
Ruby: Support erb flow for ActionController #15555


Draft
wants to merge 3 commits into
base: main
from
55 changes: 51 additions & 4 deletions ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
Expand Up @@ -8,6 +8,7 @@ private import codeql.ruby.dataflow.FlowSummary
private import codeql.ruby.dataflow.SSA
private import codeql.util.Boolean
private import codeql.util.Unit
private import codeql.ruby.controlflow.CfgNodes

/**
* A `LocalSourceNode` for a `self` variable. This is the implicit `self`
Expand Down Expand Up @@ -239,6 +240,7 @@ class NormalCall extends DataFlowCall, TNormalCall {
*/
private module ViewComponentRenderModeling {
private import codeql.ruby.frameworks.ViewComponent
private import codeql.ruby.frameworks.ActionController

private class RenderMethod extends SummarizedCallable, LibraryCallableToIncludeInTypeTracking {
RenderMethod() { this = "render view component" }
Expand All @@ -250,12 +252,38 @@ private module ViewComponentRenderModeling {
// use a call-back summary, and adjust it to a method call below
output = "Argument[0].Parameter[self]" and
preservesValue = true
or
input = "Argument[self]" and
output = "Argument[self].Parameter[self]" and
preservesValue = true

I think we may need to synthesize a new set of render summaries, where we record the name of the ActionControllerActionMethod that calls it. Something like

private class ActionRenderMethod extends SummarizedCallable, LibraryCallableToIncludeInTypeTracking {
    private ActionControllerActionMethod m;

    RenderMethod() { this = "render view component " + m.getName() }

    override MethodCall getACallSimple() { result.getMethodName() = "render" and result.getEnclosingCallable() = m}

    override predicate propagatesFlow(string input, string output, boolean preservesValue) {
      // use a call-back summary, and adjust it to a method call below
      input = "Argument[self]" and
      output = "Argument[self].Parameter[self]" and
      preservesValue = true
  }
}

Then adjustedMethodCall needs to be updated to include the name as well, and finally lookupMethodCall can be replaced with something that looks more like the existing Toplevel lookupMethod(ViewComponent::ComponentClass m, string name).


Hmm, I realize that this may not work because of non-monotonicity.

}
}

private string invokeToplevelName() { result = "__invoke__toplevel__erb__" }

/** Holds if `call` should be adjusted to be a method call to `name` on `receiver`. */
/**
* Holds if `call` should be adjusted to be a method call to `name` on `receiver`.
* `call` is the callback call inside the flow summary.
* Effectively we generate something like
* ```rb
* def render(view)
* # ViewComponent
* view()
* # ActionController
* self()
* end
* ```
*
* And this adjustment changes it to
* ```rb
* def render(view)
* # ViewComponent
* view.__invoke__toplevel__erb__()
* # ActionController
* self.__invoke__toplevel__erb__()
* end
* ```
*/
predicate adjustedMethodCall(DataFlowCall call, FlowSummaryNode receiver, string name) {
exists(RenderMethod render |
call = TSummaryCall(render, receiver.getSummaryNode()) and
Expand All @@ -265,14 +293,29 @@ private module ViewComponentRenderModeling {

/** Holds if `self` belongs to the top-level of an ERB file with matching view class `view`. */
pragma[nomagic]
predicate selfInErbToplevel(SelfVariable self, ViewComponent::ComponentClass view) {
self.getDeclaringScope().(Toplevel).getFile() = view.getTemplate()
predicate selfInErbToplevel(SelfVariable self, Module view) {
self.getDeclaringScope().(Toplevel).getFile() =
[
view.(ViewComponent::ComponentClass).getTemplate(),
view.(ActionControllerClass).getAnAction().getDefaultTemplateFile()
]
}

Toplevel lookupMethod(ViewComponent::ComponentClass m, string name) {
result.getFile() = m.getTemplate() and
name = invokeToplevelName()
}

Toplevel lookupMethodCall(DataFlowCall c, Module mod, DataFlow::Node receiver, string name) {
name = invokeToplevelName() and
exists(ActionControllerActionMethod m, Call summaryCall |
m.getControllerClass() = mod and
result.getFile() = m.getDefaultTemplateFile() and
c.getEnclosingCallable().asLibraryCallable().getACallSimple() = summaryCall and
summaryCall.getEnclosingCallable() = m and
adjustedMethodCall(c, receiver, name)
)
}
}

/** A call for which we want to compute call targets. */
Expand Down Expand Up @@ -801,7 +844,11 @@ private CfgScope lookupInstanceMethodCall(DataFlowCall call, string method, bool
exists(Module tp, DataFlow::Node receiver |
methodCall(call, pragma[only_bind_into](receiver), pragma[only_bind_into](method)) and
receiver = trackInstance(tp, exact) and
result = lookupMethod(tp, pragma[only_bind_into](method), exact)
(
result = lookupMethod(tp, pragma[only_bind_into](method), exact)
or
result = ViewComponentRenderModeling::lookupMethodCall(call, tp, receiver, method)
)
)
}

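Review bot: The QLDoc on `selfInErbToplevel` still describes `view` as a "matching view class", but the parameter type was changed to `Module` and the new disjunct binds it to an `ActionControllerClass` whose action's default template file is the ERB file; suggest `/** Holds if self belongs to the top-level of an ERB file that is either the template of view component class view, or the default template file of an action of controller class view. */`. The new `invokeToplevelName()` and `lookupMethodCall` carry no QLDoc at all; `lookupMethodCall` should at least state that `name` is always the synthetic `__invoke__toplevel__erb__` method, that `c` is expected to be the summary call adjusted by `adjustedMethodCall`, and that `mod` is the controller class of the action whose template is returned. It is also not visible from these hunks what the added `codeql.ruby.controlflow.CfgNodes` import is needed for, since the only new call-related type in view is the AST `Call`; if nothing in the file uses it, drop it. `lookupInstanceMethodCall` starts outside the last hunk.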
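--- a/ruby/ql/lib/codeql/ruby/security/XSS.qll
+++ b/ruby/ql/lib/codeql/ruby/security/XSS.qll
@@ -298,7 +298,10 @@ private module OrmTracking {
 Shared::isAdditionalXssFlowStep(node1, node2)
 }
 
-predicate isBarrierIn(DataFlow::Node node) { node instanceof DataFlow::SelfParameterNode }
+predicate isBarrierIn(DataFlow::Node node) {
+node instanceof DataFlow::SelfParameterNode and
+not node.getLocation().getFile() instanceof ErbFile
+}
 }
 
 import DataFlow::Global<Config>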
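Review bot: The reworked `isBarrierIn` exempts every `DataFlow::SelfParameterNode` located in an `ErbFile` from the barrier, but nothing on the predicate says why the exemption exists, and the hunk does not show `ErbFile` being imported into XSS.qll, so that should be confirmed. Suggest a comment above the predicate: `// self parameters are barriers, except in ERB templates, where self carries the instance variables assigned by the controller action that renders the template`. Note that the exemption is keyed on the file type alone rather than on the template belonging to a known action, so the self parameter of any ERB file is let through; that may well be intended, but it is worth stating in the same comment. `OrmTracking` starts outside the hunk.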
@@ -0,0 +1,16 @@
class UsersController < ActionController::Base
def index
@x = source("index")
render
end

def show
@x = source("show")
# implicit call to `render`
end

def edit
@x = source("edit")
render
end
end
@@ -0,0 +1,3 @@
<%=
sink(@x) # $hasValueFlow=edit
%>
@@ -0,0 +1,3 @@
<%=
sink @x # $hasValueFlow=index
%>
@@ -0,0 +1,3 @@
<%=
sink @x # $ MISSING: hasValueFlow=show
%>
30 changes: 30 additions & 0 deletions ruby/ql/test/library-tests/dataflow/erb/erb.expected
@@ -1,5 +1,19 @@
testFailures
| app/views/users/edit.html.erb:2:8:2:9 | @x | Unexpected result: hasValueFlow=index |
| app/views/users/index.html.erb:2:8:2:9 | @x | Unexpected result: hasValueFlow=edit |
edges
| app/controllers/users_controller.rb:3:9:3:10 | [post] self [@x] | app/controllers/users_controller.rb:4:9:4:14 | self [@x] | provenance | |
| app/controllers/users_controller.rb:3:14:3:28 | call to source | app/controllers/users_controller.rb:3:9:3:10 | [post] self [@x] | provenance | |
| app/controllers/users_controller.rb:4:9:4:14 | self [@x] | app/views/users/edit.html.erb:2:3:3:1 | self in edit.html.erb [@x] | provenance | |
| app/controllers/users_controller.rb:4:9:4:14 | self [@x] | app/views/users/index.html.erb:2:3:3:1 | self in index.html.erb [@x] | provenance | |
| app/controllers/users_controller.rb:13:9:13:10 | [post] self [@x] | app/controllers/users_controller.rb:14:9:14:14 | self [@x] | provenance | |
| app/controllers/users_controller.rb:13:14:13:27 | call to source | app/controllers/users_controller.rb:13:9:13:10 | [post] self [@x] | provenance | |
| app/controllers/users_controller.rb:14:9:14:14 | self [@x] | app/views/users/edit.html.erb:2:3:3:1 | self in edit.html.erb [@x] | provenance | |
| app/controllers/users_controller.rb:14:9:14:14 | self [@x] | app/views/users/index.html.erb:2:3:3:1 | self in index.html.erb [@x] | provenance | |
| app/views/users/edit.html.erb:2:3:3:1 | self in edit.html.erb [@x] | app/views/users/edit.html.erb:2:8:2:9 | self [@x] | provenance | |
| app/views/users/edit.html.erb:2:8:2:9 | self [@x] | app/views/users/edit.html.erb:2:8:2:9 | @x | provenance | |
| app/views/users/index.html.erb:2:3:3:1 | self in index.html.erb [@x] | app/views/users/index.html.erb:2:8:2:9 | self [@x] | provenance | |
| app/views/users/index.html.erb:2:8:2:9 | self [@x] | app/views/users/index.html.erb:2:8:2:9 | @x | provenance | |
| main.rb:3:9:3:9 | x | main.rb:4:26:4:26 | x | provenance | |
| main.rb:3:13:3:21 | call to source | main.rb:3:9:3:9 | x | provenance | |
| main.rb:4:9:4:12 | view [@x] | main.rb:5:16:5:19 | view [@x] | provenance | |
Expand Down Expand Up @@ -45,6 +59,18 @@ edges
| view3.rb:6:5:8:7 | self in get [@x] | view3.rb:7:9:7:10 | self [@x] | provenance | |
| view3.rb:7:9:7:10 | self [@x] | view3.rb:7:9:7:10 | @x | provenance | |
nodes
| app/controllers/users_controller.rb:3:9:3:10 | [post] self [@x] | semmle.label | [post] self [@x] |
| app/controllers/users_controller.rb:3:14:3:28 | call to source | semmle.label | call to source |
| app/controllers/users_controller.rb:4:9:4:14 | self [@x] | semmle.label | self [@x] |
| app/controllers/users_controller.rb:13:9:13:10 | [post] self [@x] | semmle.label | [post] self [@x] |
| app/controllers/users_controller.rb:13:14:13:27 | call to source | semmle.label | call to source |
| app/controllers/users_controller.rb:14:9:14:14 | self [@x] | semmle.label | self [@x] |
| app/views/users/edit.html.erb:2:3:3:1 | self in edit.html.erb [@x] | semmle.label | self in edit.html.erb [@x] |
| app/views/users/edit.html.erb:2:8:2:9 | @x | semmle.label | @x |
| app/views/users/edit.html.erb:2:8:2:9 | self [@x] | semmle.label | self [@x] |
| app/views/users/index.html.erb:2:3:3:1 | self in index.html.erb [@x] | semmle.label | self in index.html.erb [@x] |
| app/views/users/index.html.erb:2:8:2:9 | @x | semmle.label | @x |
| app/views/users/index.html.erb:2:8:2:9 | self [@x] | semmle.label | self [@x] |
| main.rb:3:9:3:9 | x | semmle.label | x |
| main.rb:3:13:3:21 | call to source | semmle.label | call to source |
| main.rb:4:9:4:12 | view [@x] | semmle.label | view [@x] |
Expand Down Expand Up @@ -98,6 +124,10 @@ subpaths
| view2.html.erb:3:5:3:13 | call to source | view2.rb:6:13:6:13 | x | view2.rb:7:9:7:10 | [post] self [@x] | view2.html.erb:3:1:3:14 | [post] self [@x] |
| view3.html.erb:3:6:3:8 | self [@x] | view3.rb:6:5:8:7 | self in get [@x] | view3.rb:7:9:7:10 | @x | view3.html.erb:3:6:3:8 | call to get |
#select
| app/views/users/edit.html.erb:2:8:2:9 | @x | app/controllers/users_controller.rb:3:14:3:28 | call to source | app/views/users/edit.html.erb:2:8:2:9 | @x | $@ | app/controllers/users_controller.rb:3:14:3:28 | call to source | call to source |
| app/views/users/edit.html.erb:2:8:2:9 | @x | app/controllers/users_controller.rb:13:14:13:27 | call to source | app/views/users/edit.html.erb:2:8:2:9 | @x | $@ | app/controllers/users_controller.rb:13:14:13:27 | call to source | call to source |
| app/views/users/index.html.erb:2:8:2:9 | @x | app/controllers/users_controller.rb:3:14:3:28 | call to source | app/views/users/index.html.erb:2:8:2:9 | @x | $@ | app/controllers/users_controller.rb:3:14:3:28 | call to source | call to source |
| app/views/users/index.html.erb:2:8:2:9 | @x | app/controllers/users_controller.rb:13:14:13:27 | call to source | app/views/users/index.html.erb:2:8:2:9 | @x | $@ | app/controllers/users_controller.rb:13:14:13:27 | call to source | call to source |
| view1.rb:10:14:10:15 | @x | main.rb:3:13:3:21 | call to source | view1.rb:10:14:10:15 | @x | $@ | main.rb:3:13:3:21 | call to source | call to source |
| view1.rb:10:14:10:15 | @x | view1.html.erb:6:5:6:13 | call to source | view1.rb:10:14:10:15 | @x | $@ | view1.html.erb:6:5:6:13 | call to source | call to source |
| view2.rb:3:14:3:15 | @x | view2.html.erb:3:5:3:13 | call to source | view2.rb:3:14:3:15 | @x | $@ | view2.html.erb:3:5:3:13 | call to source | call to source |