Merge pull request #9974 from hmac/hmac/active-resource

Ruby: Model ActiveResource

Author: hmac

ruby/ql/lib/change-notes/2022-08-16-active-resource.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Accesses of ActiveResource models are now recognized as HTTP requests.

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -6,6 +6,7 @@ private import codeql.ruby.frameworks.Core
 private import codeql.ruby.frameworks.ActionCable
 private import codeql.ruby.frameworks.ActionController
 private import codeql.ruby.frameworks.ActiveRecord
+private import codeql.ruby.frameworks.ActiveResource
 private import codeql.ruby.frameworks.ActiveStorage
 private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.ActiveSupport

ruby/ql/lib/codeql/ruby/controlflow/CfgNodes.qll

@@ -711,6 +711,19 @@ module ExprNodes {
     final CfgNode getReceiver() { e.hasCfgChild(e.getReceiver(), this, result) }
   }
 
+  private class SelfVariableAccessMapping extends ExprChildMapping, SelfVariableAccess {
+    override predicate relevantChild(AstNode n) { none() }
+  }
+
+  /** A control-flow node that wraps a `SelfVariableAccess` AST expression. */
+  class SelfVariableAccessCfgNode extends ExprCfgNode {
+    final override string getAPrimaryQlClass() { result = "SelfVariableAccessCfgNode" }
+
+    override SelfVariableAccessMapping e;
+
+    override SelfVariableAccess getExpr() { result = ExprCfgNode.super.getExpr() }
+  }
+
   /** A control-flow node that wraps a `VariableWriteAccess` AST expression. */
   class VariableWriteAccessCfgNode extends ExprCfgNode {
     override string getAPrimaryQlClass() { result = "VariableWriteAccessCfgNode" }

ruby/ql/lib/codeql/ruby/frameworks/ActiveResource.qll

@@ -0,0 +1,292 @@
+/**
+ * Provides modeling for the `ActiveResource` library.
+ * Version: 6.0.0.
+ */
+
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.controlflow.CfgNodes
+private import codeql.ruby.ast.internal.Module
+private import codeql.ruby.DataFlow
+private import codeql.ruby.ApiGraphs
+
+/**
+ * Provides modeling for the `ActiveResource` library.
+ * Version: 6.0.0.
+ */
+module ActiveResource {
+  /**
+   * An ActiveResource model class. This is any (transitive) subclass of ActiveResource.
+   */
+  private API::Node modelApiNode() {
+    result = API::getTopLevelMember("ActiveResource").getMember("Base").getASubclass+()
+  }
+
+  /**
+   * An ActiveResource class.
+   *
+   * ```rb
+   * class Person < ActiveResource::Base
+   * end
+   * ```
+   */
+  class ModelClass extends ClassDeclaration {
+    API::Node model;
+
+    ModelClass() {
+      model = modelApiNode() and
+      this.getSuperclassExpr() = model.getAValueReachableFromSource().asExpr().getExpr()
+    }
+
+    /** Gets the API node for this model */
+    API::Node getModelApiNode() { result = model }
+
+    /** Gets a call to `site=`, which sets the base URL for this model. */
+    SiteAssignCall getASiteAssignment() { result.getModelClass() = this }
+
+    /** Holds if `c` sets a base URL which does not use HTTPS. */
+    predicate disablesCertificateValidation(SiteAssignCall c) {
+      c = this.getASiteAssignment() and
+      c.disablesCertificateValidation()
+    }
+  }
+
+  /**
+   * A call to a class method on an ActiveResource model class.
+   *
+   * ```rb
+   * class Person < ActiveResource::Base
+   * end
+   *
+   * Person.find(1)
+   * ```
+   */
+  class ModelClassMethodCall extends DataFlow::CallNode {
+    API::Node model;
+
+    ModelClassMethodCall() {
+      model = modelApiNode() and
+      this = classMethodCall(model, _)
+    }
+
+    /** Gets the model class for this call. */
+    ModelClass getModelClass() { result.getModelApiNode() = model }
+  }
+
+  /**
+   * A call to `site=` on an ActiveResource model class.
+   * This sets the base URL for all HTTP requests made by this class.
+   */
+  private class SiteAssignCall extends DataFlow::CallNode {
+    API::Node model;
+
+    SiteAssignCall() { model = modelApiNode() and this = classMethodCall(model, "site=") }
+
+    /**
+     * Gets a node that contributes to the URLs used for HTTP requests by the parent
+     * class.
+     */
+    DataFlow::Node getAUrlPart() { result = this.getArgument(0) }
+
+    /** Gets the model class for this call. */
+    ModelClass getModelClass() { result.getModelApiNode() = model }
+
+    /** Holds if this site value specifies HTTP rather than HTTPS. */
+    predicate disablesCertificateValidation() {
+      this.getAUrlPart()
+          .asExpr()
+          .(ExprNodes::AssignExprCfgNode)
+          .getRhs()
+          .getConstantValue()
+          .getString()
+          .regexpMatch("^http[^s].+")
+    }
+  }
+
+  /**
+   * A call to the `find` class method, which returns an ActiveResource model
+   * object.
+   *
+   * ```rb
+   * alice = Person.find(1)
+   * ```
+   */
+  class FindCall extends ModelClassMethodCall {
+    FindCall() { this.getMethodName() = "find" }
+  }
+
+  /**
+   * A call to the `create(!)` class method, which returns an ActiveResource model
+   * object.
+   *
+   * ```rb
+   * alice = Person.create(name: "alice")
+   * ```
+   */
+  class CreateCall extends ModelClassMethodCall {
+    CreateCall() { this.getMethodName() = ["create", "create!"] }
+  }
+
+  /**
+   * A call to a method that sends a custom HTTP request outside of the
+   * ActiveResource conventions. This typically returns an ActiveResource model
+   * object. It may return a collection, but we don't currently model that.
+   *
+   * ```rb
+   * alice = Person.get(:active)
+   * ```
+   */
+  class CustomHttpCall extends ModelClassMethodCall {
+    CustomHttpCall() { this.getMethodName() = ["get", "post", "put", "patch", "delete"] }
+  }
+
+  /**
+   * An ActiveResource model object.
+   */
+  class ModelInstance extends DataFlow::Node {
+    ModelClass cls;
+
+    ModelInstance() {
+      exists(API::Node model | model = modelApiNode() |
+        this = model.getInstance().getAValueReachableFromSource() and
+        cls.getModelApiNode() = model
+      )
+      or
+      exists(FindCall call | call.flowsTo(this) | cls = call.getModelClass())
+      or
+      exists(CreateCall call | call.flowsTo(this) | cls = call.getModelClass())
+      or
+      exists(CustomHttpCall call | call.flowsTo(this) | cls = call.getModelClass())
+      or
+      exists(CollectionCall call |
+        call.getMethodName() = ["first", "last"] and
+        call.flowsTo(this)
+      |
+        cls = call.getCollection().getModelClass()
+      )
+    }
+
+    /** Gets the model class for this instance. */
+    ModelClass getModelClass() { result = cls }
+  }
+
+  /**
+   * A call to a method on an ActiveResource model object.
+   */
+  class ModelInstanceMethodCall extends DataFlow::CallNode {
+    ModelInstance i;
+
+    ModelInstanceMethodCall() { this.getReceiver() = i }
+
+    /** Gets the model instance for this call. */
+    ModelInstance getInstance() { result = i }
+
+    /** Gets the model class for this call. */
+    ModelClass getModelClass() { result = i.getModelClass() }
+  }
+
+  /**
+   * A collection of ActiveResource model objects.
+   */
+  class Collection extends DataFlow::Node {
+    ModelClassMethodCall classMethodCall;
+
+    Collection() {
+      classMethodCall.flowsTo(this) and
+      (
+        classMethodCall.getMethodName() = "all"
+        or
+        classMethodCall.getMethodName() = "find" and
+        classMethodCall.getArgument(0).asExpr().getConstantValue().isStringlikeValue("all")
+      )
+    }
+
+    /** Gets the model class for this collection. */
+    ModelClass getModelClass() { result = classMethodCall.getModelClass() }
+  }
+
+  /**
+   * A method call on a collection.
+   */
+  class CollectionCall extends DataFlow::CallNode {
+    CollectionCall() { this.getReceiver() instanceof Collection }
+
+    /** Gets the collection for this call. */
+    Collection getCollection() { result = this.getReceiver() }
+  }
+
+  private class ModelClassMethodCallAsHttpRequest extends HTTP::Client::Request::Range {
+    ModelClassMethodCall call;
+    ModelClass cls;
+
+    ModelClassMethodCallAsHttpRequest() {
+      this = call.asExpr().getExpr() and
+      call.getModelClass() = cls and
+      call.getMethodName() = ["all", "build", "create", "create!", "find", "first", "last"]
+    }
+
+    override string getFramework() { result = "ActiveResource" }
+
+    override predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
+      cls.disablesCertificateValidation(disablingNode)
+    }
+
+    override DataFlow::Node getAUrlPart() { result = cls.getASiteAssignment().getAUrlPart() }
+
+    override DataFlow::Node getResponseBody() { result = call }
+  }
+
+  private class ModelInstanceMethodCallAsHttpRequest extends HTTP::Client::Request::Range {
+    ModelInstanceMethodCall call;
+    ModelClass cls;
+
+    ModelInstanceMethodCallAsHttpRequest() {
+      this = call.asExpr().getExpr() and
+      call.getModelClass() = cls and
+      call.getMethodName() =
+        [
+          "exists?", "reload", "save", "save!", "destroy", "delete", "get", "patch", "post", "put",
+          "update_attribute", "update_attributes"
+        ]
+    }
+
+    override string getFramework() { result = "ActiveResource" }
+
+    override predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
+      cls.disablesCertificateValidation(disablingNode)
+    }
+
+    override DataFlow::Node getAUrlPart() { result = cls.getASiteAssignment().getAUrlPart() }
+
+    override DataFlow::Node getResponseBody() { result = call }
+  }
+
+  /**
+   * A call to a class method.
+   *
+   * TODO: is this general enough to be useful elsewhere?
+   *
+   * Examples:
+   * ```rb
+   * class A
+   *   def self.m; end
+   *
+   *   m # call
+   * end
+   *
+   * A.m # call
+   * ```
+   */
+  private DataFlow::CallNode classMethodCall(API::Node classNode, string methodName) {
+    // A.m
+    result = classNode.getAMethodCall(methodName)
+    or
+    // class A
+    //   A.m
+    //  end
+    result.getReceiver().asExpr() instanceof ExprNodes::SelfVariableAccessCfgNode and
+    result.asExpr().getExpr().getEnclosingModule().(ClassDeclaration).getSuperclassExpr() =
+      classNode.getAValueReachableFromSource().asExpr().getExpr() and
+    result.getMethodName() = methodName
+  }
+}

ruby/ql/test/library-tests/frameworks/active_resource/ActiveResource.expected

@@ -0,0 +1,52 @@
+modelClasses
+| active_resource.rb:1:1:3:3 | Person | active_resource.rb:2:3:2:11 | call to site= | false |
+| active_resource.rb:29:1:31:3 | Post | active_resource.rb:30:3:30:11 | call to site= | true |
+modelClassMethodCalls
+| active_resource.rb:2:3:2:11 | call to site= |
+| active_resource.rb:5:9:5:33 | call to new |
+| active_resource.rb:8:9:8:22 | call to find |
+| active_resource.rb:16:1:16:23 | call to new |
+| active_resource.rb:18:1:18:22 | call to get |
+| active_resource.rb:23:10:23:19 | call to all |
+| active_resource.rb:24:10:24:26 | call to find |
+| active_resource.rb:30:3:30:11 | call to site= |
+modelInstances
+| active_resource.rb:5:1:5:33 | ... = ... |
+| active_resource.rb:5:1:5:33 | ... = ... |
+| active_resource.rb:5:9:5:33 | call to new |
+| active_resource.rb:6:1:6:5 | alice |
+| active_resource.rb:8:1:8:22 | ... = ... |
+| active_resource.rb:8:1:8:22 | ... = ... |
+| active_resource.rb:8:9:8:22 | call to find |
+| active_resource.rb:9:1:9:5 | alice |
+| active_resource.rb:10:1:10:5 | alice |
+| active_resource.rb:12:1:12:5 | alice |
+| active_resource.rb:16:1:16:23 | call to new |
+| active_resource.rb:17:1:17:5 | alice |
+| active_resource.rb:18:1:18:22 | call to get |
+| active_resource.rb:19:1:19:5 | alice |
+| active_resource.rb:24:1:24:26 | ... = ... |
+| active_resource.rb:24:1:24:26 | ... = ... |
+| active_resource.rb:24:10:24:26 | call to find |
+| active_resource.rb:26:1:26:20 | ... = ... |
+| active_resource.rb:26:1:26:20 | ... = ... |
+| active_resource.rb:26:9:26:14 | people |
+| active_resource.rb:26:9:26:20 | call to first |
+| active_resource.rb:27:1:27:5 | alice |
+modelInstanceMethodCalls
+| active_resource.rb:6:1:6:10 | call to save |
+| active_resource.rb:9:1:9:13 | call to address= |
+| active_resource.rb:10:1:10:10 | call to save |
+| active_resource.rb:12:1:12:13 | call to destroy |
+| active_resource.rb:16:1:16:39 | call to post |
+| active_resource.rb:17:1:17:19 | call to put |
+| active_resource.rb:19:1:19:19 | call to delete |
+| active_resource.rb:26:9:26:20 | call to first |
+| active_resource.rb:27:1:27:10 | call to save |
+collections
+| active_resource.rb:23:1:23:19 | ... = ... |
+| active_resource.rb:23:10:23:19 | call to all |
+| active_resource.rb:24:1:24:26 | ... = ... |
+| active_resource.rb:24:1:24:26 | ... = ... |
+| active_resource.rb:24:10:24:26 | call to find |
+| active_resource.rb:26:9:26:14 | people |

ruby/ql/test/library-tests/frameworks/active_resource/ActiveResource.ql

@@ -0,0 +1,20 @@
+import ruby
+import codeql.ruby.DataFlow
+import codeql.ruby.frameworks.ActiveResource
+
+query predicate modelClasses(
+  ActiveResource::ModelClass c, DataFlow::Node siteAssignCall, boolean disablesCertificateValidation
+) {
+  c.getASiteAssignment() = siteAssignCall and
+  if c.disablesCertificateValidation(siteAssignCall)
+  then disablesCertificateValidation = true
+  else disablesCertificateValidation = false
+}
+
+query predicate modelClassMethodCalls(ActiveResource::ModelClassMethodCall c) { any() }
+
+query predicate modelInstances(ActiveResource::ModelInstance c) { any() }
+
+query predicate modelInstanceMethodCalls(ActiveResource::ModelInstanceMethodCall c) { any() }
+
+query predicate collections(ActiveResource::Collection c) { any() }