a change note label Nov 1, 2024
@hvitved hvitved marked this pull request as ready for review November 1, 2024 08:38
@hvitved hvitved requested a review from a team as a code owner November 1, 2024 08:38
joefarebrother
joefarebrother approved these changes Nov 1, 2024
View reviewed changes
Copy link
Contributor

@joefarebrother joefarebrother left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good 👍

@hvitved hvitved merged commit 03ffaac into github:main Nov 1, 2024
23 checks passed
@hvitved hvitved deleted the ruby/symbol-string-key-indifference branch November 1, 2024 09:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joefarebrother joefarebrother joefarebrother approved these changes

Assignees
No one assigned
Labels
no-change-note-required This PR does not need a change note Ruby
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hvitved @joefarebrother