Ruby: Make HttpToFileAccess more specific

hmac · hmac · commit 130d93dded24 · 2022-03-22T11:09:08.000+13:00
Only consider sources from HTTP requests, rather than any remote flow
source.
diff --git a/ruby/ql/lib/codeql/ruby/Concepts.qll b/ruby/ql/lib/codeql/ruby/Concepts.qll
@@ -298,6 +298,11 @@ module HTTP {
      * extend `RequestInputAccess::Range` instead.
      */
     class RequestInputAccess extends DataFlow::Node instanceof RequestInputAccess::Range {
+      /**
+       * Gets a string that describes the type of this input.
+       *
+       *  This is typically the name of the method that gives rise to this input.
+       */
       string getSourceType() { result = super.getSourceType() }
     }
 
@@ -310,6 +315,11 @@ module HTTP {
        * extend `RequestInputAccess` instead.
        */
       abstract class Range extends DataFlow::Node {
+        /**
+         * Gets a string that describes the type of this input.
+         *
+         *  This is typically the name of the method that gives rise to this input.
+         */
         abstract string getSourceType();
       }
     }
diff --git a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll
@@ -9,6 +9,11 @@ import codeql.ruby.DataFlow
 import codeql.ruby.dataflow.RemoteFlowSources
 import codeql.ruby.Concepts
 
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * writing user-controlled data to files, as well as extension points
+ * for adding your own.
+ */
 module HttpToFileAccess {
   /**
    * A data flow source for writing user-controlled data to files.
@@ -25,9 +30,15 @@ module HttpToFileAccess {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
-  /** A source of remote user input, considered as a flow source for writing user-controlled data to files. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  /**
+   * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
+   */
+  private class RequestInputAccessAsSource extends Source instanceof HTTP::Server::RequestInputAccess {
+  }
+
+  /** A response from an outgoing HTTP request, considered as a flow source for writing user-controlled data to files. */
+  private class HttpResponseAsSource extends Source {
+    HttpResponseAsSource() { this = any(HTTP::Client::Request r).getResponseBody() }
   }
 
   /** A sink that represents file access method (write, append) argument */
