Share TaintedFormatString between Ruby and JS

Author: hmac

config/identical-files.json

@@ -525,5 +525,13 @@
   "ApiGraphModels": [
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
     "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll"
+  ],
+  "TaintedFormatStringQuery Ruby/JS": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
+    "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll"
+  ],
+  "TaintedFormatStringCustomizations Ruby/JS": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll",
+    "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll"
   ]
-}
+}

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll

@@ -3,10 +3,13 @@
  * format injections, as well as extension points for adding your own.
  */
 
-import javascript
-import semmle.javascript.security.dataflow.DOM
-
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * format injections, as well as extension points for adding your own.
+ */
 module TaintedFormatString {
+  import TaintedFormatStringSpecific
+
   /**
    * A data flow source for format injections.
    */
@@ -23,9 +26,7 @@ module TaintedFormatString {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /** A source of remote user input, considered as a flow source for format injection. */
-  class RemoteSource extends Source {
-    RemoteSource() { this instanceof RemoteFlowSource }
-  }
+  class RemoteSource extends Source instanceof RemoteFlowSource { }
 
   /**
    * A format argument to a printf-like function, considered as a flow sink for format injection.

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll

@@ -8,9 +8,7 @@
  * `TaintedFormatStringCustomizations` should be imported instead.
  */
 
-import javascript
-import semmle.javascript.security.dataflow.DOM
-import TaintedFormatStringCustomizations::TaintedFormatString
+private import TaintedFormatStringCustomizations::TaintedFormatString
 
 /**
  * A taint-tracking configuration for format injections.

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringSpecific.qll

@@ -0,0 +1,6 @@
+/**
+ * Provides JS-specific imports needed for `TaintedFormatStringQuery` and `TaintedFormatStringCustomizations`.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.DOM

ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll

@@ -3,16 +3,13 @@
  * format injections, as well as extension points for adding your own.
  */
 
-private import ruby
-private import codeql.ruby.DataFlow
-private import codeql.ruby.dataflow.RemoteFlowSources
-private import codeql.ruby.ApiGraphs
-
 /**
  * Provides default sources, sinks and sanitizers for reasoning about
  * format injections, as well as extension points for adding your own.
  */
 module TaintedFormatString {
+  import TaintedFormatStringSpecific
+
   /**
    * A data flow source for format injections.
    */
@@ -36,63 +33,11 @@ module TaintedFormatString {
    */
   class FormatSink extends Sink {
     FormatSink() {
-      exists(PrintfCall printf |
+      exists(PrintfStyleCall printf |
         this = printf.getFormatString() and
         // exclude trivial case where there are no arguments to interpolate
         exists(printf.getFormatArgument(_))
       )
     }
   }
-
-  /**
-   * A call to `printf` or `sprintf`.
-   */
-  abstract class PrintfCall extends DataFlow::CallNode {
-    // We assume that most printf-like calls have the signature f(format_string, args...)
-    /**
-     * Gets the format string of this call.
-     */
-    DataFlow::Node getFormatString() { result = this.getArgument(0) }
-
-    /**
-     * Gets then `n`th formatted argument of this call.
-     */
-    DataFlow::Node getFormatArgument(int n) { n > 0 and result = this.getArgument(n) }
-  }
-
-  /**
-   * A call to `Kernel.printf`.
-   */
-  class KernelPrintfCall extends PrintfCall {
-    KernelPrintfCall() {
-      this = API::getTopLevelMember("Kernel").getAMethodCall("printf")
-      or
-      this.asExpr().getExpr() instanceof UnknownMethodCall and
-      this.getMethodName() = "printf"
-    }
-
-    // Kernel#printf supports two signatures:
-    //   printf(io, string, ...)
-    //   printf(string, ...)
-    override DataFlow::Node getFormatString() { result = this.getArgument([0, 1]) }
-  }
-
-  /**
-   * A call to `Kernel.sprintf`.
-   */
-  class KernelSprintfCall extends PrintfCall {
-    KernelSprintfCall() {
-      this = API::getTopLevelMember("Kernel").getAMethodCall("sprintf")
-      or
-      this.asExpr().getExpr() instanceof UnknownMethodCall and
-      this.getMethodName() = "sprintf"
-    }
-  }
-
-  /**
-   * A call to `IO#printf`.
-   */
-  class IOPrintfCall extends PrintfCall {
-    IOPrintfCall() { this = API::getTopLevelMember("IO").getInstance().getAMethodCall("printf") }
-  }
 }

ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll

@@ -8,10 +8,7 @@
  * `TaintedFormatStringCustomizations` should be imported instead.
  */
 
-import ruby
-import codeql.ruby.DataFlow
-import codeql.ruby.TaintTracking
-import TaintedFormatStringCustomizations::TaintedFormatString
+private import TaintedFormatStringCustomizations::TaintedFormatString
 
 /**
  * A taint-tracking configuration for format injections.

ruby/ql/lib/codeql/ruby/security/TaintedFormatStringSpecific.qll

@@ -0,0 +1,61 @@
+/**
+ * Provides Ruby-specific imports and classes needed for `TaintedFormatStringQuery` and `TaintedFormatStringCustomizations`.
+ */
+
+import ruby
+import codeql.ruby.DataFlow
+import codeql.ruby.dataflow.RemoteFlowSources
+import codeql.ruby.ApiGraphs
+import codeql.ruby.TaintTracking
+
+/**
+ * A call to `printf` or `sprintf`.
+ */
+abstract class PrintfStyleCall extends DataFlow::CallNode {
+  // We assume that most printf-like calls have the signature f(format_string, args...)
+  /**
+   * Gets the format string of this call.
+   */
+  DataFlow::Node getFormatString() { result = this.getArgument(0) }
+
+  /**
+   * Gets then `n`th formatted argument of this call.
+   */
+  DataFlow::Node getFormatArgument(int n) { n > 0 and result = this.getArgument(n) }
+}
+
+/**
+ * A call to `Kernel.printf`.
+ */
+class KernelPrintfCall extends PrintfStyleCall {
+  KernelPrintfCall() {
+    this = API::getTopLevelMember("Kernel").getAMethodCall("printf")
+    or
+    this.asExpr().getExpr() instanceof UnknownMethodCall and
+    this.getMethodName() = "printf"
+  }
+
+  // Kernel#printf supports two signatures:
+  //   printf(io, string, ...)
+  //   printf(string, ...)
+  override DataFlow::Node getFormatString() { result = this.getArgument([0, 1]) }
+}
+
+/**
+ * A call to `Kernel.sprintf`.
+ */
+class KernelSprintfCall extends PrintfStyleCall {
+  KernelSprintfCall() {
+    this = API::getTopLevelMember("Kernel").getAMethodCall("sprintf")
+    or
+    this.asExpr().getExpr() instanceof UnknownMethodCall and
+    this.getMethodName() = "sprintf"
+  }
+}
+
+/**
+ * A call to `IO#printf`.
+ */
+class IOPrintfCall extends PrintfStyleCall {
+  IOPrintfCall() { this = API::getTopLevelMember("IO").getInstance().getAMethodCall("printf") }
+}

ruby/ql/src/queries/security/cwe-134/TaintedFormatString.ql

@@ -11,6 +11,7 @@
  */
 
 import ruby
+import codeql.ruby.DataFlow
 import codeql.ruby.security.TaintedFormatStringQuery
 import DataFlow::PathGraph