Ruby: Block flow into flow sources

hmac · hmac · commit 3ce3fbf0f469 · 2024-01-31T10:24:01.000Z
This restricts alert paths to the minimum necessary.
diff --git a/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll b/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll
@@ -41,6 +41,8 @@ private module Config implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof CL::Sanitizer }
 
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     CL::isAdditionalTaintStep(nodeFrom, nodeTo)
   }
diff --git a/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll b/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll
@@ -40,6 +40,8 @@ private module Config implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof CS::Sanitizer }
 
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     CS::isAdditionalTaintStep(nodeFrom, nodeTo)
   }
diff --git a/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll
@@ -55,6 +55,8 @@ private module Config implements DataFlow::StateConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node, FlowState state) { node.(Sanitizer).getAState() = state }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll
@@ -41,6 +41,8 @@ private module Config implements DataFlow::ConfigSig {
     node instanceof StringConstCompareBarrier or
     node instanceof StringConstArrayInclusionCallBarrier
   }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll b/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll
@@ -54,6 +54,8 @@ private module Config implements DataFlow::StateConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
   predicate isAdditionalFlowStep(
     DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
   ) {
diff --git a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll
@@ -34,6 +34,8 @@ deprecated class Configuration extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
   override predicate isSanitizer(DataFlow::Node node) {
     super.isSanitizer(node) or
     node instanceof Sanitizer
diff --git a/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll b/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll
@@ -42,6 +42,8 @@ private module InsecureDownloadConfig implements DataFlow::StateConfigSig {
   predicate isSink(DataFlow::Node sink, FlowState label) { sink.(Sink).getAFlowLabel() = label }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll b/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll
@@ -85,6 +85,8 @@ private module KernelOpenConfig implements DataFlow::ConfigSig {
     node instanceof StringConstArrayInclusionCallBarrier or
     node instanceof Sanitizer
   }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
@@ -87,6 +87,8 @@ private module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll
@@ -37,6 +37,8 @@ private module PathInjectionConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof Path::PathSanitization or node instanceof PathInjection::Sanitizer
   }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll b/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll
@@ -45,6 +45,8 @@ private module ReflectedXssConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof RX::Sanitizer }
 
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     RX::isAdditionalXssTaintStep(node1, node2)
   }
diff --git a/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll b/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll
@@ -37,6 +37,8 @@ private module SensitiveGetQueryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll
@@ -41,6 +41,8 @@ private module ServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
     node instanceof StringConstCompareBarrier or
     node instanceof StringConstArrayInclusionCallBarrier
   }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll
@@ -27,6 +27,8 @@ private module SqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll b/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll
@@ -31,6 +31,8 @@ private module StackTraceExposureConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll b/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll
@@ -52,6 +52,8 @@ private module StoredXssConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isAdditionalXssTaintStep(node1, node2)
   }
diff --git a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll
@@ -40,4 +40,6 @@ deprecated class Configuration extends TaintTracking::Configuration {
     super.isSanitizer(node) or
     node instanceof Sanitizer
   }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll
@@ -44,6 +44,8 @@ private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
     node instanceof StringConstArrayInclusionCallBarrier
   }
 
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
@@ -36,6 +36,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserialization::Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof UnsafeDeserialization::Sanitizer }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll
@@ -47,6 +47,8 @@ private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigS
     node instanceof StringConstArrayInclusionCallBarrier
   }
 
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
diff --git a/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll b/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll
@@ -37,6 +37,8 @@ private module UrlRedirectConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     UrlRedirect::isAdditionalTaintStep(node1, node2)
   }
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll
@@ -32,6 +32,8 @@ private module MissingFullAnchorConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll
@@ -42,6 +42,8 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll
@@ -31,6 +31,8 @@ private module RegExpInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof RegExpInjection::Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof RegExpInjection::Sanitizer }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/ruby/ql/src/queries/security/cwe-611/Xxe.ql b/ruby/ql/src/queries/security/cwe-611/Xxe.ql
@@ -31,6 +31,8 @@ private module XxeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 private module XxeFlow = TaintTracking::Global<XxeConfig>;
diff --git a/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql b/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
@@ -54,6 +54,8 @@ private module PermissivePermissionsConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(FileSystemPermissionModification mod | mod.getAPermissionNode() = sink)
   }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 private module PermissivePermissionsFlow = DataFlow::Global<PermissivePermissionsConfig>;
diff --git a/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql b/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
@@ -136,6 +136,8 @@ private module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
 
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(ExprNodes::BinaryOperationCfgNode binop |
       (

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,8 @@ private module Config implements DataFlow::ConfigSig {`
`41`	`41`
`42`	`42`	`predicate isBarrier(DataFlow::Node node) { node instanceof CL::Sanitizer }`
`43`	`43`
	`44`	`+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
	`45`	`+`
`44`	`46`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`45`	`47`	`CL::isAdditionalTaintStep(nodeFrom, nodeTo)`
`46`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,8 @@ private module Config implements DataFlow::ConfigSig {`
`40`	`40`
`41`	`41`	`predicate isBarrier(DataFlow::Node node) { node instanceof CS::Sanitizer }`
`42`	`42`
	`43`	`+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
	`44`	`+`
`43`	`45`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`44`	`46`	`CS::isAdditionalTaintStep(nodeFrom, nodeTo)`
`45`	`47`	`}`
Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,8 @@ private module Config implements DataFlow::StateConfigSig {`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`predicate isBarrier(DataFlow::Node node, FlowState state) { node.(Sanitizer).getAState() = state }`
	`58`	`+`
	`59`	`+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
`58`	`60`	`}`
`59`	`61`
`60`	`62`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,8 @@ private module InsecureDownloadConfig implements DataFlow::StateConfigSig {`
`42`	`42`	`predicate isSink(DataFlow::Node sink, FlowState label) { sink.(Sink).getAFlowLabel() = label }`
`43`	`43`
`44`	`44`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`45`	`+`
	`46`	`+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
`45`	`47`	`}`
`46`	`48`
`47`	`49`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,8 @@ private module KernelOpenConfig implements DataFlow::ConfigSig {`
`85`	`85`	`node instanceof StringConstArrayInclusionCallBarrier or`
`86`	`86`	`node instanceof Sanitizer`
`87`	`87`	`}`
	`88`	`+`
	`89`	`+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
`88`	`90`	`}`
`89`	`91`
`90`	`92`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,8 @@ private module LogInjectionConfig implements DataFlow::ConfigSig {`
`87`	`87`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`88`	`88`
`89`	`89`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`90`	`+`
	`91`	`+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
`90`	`92`	`}`
`91`	`93`
`92`	`94`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,8 @@ private module PathInjectionConfig implements DataFlow::ConfigSig {`
`37`	`37`	`predicate isBarrier(DataFlow::Node node) {`
`38`	`38`	`node instanceof Path::PathSanitization or node instanceof PathInjection::Sanitizer`
`39`	`39`	`}`
	`40`	`+`
	`41`	`+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
`40`	`42`	`}`
`41`	`43`
`42`	`44`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,8 @@ private module ReflectedXssConfig implements DataFlow::ConfigSig {`
`45`	`45`
`46`	`46`	`predicate isBarrier(DataFlow::Node node) { node instanceof RX::Sanitizer }`
`47`	`47`
	`48`	`+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
	`49`	`+`
`48`	`50`	`predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`49`	`51`	`RX::isAdditionalXssTaintStep(node1, node2)`
`50`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,8 @@ private module SensitiveGetQueryConfig implements DataFlow::ConfigSig {`
`37`	`37`	`predicate isSource(DataFlow::Node source) { source instanceof Source }`
`38`	`38`
`39`	`39`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
	`40`	`+`
	`41`	`+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
`40`	`42`	`}`
`41`	`43`
`42`	`44`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,8 @@ private module ServerSideRequestForgeryConfig implements DataFlow::ConfigSig {`
`41`	`41`	`node instanceof StringConstCompareBarrier or`
`42`	`42`	`node instanceof StringConstArrayInclusionCallBarrier`
`43`	`43`	`}`
	`44`	`+`
	`45`	`+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
`44`	`46`	`}`
`45`	`47`
`46`	`48`	`/**`