Merge pull request #8354 from aibaars/incomplete-url-string-sanitization

Incomplete url string sanitization

Author: aibaars

config/identical-files.json

@@ -515,6 +515,10 @@
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll"
   ],
+  "IncompleteUrlSubstringSanitization": [
+    "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
+    "ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll"
+  ],
   "Concepts Python/Ruby/JS": [
     "python/ql/lib/semmle/python/internal/ConceptsShared.qll",
     "ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll",

javascript/ql/lib/semmle/javascript/StringOps.qll

@@ -235,12 +235,12 @@ module StringOps {
    */
   class EndsWith extends DataFlow::Node instanceof EndsWith::Range {
     /**
-     * Gets the `A` in `A.startsWith(B)`.
+     * Gets the `A` in `A.endsWith(B)`.
      */
     DataFlow::Node getBaseString() { result = super.getBaseString() }
 
     /**
-     * Gets the `B` in `A.startsWith(B)`.
+     * Gets the `B` in `A.endsWith(B)`.
      */
     DataFlow::Node getSubstring() { result = super.getSubstring() }
 

javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql

@@ -11,60 +11,4 @@
  *       external/cwe/cwe-020
  */
 
-import javascript
-private import semmle.javascript.dataflow.InferredTypes
-
-/**
- * A check on a string for whether it contains a given substring, possibly with restrictions on the location of the substring.
- */
-class SomeSubstringCheck extends DataFlow::Node {
-  DataFlow::Node substring;
-
-  SomeSubstringCheck() {
-    this.(StringOps::StartsWith).getSubstring() = substring or
-    this.(StringOps::Includes).getSubstring() = substring or
-    this.(StringOps::EndsWith).getSubstring() = substring
-  }
-
-  /**
-   * Gets the substring.
-   */
-  DataFlow::Node getSubstring() { result = substring }
-}
-
-from SomeSubstringCheck check, DataFlow::Node substring, string target, string msg
-where
-  substring = check.getSubstring() and
-  substring.mayHaveStringValue(target) and
-  (
-    // target contains a domain on a common TLD, and perhaps some other URL components
-    target
-        .regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+" + RegExpPatterns::getACommonTld() +
-            "(:[0-9]+)?/?")
-    or
-    // target is a HTTP URL to a domain on any TLD
-    target.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+([a-z]+)(:[0-9]+)?/?")
-    or
-    // target is a HTTP URL to a domain on any TLD with path elements, and the check is an includes check
-    check instanceof StringOps::Includes and
-    target.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+([a-z]+)(:[0-9]+)?/[a-z0-9/_-]+")
-  ) and
-  (
-    if check instanceof StringOps::StartsWith
-    then msg = "may be followed by an arbitrary host name"
-    else
-      if check instanceof StringOps::EndsWith
-      then msg = "may be preceded by an arbitrary host name"
-      else msg = "can be anywhere in the URL, and arbitrary hosts may come before or after it"
-  ) and
-  // whitelist
-  not (
-    // the leading dot in a subdomain sequence makes the suffix-check safe (if it is performed on the host of the url)
-    check instanceof StringOps::EndsWith and
-    target.regexpMatch("(?i)\\.([a-z0-9-]+)(\\.[a-z0-9-]+)+")
-    or
-    // the trailing port or slash makes the prefix-check safe
-    check instanceof StringOps::StartsWith and
-    target.regexpMatch(".*(:[0-9]+|/)")
-  )
-select check, "'$@' " + msg + ".", substring, target
+import IncompleteUrlSubstringSanitization

javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll

@@ -0,0 +1,62 @@
+/**
+ * Incomplete URL substring sanitization
+ */
+
+private import IncompleteUrlSubstringSanitizationSpecific
+
+/**
+ * A check on a string for whether it contains a given substring, possibly with restrictions on the location of the substring.
+ */
+class SomeSubstringCheck extends DataFlow::Node {
+  DataFlow::Node substring;
+
+  SomeSubstringCheck() {
+    this.(StringOps::StartsWith).getSubstring() = substring or
+    this.(StringOps::Includes).getSubstring() = substring or
+    this.(StringOps::EndsWith).getSubstring() = substring
+  }
+
+  /**
+   * Gets the substring.
+   */
+  DataFlow::Node getSubstring() { result = substring }
+}
+
+/** Holds if there is an incomplete URL substring sanitization problem */
+query predicate problems(
+  SomeSubstringCheck check, string msg, DataFlow::Node substring, string target
+) {
+  substring = check.getSubstring() and
+  mayHaveStringValue(substring, target) and
+  (
+    // target contains a domain on a common TLD, and perhaps some other URL components
+    target
+        .regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+" + RegExpPatterns::getACommonTld() +
+            "(:[0-9]+)?/?")
+    or
+    // target is a HTTP URL to a domain on any TLD
+    target.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+([a-z]+)(:[0-9]+)?/?")
+    or
+    // target is a HTTP URL to a domain on any TLD with path elements, and the check is an includes check
+    check instanceof StringOps::Includes and
+    target.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+([a-z]+)(:[0-9]+)?/[a-z0-9/_-]+")
+  ) and
+  (
+    if check instanceof StringOps::StartsWith
+    then msg = "'$@' may be followed by an arbitrary host name."
+    else
+      if check instanceof StringOps::EndsWith
+      then msg = "'$@' may be preceded by an arbitrary host name."
+      else msg = "'$@' can be anywhere in the URL, and arbitrary hosts may come before or after it."
+  ) and
+  // whitelist
+  not (
+    // the leading dot in a subdomain sequence makes the suffix-check safe (if it is performed on the host of the url)
+    check instanceof StringOps::EndsWith and
+    target.regexpMatch("(?i)\\.([a-z0-9-]+)(\\.[a-z0-9-]+)+")
+    or
+    // the trailing port or slash makes the prefix-check safe
+    check instanceof StringOps::StartsWith and
+    target.regexpMatch(".*(:[0-9]+|/)")
+  )
+}

javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitizationSpecific.qll

@@ -0,0 +1,5 @@
+import javascript
+import semmle.javascript.dataflow.InferredTypes
+
+/** Holds if `node` may evaluate to `value` */
+predicate mayHaveStringValue(DataFlow::Node node, string value) { node.mayHaveStringValue(value) }

ruby/ql/lib/codeql/ruby/InclusionTests.qll

@@ -0,0 +1,134 @@
+/**
+ * Contains classes for recognizing array and string inclusion tests.
+ */
+
+private import ruby
+private import codeql.ruby.DataFlow
+private import codeql.ruby.controlflow.CfgNodes
+
+/**
+ * An expression that checks if an element is contained in an array
+ * or is a substring of another string.
+ *
+ * Examples:
+ * ```
+ * A.include?(B)
+ * A.index(B) != nil
+ * A.index(B) >= 0
+ * ```
+ */
+class InclusionTest extends DataFlow::Node instanceof InclusionTest::Range {
+  /** Gets the `A` in `A.include?(B)`. */
+  final DataFlow::Node getContainerNode() { result = super.getContainerNode() }
+
+  /** Gets the `B` in `A.include?(B)`. */
+  final DataFlow::Node getContainedNode() { result = super.getContainedNode() }
+
+  /**
+   * Gets the polarity of the check.
+   *
+   * If the polarity is `false` the check returns `true` if the container does not contain
+   * the given element.
+   */
+  final boolean getPolarity() { result = super.getPolarity() }
+}
+
+/**
+ * Contains classes for recognizing array and string inclusion tests.
+ */
+module InclusionTest {
+  /**
+   * An expression that is equivalent to `A.include?(B)` or `!A.include?(B)`.
+   *
+   * Note that this also includes calls to the array method named `include?`.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the `A` in `A.include?(B)`. */
+    abstract DataFlow::Node getContainerNode();
+
+    /** Gets the `B` in `A.include?(B)`. */
+    abstract DataFlow::Node getContainedNode();
+
+    /**
+     * Gets the polarity of the check.
+     *
+     * If the polarity is `false` the check returns `true` if the container does not contain
+     * the given element.
+     */
+    boolean getPolarity() { result = true }
+  }
+
+  /**
+   * A call to a method named `include?`, assumed to refer to `String.include?`
+   * or `Array.include?`.
+   */
+  private class Includes_Native extends Range, DataFlow::CallNode {
+    Includes_Native() {
+      this.getMethodName() = "include?" and
+      strictcount(this.getArgument(_)) = 1
+    }
+
+    override DataFlow::Node getContainerNode() { result = this.getReceiver() }
+
+    override DataFlow::Node getContainedNode() { result = this.getArgument(0) }
+  }
+
+  /**
+   * A check of form `A.index(B) != nil`, `A.index(B) >= 0`, or similar.
+   */
+  private class Includes_IndexOfComparison extends Range, DataFlow::Node {
+    private DataFlow::CallNode indexOf;
+    private boolean polarity;
+
+    Includes_IndexOfComparison() {
+      exists(ExprCfgNode index, ExprNodes::ComparisonOperationCfgNode comparison, int value |
+        indexOf.asExpr() = comparison.getAnOperand() and
+        index = comparison.getAnOperand() and
+        this.asExpr() = comparison and
+        // one operand is of the form `whitelist.index(x)`
+        indexOf.getMethodName() = "index" and
+        // and the other one is 0 or -1
+        (
+          value = index.getConstantValue().getInt() and value = 0
+          or
+          index.getConstantValue().isNil() and value = -1
+        )
+      |
+        value = -1 and polarity = false and comparison.getExpr() instanceof CaseEqExpr
+        or
+        value = -1 and polarity = false and comparison.getExpr() instanceof EqExpr
+        or
+        value = -1 and polarity = true and comparison.getExpr() instanceof NEExpr
+        or
+        exists(RelationalOperation op | op = comparison.getExpr() |
+          exists(Expr lesser, Expr greater |
+            op.getLesserOperand() = lesser and
+            op.getGreaterOperand() = greater
+          |
+            polarity = true and
+            greater = indexOf.asExpr().getExpr() and
+            (
+              value = 0 and op.isInclusive()
+              or
+              value = -1 and not op.isInclusive()
+            )
+            or
+            polarity = false and
+            lesser = indexOf.asExpr().getExpr() and
+            (
+              value = -1 and op.isInclusive()
+              or
+              value = 0 and not op.isInclusive()
+            )
+          )
+        )
+      )
+    }
+
+    override DataFlow::Node getContainerNode() { result = indexOf.getReceiver() }
+
+    override DataFlow::Node getContainedNode() { result = indexOf.getArgument(0) }
+
+    override boolean getPolarity() { result = polarity }
+  }
+}