Merge pull request #358 from github/external-control-file-path

nickrolfe · web-flow · commit 3851a27fc190 · 2021-10-22T15:38:39.000+01:00
Add rb/path-injection query
diff --git a/ruby/change-notes/2021-10-20-path-injection.md b/ruby/change-notes/2021-10-20-path-injection.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* A new query (`rb/path-injection`) has been added. The query finds file operations using paths that derive from user input without being sanitized.
diff --git a/ruby/ql/lib/codeql/ruby/Concepts.qll b/ruby/ql/lib/codeql/ruby/Concepts.qll
@@ -583,3 +583,21 @@ module OrmInstantiation {
     abstract predicate methodCallMayAccessField(string methodName);
   }
 }
+
+/** Provides classes for modeling path-related APIs. */
+module Path {
+  /**
+   * A data-flow node that performs path sanitization. This is often needed in order
+   * to safely access paths.
+   */
+  class PathSanitization extends DataFlow::Node instanceof PathSanitization::Range { }
+
+  /** Provides a class for modeling new path sanitization APIs. */
+  module PathSanitization {
+    /**
+     * A data-flow node that performs path sanitization. This is often needed in order
+     * to safely access paths.
+     */
+    abstract class Range extends DataFlow::Node { }
+  }
+}
diff --git a/ruby/ql/lib/codeql/ruby/Frameworks.qll b/ruby/ql/lib/codeql/ruby/Frameworks.qll
@@ -4,6 +4,7 @@
 
 private import codeql.ruby.frameworks.ActionController
 private import codeql.ruby.frameworks.ActiveRecord
+private import codeql.ruby.frameworks.ActiveStorage
 private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.StandardLibrary
 private import codeql.ruby.frameworks.Files
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll b/ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll
@@ -6,7 +6,9 @@ private import internal.FlowSummaryImpl as Impl
 private import internal.DataFlowDispatch
 
 // import all instances below
-private module Summaries { }
+private module Summaries {
+  private import codeql.ruby.Frameworks
+}
 
 class SummaryComponent = Impl::Public::SummaryComponent;
 
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -398,7 +398,7 @@ private module ParameterNodes {
 
     override DataFlowCallable getEnclosingCallable() { result = sc }
 
-    override Location getLocationImpl() { none() }
+    override EmptyLocation getLocationImpl() { any() }
 
     override string toStringImpl() { result = "parameter " + pos + " of " + sc }
   }
@@ -417,7 +417,7 @@ private class SummaryNode extends NodeImpl, TSummaryNode {
 
   override DataFlowCallable getEnclosingCallable() { result = c }
 
-  override Location getLocationImpl() { none() }
+  override EmptyLocation getLocationImpl() { any() }
 
   override string toStringImpl() { result = "[summary] " + state + " in " + c }
 }
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImplSpecific.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -64,6 +64,9 @@ predicate summaryElement(DataFlowCallable c, string input, string output, string
 SummaryComponent interpretComponentSpecific(string c) {
   c = "BlockArgument" and
   result = FlowSummary::SummaryComponent::block()
+  or
+  c = "Argument[_]" and
+  result = FlowSummary::SummaryComponent::argument(any(int i | i >= 0))
 }
 
 /** Gets the return kind corresponding to specification `"ReturnValue"`. */
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveStorage.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveStorage.qll
@@ -0,0 +1,55 @@
+private import codeql.ruby.AST
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.FlowSummary
+
+/** Defines calls to  `ActiveStorage::Filename#sanitized` as path sanitizers. */
+class ActiveStorageFilenameSanitizedCall extends Path::PathSanitization::Range, DataFlow::CallNode {
+  ActiveStorageFilenameSanitizedCall() {
+    this.getReceiver() =
+      API::getTopLevelMember("ActiveStorage").getMember("Filename").getAnInstantiation() and
+    this.asExpr().getExpr().(MethodCall).getMethodName() = "sanitized"
+  }
+}
+
+/** Taint summary for `ActiveStorage::Filename.new`. */
+class ActiveStorageFilenameNewSummary extends SummarizedCallable {
+  ActiveStorageFilenameNewSummary() { this = "ActiveStorage::Filename.new" }
+
+  override MethodCall getACall() {
+    result =
+      API::getTopLevelMember("ActiveStorage")
+          .getMember("Filename")
+          .getAnInstantiation()
+          .asExpr()
+          .getExpr()
+  }
+
+  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+    input = "Argument[0]" and
+    output = "ReturnValue" and
+    preservesValue = false
+  }
+}
+
+/** Taint summary for `ActiveStorage::Filename#sanitized`. */
+class ActiveStorageFilenameSanitizedSummary extends SummarizedCallable {
+  ActiveStorageFilenameSanitizedSummary() { this = "ActiveStorage::Filename#sanitized" }
+
+  override MethodCall getACall() {
+    result =
+      API::getTopLevelMember("ActiveStorage")
+          .getMember("Filename")
+          .getInstance()
+          .getAMethodCall("sanitized")
+          .asExpr()
+          .getExpr()
+  }
+
+  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+    input = "Argument[-1]" and
+    output = "ReturnValue" and
+    preservesValue = false
+  }
+}
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Files.qll b/ruby/ql/lib/codeql/ruby/frameworks/Files.qll
@@ -7,6 +7,7 @@ private import codeql.ruby.Concepts
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.DataFlow
 private import codeql.ruby.frameworks.StandardLibrary
+private import codeql.ruby.dataflow.FlowSummary
 
 private DataFlow::Node ioInstanceInstantiation() {
   result = API::getTopLevelMember("IO").getAnInstantiation() or
@@ -253,6 +254,47 @@ module File {
 
     override DataFlow::Node getAPermissionNode() { result = permissionArg }
   }
+
+  /**
+   * Flow summary for several methods on the `File` class that propagate taint
+   * from their first argument to the return value.
+   */
+  class FilePathConversionSummary extends SummarizedCallable {
+    string methodName;
+
+    FilePathConversionSummary() {
+      methodName = ["absolute_path", "dirname", "expand_path", "path", "realdirpath", "realpath"] and
+      this = "File." + methodName
+    }
+
+    override MethodCall getACall() {
+      result = API::getTopLevelMember("File").getAMethodCall(methodName).asExpr().getExpr()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /**
+   * Flow summary for `File.join`, which propagates taint from every argument to
+   * its return value.
+   */
+  class FileJoinSummary extends SummarizedCallable {
+    FileJoinSummary() { this = "File.join" }
+
+    override MethodCall getACall() {
+      result = API::getTopLevelMember("File").getAMethodCall("join").asExpr().getExpr()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[_]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll
@@ -0,0 +1,54 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * path injection vulnerabilities, as well as extension points for
+ * adding your own.
+ */
+
+private import ruby
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.CFG
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.BarrierGuards
+private import codeql.ruby.dataflow.RemoteFlowSources
+
+module PathInjection {
+  /**
+   * A data flow source for path injection vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for path injection vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for path injection vulnerabilities.
+   */
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A file system access, considered as a flow sink.
+   */
+  class FileSystemAccessAsSink extends Sink {
+    FileSystemAccessAsSink() { this = any(FileSystemAccess e).getAPathArgument() }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+
+  /**
+   * An inclusion check against an array of constant strings, considered as a
+   * sanitizer-guard.
+   */
+  class StringConstArrayInclusionCallAsSanitizerGuard extends SanitizerGuard,
+    StringConstArrayInclusionCall { }
+}
diff --git a/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll
@@ -0,0 +1,31 @@
+/**
+ * Provides a taint tracking configuration for reasoning about
+ * path injection vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `PathInjection::Configuration` is needed, otherwise
+ * `PathInjectionCustomizations` should be imported instead.
+ */
+
+import PathInjectionCustomizations
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+private import codeql.ruby.TaintTracking
+
+/**
+ * A taint-tracking configuration for reasoning about path injection
+ * vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "PathInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof PathInjection::Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof PathInjection::Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Path::PathSanitization }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof PathInjection::SanitizerGuard
+  }
+}
diff --git a/ruby/ql/src/queries/security/cwe-022/PathInjection.qhelp b/ruby/ql/src/queries/security/cwe-022/PathInjection.qhelp
@@ -0,0 +1,61 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Accessing files using paths constructed from user-controlled data can allow an
+attacker to access unexpected resources. This can result in sensitive
+information being revealed or deleted, or an attacker being able to influence
+behavior by modifying unexpected files.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Validate user input before using it to construct a file path, either using an
+off-the-shelf library like <code>ActiveStorage::Filename#sanitized</code> in
+Rails, or by performing custom validation.
+</p>
+
+<p>
+Ideally, follow these rules:
+</p>
+
+<ul>
+<li>Do not allow more than a single "." character.</li>
+<li>Do not allow directory separators such as "/" or "\" (depending on the file
+system).</li>
+<li>Do not rely on simply replacing problematic sequences such as "../". For
+example, after applying this filter to ".../...//", the resulting string would
+still be "../".</li>
+<li>Use a whitelist of known good patterns.</li>
+</ul>
+</recommendation>
+
+<example>
+<p>
+In the first example, a file name is read from an HTTP request and then used to
+access a file.  However, a malicious user could enter a file name which is an
+absolute path, such as <code>"/etc/passwd"</code>.
+</p>
+
+<p>
+In the second example, it appears that the user is restricted to opening a file
+within the <code>"user"</code> home directory. However, a malicious user could
+enter a file name containing special characters. For example, the string
+<code>"../../etc/passwd"</code> will result in the code reading the file located
+at <code>"/home/user/../../etc/passwd"</code>, which is the system's password
+file. This file would then be sent back to the user, giving them access to all
+the system's passwords.
+</p>
+
+<sample src="examples/tainted_path.rb" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://owasp.org/www-community/attacks/Path_Traversal">Path Traversal</a>.</li>
+<li>Rails: <a href="https://api.rubyonrails.org/classes/ActiveStorage/Filename.html#method-i-sanitized">ActiveStorage::Filename#sanitized</a>.</li>
+</references>
+</qhelp>
diff --git a/ruby/ql/src/queries/security/cwe-022/PathInjection.ql b/ruby/ql/src/queries/security/cwe-022/PathInjection.ql
@@ -0,0 +1,26 @@
+/**
+ * @name Uncontrolled data used in path expression
+ * @description Accessing paths influenced by users can allow an attacker to access
+ *              unexpected resources.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id rb/path-injection
+ * @tags security
+ *       external/cwe/cwe-022
+ *       external/cwe/cwe-023
+ *       external/cwe/cwe-036
+ *       external/cwe/cwe-073
+ *       external/cwe/cwe-099
+ */
+
+import ruby
+import codeql.ruby.security.PathInjectionQuery
+import codeql.ruby.DataFlow
+import DataFlow::PathGraph
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This path depends on $@.", source.getNode(),
+  "a user-provided value"
diff --git a/ruby/ql/src/queries/security/cwe-022/examples/tainted_path.rb b/ruby/ql/src/queries/security/cwe-022/examples/tainted_path.rb
@@ -0,0 +1,11 @@
+class FilesController < ActionController::Base
+  def first_example
+    # BAD: This could read any file on the file system
+    @content = File.read params[:path]
+  end
+
+  def second_example
+    # BAD: This could still read any file on the file system
+    @content = File.read "/home/user/#{ params[:path] }"
+  end
+end
diff --git a/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected b/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected
diff --git a/ruby/ql/test/query-tests/security/cwe-022/PathInjection.qlref b/ruby/ql/test/query-tests/security/cwe-022/PathInjection.qlref
diff --git a/ruby/ql/test/query-tests/security/cwe-022/tainted_path.rb b/ruby/ql/test/query-tests/security/cwe-022/tainted_path.rb

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* A new query (`rb/path-injection`) has been added. The query finds file operations using paths that derive from user input without being sanitized.
Original file line number	Diff line number	Diff line change
`@@ -398,7 +398,7 @@ private module ParameterNodes {`
`398`	`398`
`399`	`399`	`override DataFlowCallable getEnclosingCallable() { result = sc }`
`400`	`400`
`401`		`- override Location getLocationImpl() { none() }`
	`401`	`+ override EmptyLocation getLocationImpl() { any() }`
`402`	`402`
`403`	`403`	`override string toStringImpl() { result = "parameter " + pos + " of " + sc }`
`404`	`404`	`}`
`@@ -417,7 +417,7 @@ private class SummaryNode extends NodeImpl, TSummaryNode {`
`417`	`417`
`418`	`418`	`override DataFlowCallable getEnclosingCallable() { result = c }`
`419`	`419`
`420`		`- override Location getLocationImpl() { none() }`
	`420`	`+ override EmptyLocation getLocationImpl() { any() }`
`421`	`421`
`422`	`422`	`override string toStringImpl() { result = "[summary] " + state + " in " + c }`
`423`	`423`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,9 @@ predicate summaryElement(DataFlowCallable c, string input, string output, string`
`64`	`64`	`SummaryComponent interpretComponentSpecific(string c) {`
`65`	`65`	`c = "BlockArgument" and`
`66`	`66`	`result = FlowSummary::SummaryComponent::block()`
	`67`	`+ or`
	`68`	`+ c = "Argument[_]" and`
	`69`	`+ result = FlowSummary::SummaryComponent::argument(any(int i \| i >= 0))`
`67`	`70`	`}`
`68`	`71`
`69`	`72`	/** Gets the return kind corresponding to specification `"ReturnValue"`. */