
Ruby: Block flow into flow sources #15483


2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll
Expand Up @@ -41,6 +41,8 @@ private module Config implements DataFlow::ConfigSig {

predicate isBarrier(DataFlow::Node node) { node instanceof CL::Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }

predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
CL::isAdditionalTaintStep(nodeFrom, nodeTo)
}
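Review bot: The new `isBarrierIn` predicate carries no comment saying why flow into a source is cut, and the same bare one-liner is added to every ConfigSig module in this PR, so a reader of any single file has to find the PR title to learn the intent. A one-line QLDoc above it would do, e.g. `/** Block flow into sources, so a path that passes through several sources is reported from the last one rather than from each of them. */`. This is suggested for all of the `isBarrierIn(DataFlow::Node node) { isSource(node) }` additions in the PR, not only this file. The enclosing `Config` module starts and ends outside the hunk.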
2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll
Expand Up @@ -40,6 +40,8 @@ private module Config implements DataFlow::ConfigSig {

predicate isBarrier(DataFlow::Node node) { node instanceof CS::Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }

predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
CS::isAdditionalTaintStep(nodeFrom, nodeTo)
}
2 changes: 1 addition & 1 deletion ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll
Expand Up @@ -56,7 +56,7 @@ private module Config implements DataFlow::StateConfigSig {

predicate isBarrier(DataFlow::Node node, FlowState state) { node.(Sanitizer).getAState() = state }

predicate isBarrierIn(DataFlow::Node node) { node instanceof Source }
predicate isBarrierIn(DataFlow::Node node, FlowState label) { isSource(node, label) }

int fieldFlowBranchLimit() { result = 10 }
}
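Review bot: Assuming the one-parameter `isBarrierIn(DataFlow::Node node) { node instanceof Source }` is the removed line, the replacement narrows the barrier: a `Source` node now blocks only incoming flow in the state for which it is a source, whereas the old form blocked incoming flow in every state. Whether a source node should still receive flow that has already moved to a different state is a decision worth making explicitly; if the intent is simply "no flow into any source", `predicate isBarrierIn(DataFlow::Node node, FlowState label) { isSource(node, _) }` keeps the old breadth, or the one-parameter form can be kept alongside the new one. The same question applies to the other two StateConfigSig modules in this PR (the `Config` hunk at old line 54 with the state-carrying `isAdditionalFlowStep`, and `InsecureDownloadConfig`). The enclosing `Config` module starts outside the hunk.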
2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll
Expand Up @@ -41,6 +41,8 @@ private module Config implements DataFlow::ConfigSig {
node instanceof StringConstCompareBarrier or
node instanceof StringConstArrayInclusionCallBarrier
}

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
Expand Up @@ -54,6 +54,8 @@ private module Config implements DataFlow::StateConfigSig {

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate isBarrierIn(DataFlow::Node node, FlowState label) { isSource(node, label) }

predicate isAdditionalFlowStep(
DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
) {
2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll
Expand Up @@ -34,6 +34,8 @@ deprecated class Configuration extends TaintTracking::Configuration {

override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrierIn(DataFlow::Node node) { this.isSource(node) }

Check warning

Code scanning / CodeQL

Missing override annotation

Configuration.isBarrierIn overrides [Configuration.isBarrierIn](1) but does not have an override annotation.

override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node) or
node instanceof Sanitizer
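Review bot: In the legacy `TaintTracking::Configuration` API the hook for blocking incoming flow is `isSanitizerIn`, and this deprecated class already goes through that layer for `isSanitizer` on the following lines; if the base class declares `isBarrierIn` as final (to my recollection the shared taint-tracking template does, so this is worth checking rather than assumed) the new predicate will fail to compile rather than merely warn. Replacing it with `override predicate isSanitizerIn(DataFlow::Node node) { this.isSource(node) }` matches the surrounding style and the base-class contract. The same applies to the other deprecated `Configuration` class in this PR (the hunk at old line 40). The enclosing class starts outside the hunk.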
2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll
Expand Up @@ -42,6 +42,8 @@ private module InsecureDownloadConfig implements DataFlow::StateConfigSig {
predicate isSink(DataFlow::Node sink, FlowState label) { sink.(Sink).getAFlowLabel() = label }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate isBarrierIn(DataFlow::Node node, FlowState label) { isSource(node, label) }
}

/**
2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll
Expand Up @@ -85,6 +85,8 @@ private module KernelOpenConfig implements DataFlow::ConfigSig {
node instanceof StringConstArrayInclusionCallBarrier or
node instanceof Sanitizer
}

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
Expand Up @@ -87,6 +87,8 @@ private module LogInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll
Expand Up @@ -37,6 +37,8 @@ private module PathInjectionConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) {
node instanceof Path::PathSanitization or node instanceof PathInjection::Sanitizer
}

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll
Expand Up @@ -45,6 +45,8 @@ private module ReflectedXssConfig implements DataFlow::ConfigSig {

predicate isBarrier(DataFlow::Node node) { node instanceof RX::Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }

predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
RX::isAdditionalXssTaintStep(node1, node2)
}
2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll
Expand Up @@ -37,6 +37,8 @@ private module SensitiveGetQueryConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }

predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
Expand Up @@ -41,6 +41,8 @@ private module ServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
node instanceof StringConstCompareBarrier or
node instanceof StringConstArrayInclusionCallBarrier
}

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll
Expand Up @@ -27,6 +27,8 @@ private module SqlInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
Expand Up @@ -31,6 +31,8 @@ private module StackTraceExposureConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll
Expand Up @@ -52,6 +52,8 @@ private module StoredXssConfig implements DataFlow::ConfigSig {

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }

predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalXssTaintStep(node1, node2)
}
Expand Up @@ -40,4 +40,6 @@ deprecated class Configuration extends TaintTracking::Configuration {
super.isSanitizer(node) or
node instanceof Sanitizer
}

predicate isBarrierIn(DataFlow::Node node) { this.isSource(node) }

Check warning

Code scanning / CodeQL

Missing override annotation

Configuration.isBarrierIn overrides [Configuration.isBarrierIn](1) but does not have an override annotation.
}
Expand Up @@ -44,6 +44,8 @@ private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
node instanceof StringConstArrayInclusionCallBarrier
}

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }

// override to require the path doesn't have unmatched return steps
DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

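Review bot: Cutting flow into every source interacts with the `FeatureHasSourceCallContext` requirement two lines below: when a tainted value flows from an outer source into a callee whose parameter is itself a source, the only path that survives the new barrier starts at the inner parameter and returns out of its callable, which the call-context feature rejects, so a finding previously reported from the outer source can disappear instead of being de-duplicated. This is inferred from the visible lines, not reproduced; a test with a public method that forwards its argument through another public method to a sink would settle it. If the drop is real, one option is to exempt parameter sources, e.g. `predicate isBarrierIn(DataFlow::Node node) { isSource(node) and not node instanceof DataFlow::ParameterNode }`, or to leave the barrier out of the two call-context-restricted configs. The same applies to `UnsafeShellCommandConstructionConfig`, which adds the same predicate next to the same `getAFeature`. The enclosing module starts and ends outside the hunk.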
Expand Up @@ -36,6 +36,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserialization::Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof UnsafeDeserialization::Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
Expand Up @@ -47,6 +47,8 @@ private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigS
node instanceof StringConstArrayInclusionCallBarrier
}

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }

// override to require the path doesn't have unmatched return steps
DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

2 changes: 2 additions & 0 deletions ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll
Expand Up @@ -37,6 +37,8 @@ private module UrlRedirectConfig implements DataFlow::ConfigSig {

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }

predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
UrlRedirect::isAdditionalTaintStep(node1, node2)
}
Expand Up @@ -32,6 +32,8 @@ private module MissingFullAnchorConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
Expand Up @@ -42,6 +42,8 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
Expand Up @@ -31,6 +31,8 @@ private module RegExpInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof RegExpInjection::Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof RegExpInjection::Sanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

/**
2 changes: 2 additions & 0 deletions ruby/ql/src/queries/security/cwe-611/Xxe.ql
Expand Up @@ -31,6 +31,8 @@ private module XxeConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }

predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

private module XxeFlow = TaintTracking::Global<XxeConfig>;
2 changes: 2 additions & 0 deletions ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
Expand Up @@ -54,6 +54,8 @@ private module PermissivePermissionsConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
exists(FileSystemPermissionModification mod | mod.getAPermissionNode() = sink)
}

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}

private module PermissivePermissionsFlow = DataFlow::Global<PermissivePermissionsConfig>;
Expand Up @@ -136,6 +136,8 @@ private module HardcodedCredentialsConfig implements DataFlow::ConfigSig {

predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }

predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(ExprNodes::BinaryOperationCfgNode binop |
(