Merge pull request #9574 from hmac/hmac/action-cable-logger

Ruby: More Rails modeling

Author: hmac

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -3,6 +3,7 @@
  */
 
 private import codeql.ruby.frameworks.Core
+private import codeql.ruby.frameworks.ActionCable
 private import codeql.ruby.frameworks.ActionController
 private import codeql.ruby.frameworks.ActiveRecord
 private import codeql.ruby.frameworks.ActiveStorage
@@ -11,6 +12,7 @@ private import codeql.ruby.frameworks.ActiveSupport
 private import codeql.ruby.frameworks.Archive
 private import codeql.ruby.frameworks.GraphQL
 private import codeql.ruby.frameworks.Rails
+private import codeql.ruby.frameworks.Railties
 private import codeql.ruby.frameworks.Stdlib
 private import codeql.ruby.frameworks.Files
 private import codeql.ruby.frameworks.HttpClients

ruby/ql/lib/codeql/ruby/frameworks/ActionCable.qll

@@ -0,0 +1,29 @@
+/**
+ * Modeling for `ActionCable`, which is a websocket gem that ships with Rails.
+ * https://rubygems.org/gems/actioncable
+ */
+
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.frameworks.stdlib.Logger::Logger as StdlibLogger
+
+/**
+ * Modeling for `ActionCable`.
+ */
+module ActionCable {
+  /**
+   * `ActionCable::Connection::TaggedLoggerProxy`
+   */
+  module Logger {
+    private class ActionCableLoggerInstantiation extends StdlibLogger::LoggerInstantiation {
+      ActionCableLoggerInstantiation() {
+        this =
+          API::getTopLevelMember("ActionCable")
+              .getMember("Connection")
+              .getMember("TaggedLoggerProxy")
+              .getAnInstantiation()
+      }
+    }
+  }
+}

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -180,18 +180,31 @@ private class ActionControllerHtmlEscapeCall extends HtmlEscapeCall {
  * specific URL/path or to a different action in this controller.
  */
 class RedirectToCall extends ActionControllerContextCall {
-  RedirectToCall() { this.getMethodName() = "redirect_to" }
+  RedirectToCall() {
+    this.getMethodName() = ["redirect_to", "redirect_back", "redirect_back_or_to"]
+  }
 
   /** Gets the `Expr` representing the URL to redirect to, if any */
-  Expr getRedirectUrl() { result = this.getArgument(0) }
+  Expr getRedirectUrl() {
+    this.getMethodName() = "redirect_back" and result = this.getKeywordArgument("fallback_location")
+    or
+    this.getMethodName() = ["redirect_to", "redirect_back_or_to"] and result = this.getArgument(0)
+  }
 
   /** Gets the `ActionControllerActionMethod` to redirect to, if any */
   ActionControllerActionMethod getRedirectActionMethod() {
-    exists(string methodName |
-      this.getKeywordArgument("action").getConstantValue().isStringlikeValue(methodName) and
-      methodName = result.getName() and
-      result.getEnclosingModule() = this.getControllerClass()
-    )
+    this.getKeywordArgument("action").getConstantValue().isStringlikeValue(result.getName()) and
+    result.getEnclosingModule() = this.getControllerClass()
+  }
+
+  /**
+   * Holds if this method call allows a redirect to an external host.
+   */
+  predicate allowsExternalRedirect() {
+    // Unless the option allow_other_host is explicitly set to false, assume that external redirects are allowed.
+    // TODO: Take into account `config.action_controller.raise_on_open_redirects`.
+    // TODO: Take into account that this option defaults to false in Rails 7.
+    not this.getKeywordArgument("allow_other_host").getConstantValue().isBoolean(false)
   }
 }
 

ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll

@@ -359,7 +359,7 @@ private module Persistence {
   }
 
   /**
-   * Holds if `call` has a keyword argument of with value `value`.
+   * Holds if `call` has a keyword argument with value `value`.
    */
   private predicate keywordArgumentWithValue(DataFlow::CallNode call, DataFlow::ExprNode value) {
     exists(ExprNodes::PairCfgNode pair | pair = call.getArgument(_).asExpr() |
@@ -412,6 +412,28 @@ private module Persistence {
     }
   }
 
+  /**
+   *  A call to `ActiveRecord::Relation#touch_all`, which updates the `updated_at`
+   *  attribute on all records in the relation, setting it to the current time or
+   *  the time specified. If passed additional attribute names, they will also be
+   *  updated with the time.
+   *  Examples:
+   *  ```rb
+   * Person.all.touch_all
+   * Person.where(name: "David").touch_all
+   * Person.all.touch_all(:created_at)
+   * Person.all.touch_all(time: Time.new(2020, 5, 16, 0, 0, 0))
+   * ```
+   */
+  private class TouchAllCall extends DataFlow::CallNode, PersistentWriteAccess::Range {
+    TouchAllCall() {
+      exists(this.asExpr().getExpr().(ActiveRecordModelClassMethodCall).getReceiverClass()) and
+      this.getMethodName() = "touch_all"
+    }
+
+    override DataFlow::Node getValue() { result = this.getKeywordArgument("time") }
+  }
+
   /** A call to e.g. `User.insert_all([{name: "foo"}, {name: "bar"}])` */
   private class InsertAllLikeCall extends DataFlow::CallNode, PersistentWriteAccess::Range {
     private ExprNodes::ArrayLiteralCfgNode arr;

ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll

@@ -7,7 +7,6 @@ private import ruby
 private import codeql.ruby.Concepts
 private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.FlowSummary
-private import codeql.ruby.Concepts
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.frameworks.stdlib.Logger::Logger as StdlibLogger
 

ruby/ql/lib/codeql/ruby/frameworks/Railties.qll

@@ -0,0 +1,62 @@
+/**
+ * Modeling for `railties`, which is a gem containing various internals and utilities for the Rails framework.
+ * https://rubygems.org/gems/railties
+ */
+
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.DataFlow
+private import codeql.ruby.ast.internal.Module
+
+/**
+ * Modeling for `railties`.
+ */
+module Railties {
+  /**
+   * A class which `include`s `Rails::Generators::Actions`.
+   */
+  private class GeneratorsActionsContext extends ClassDeclaration {
+    GeneratorsActionsContext() {
+      exists(IncludeOrPrependCall i |
+        i.getEnclosingModule() = this and
+        i.getArgument(0) =
+          API::getTopLevelMember("Rails")
+              .getMember("Generators")
+              .getMember("Actions")
+              .getAUse()
+              .asExpr()
+              .getExpr()
+      )
+    }
+  }
+
+  /**
+   * A call to `Rails::Generators::Actions#execute_command`.
+   * This method concatenates its first and second arguments and executes the result as a shell command.
+   */
+  private class ExecuteCommandCall extends SystemCommandExecution::Range, DataFlow::CallNode {
+    ExecuteCommandCall() {
+      this.asExpr().getExpr().getEnclosingModule() instanceof GeneratorsActionsContext and
+      this.getMethodName() = "execute_command"
+    }
+
+    override DataFlow::Node getAnArgument() { result = this.getArgument([0, 1]) }
+
+    override predicate isShellInterpreted(DataFlow::Node arg) { any() }
+  }
+
+  /**
+   * A call to a method in `Rails::Generators::Actions` which delegates to `execute_command`.
+   */
+  private class ExecuteCommandWrapperCall extends SystemCommandExecution::Range, DataFlow::CallNode {
+    ExecuteCommandWrapperCall() {
+      this.asExpr().getExpr().getEnclosingModule() instanceof GeneratorsActionsContext and
+      this.getMethodName() = ["rake", "rails_command", "git"]
+    }
+
+    override DataFlow::Node getAnArgument() { result = this.getArgument(0) }
+
+    override predicate isShellInterpreted(DataFlow::Node arg) { any() }
+  }
+}

ruby/ql/lib/codeql/ruby/frameworks/core/internal/IOOrFile.qll

@@ -137,7 +137,7 @@ class IOOrFileWriteMethodCall extends IOOrFileMethodCall {
       receiverKind = "class" and
       api = ["IO", "File"] and
       this = API::getTopLevelMember(api).getAMethodCall(methodName) and
-      methodName = ["binwrite", "write"] and
+      methodName = ["binwrite", "write", "atomic_write"] and
       dataNode = this.getArgument(1)
       or
       // e.g. `{IO,File}.new("foo.txt", "a+).puts("hello")`

ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll

@@ -71,7 +71,9 @@ module UrlRedirect {
           // We exclude any handlers with names containing create/update/destroy, as these are not likely to handle GET requests.
           not exists(method.(ActionControllerActionMethod).getARoute()) and
           not method.getName().regexpMatch(".*(create|update|destroy).*")
-        )
+        ) and
+        // If this redirect is an ActionController method call, it is only vulnerable if it allows external redirects.
+        forall(RedirectToCall c | c = e.asExpr().getExpr() | c.allowsExternalRedirect())
       )
     }
   }

ruby/ql/test/library-tests/concepts/PersistentWriteAccess.expected

@@ -14,6 +14,7 @@
 | app/controllers/users_controller.rb:20:7:20:57 | call to update_attributes | app/controllers/users_controller.rb:20:49:20:55 | call to get_uid |
 | app/controllers/users_controller.rb:23:7:23:42 | call to update_attribute | app/controllers/users_controller.rb:23:37:23:41 | "U13" |
 | app/controllers/users_controller.rb:26:19:26:23 | ... = ... | app/controllers/users_controller.rb:26:19:26:23 | "U14" |
+| app/controllers/users_controller.rb:31:7:31:32 | call to touch_all | app/controllers/users_controller.rb:31:28:31:31 | call to time |
 | app/models/user.rb:4:5:4:28 | call to update | app/models/user.rb:4:23:4:27 | "U15" |
 | app/models/user.rb:5:5:5:23 | call to update | app/models/user.rb:5:18:5:22 | "U16" |
 | app/models/user.rb:6:5:6:56 | call to update_attributes | app/models/user.rb:6:35:6:39 | "U17" |

ruby/ql/test/library-tests/concepts/app/controllers/users_controller.rb

@@ -25,6 +25,10 @@ def create_or_modify
       # AssignAttributeCall
       user.name = "U14"
       user.save
+
+      # TouchAllCall
+      User.touch_all
+      User.touch_all(time: time)
     end
 
     def get_uid