Merge pull request #10538 from hmac/hmac/actioncontroller-parameters

Ruby: Model flow through ActionController::Parameters

Author: hmac

ruby/ql/lib/change-notes/2022-09-27-actioncontroller-parameters.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Taint flow through `ActionController::Parameters` is tracked more accurately.

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -382,3 +382,123 @@ private class SendFile extends FileSystemAccess::Range, DataFlow::CallNode {
 
   override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
 }
+
+private module ParamsSummaries {
+  private import codeql.ruby.dataflow.FlowSummary
+
+  /**
+   * An instance of `ActionController::Parameters`, including those returned
+   * from method calls on other instances.
+   */
+  private class ParamsInstance extends DataFlow::Node {
+    ParamsInstance() {
+      this.asExpr().getExpr() instanceof ParamsCall
+      or
+      this =
+        any(DataFlow::CallNode call |
+          call.getReceiver() instanceof ParamsInstance and
+          call.getMethodName() = paramsMethodReturningParamsInstance()
+        )
+      or
+      exists(ParamsInstance prev | prev.(DataFlow::LocalSourceNode).flowsTo(this))
+    }
+  }
+
+  /**
+   * Methods on `ActionController::Parameters` that return an instance of
+   * `ActionController::Parameters`.
+   */
+  string paramsMethodReturningParamsInstance() {
+    result =
+      [
+        "concat", "concat!", "compact_blank", "deep_dup", "deep_transform_keys", "delete_if",
+        // dig doesn't always return a Parameters instance, but it will if the
+        // given key refers to a nested hash parameter.
+        "dig", "each", "each_key", "each_pair", "each_value", "except", "keep_if", "merge",
+        "merge!", "permit", "reject", "reject!", "reverse_merge", "reverse_merge!", "select",
+        "select!", "slice", "slice!", "transform_keys", "transform_keys!", "transform_values",
+        "transform_values!", "with_defaults", "with_defaults!"
+      ]
+  }
+
+  /**
+   * Methods on `ActionController::Parameters` that propagate taint from
+   * receiver to return value.
+   */
+  string methodReturnsTaintFromSelf() {
+    result =
+      [
+        "as_json", "permit", "require", "required", "deep_dup", "deep_transform_keys",
+        "deep_transform_keys!", "delete_if", "extract!", "keep_if", "select", "select!", "reject",
+        "reject!", "to_h", "to_hash", "to_query", "to_param", "to_unsafe_h", "to_unsafe_hash",
+        "transform_keys", "transform_keys!", "transform_values", "transform_values!", "values_at"
+      ]
+  }
+
+  /**
+   * A flow summary for methods on `ActionController::Parameters` which
+   * propagate taint from receiver to return value.
+   */
+  private class MethodsReturningParamsInstanceSummary extends SummarizedCallable {
+    MethodsReturningParamsInstanceSummary() { this = "ActionController::Parameters#<various>" }
+
+    override MethodCall getACall() {
+      any(ParamsInstance i).asExpr().getExpr() = result.getReceiver() and
+      result.getMethodName() = methodReturnsTaintFromSelf()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /**
+   * `#merge`
+   * Returns a new ActionController::Parameters with all keys from other_hash merged into current hash.
+   * `#reverse_merge`
+   * `#with_defaults`
+   * Returns a new ActionController::Parameters with all keys from current hash merged into other_hash.
+   */
+  private class MergeSummary extends SummarizedCallable {
+    MergeSummary() { this = "ActionController::Parameters#merge" }
+
+    override MethodCall getACall() {
+      result.getMethodName() = ["merge", "reverse_merge", "with_defaults"] and
+      exists(ParamsInstance i |
+        i.asExpr().getExpr() = [result.getReceiver(), result.getArgument(0)]
+      )
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = ["Argument[self]", "Argument[0]"] and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /**
+   * `#merge!`
+   * Returns current ActionController::Parameters instance with current hash merged into other_hash.
+   * `#reverse_merge!`
+   * `#with_defaults!`
+   * Returns a new ActionController::Parameters with all keys from current hash merged into other_hash.
+   */
+  private class MergeBangSummary extends SummarizedCallable {
+    MergeBangSummary() { this = "ActionController::Parameters#merge!" }
+
+    override MethodCall getACall() {
+      result.getMethodName() = ["merge!", "reverse_merge!", "with_defaults!"] and
+      exists(ParamsInstance i |
+        i.asExpr().getExpr() = [result.getReceiver(), result.getArgument(0)]
+      )
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = ["Argument[self]", "Argument[0]"] and
+      output = ["ReturnValue", "Argument[self]"] and
+      preservesValue = false
+    }
+  }
+}

ruby/ql/test/library-tests/frameworks/ActionController.expected

@@ -1,4 +1,5 @@
 actionControllerControllerClasses
+| action_controller/params_flow.rb:1:1:151:3 | MyController |
 | active_record/ActiveRecord.rb:23:1:39:3 | FooController |
 | active_record/ActiveRecord.rb:41:1:64:3 | BarController |
 | active_record/ActiveRecord.rb:66:1:98:3 | BazController |
@@ -11,6 +12,39 @@ actionControllerControllerClasses
 | app/controllers/tags_controller.rb:1:1:2:3 | TagsController |
 | app/controllers/users/notifications_controller.rb:2:3:5:5 | NotificationsController |
 actionControllerActionMethods
+| action_controller/params_flow.rb:2:3:4:5 | m1 |
+| action_controller/params_flow.rb:6:3:8:5 | m2 |
+| action_controller/params_flow.rb:10:3:12:5 | m2 |
+| action_controller/params_flow.rb:14:3:16:5 | m3 |
+| action_controller/params_flow.rb:18:3:20:5 | m4 |
+| action_controller/params_flow.rb:22:3:24:5 | m5 |
+| action_controller/params_flow.rb:26:3:28:5 | m6 |
+| action_controller/params_flow.rb:30:3:32:5 | m7 |
+| action_controller/params_flow.rb:34:3:36:5 | m8 |
+| action_controller/params_flow.rb:38:3:40:5 | m9 |
+| action_controller/params_flow.rb:42:3:44:5 | m10 |
+| action_controller/params_flow.rb:46:3:48:5 | m11 |
+| action_controller/params_flow.rb:50:3:52:5 | m12 |
+| action_controller/params_flow.rb:54:3:56:5 | m13 |
+| action_controller/params_flow.rb:58:3:60:5 | m14 |
+| action_controller/params_flow.rb:62:3:64:5 | m15 |
+| action_controller/params_flow.rb:66:3:68:5 | m16 |
+| action_controller/params_flow.rb:70:3:72:5 | m17 |
+| action_controller/params_flow.rb:74:3:76:5 | m18 |
+| action_controller/params_flow.rb:78:3:80:5 | m19 |
+| action_controller/params_flow.rb:82:3:84:5 | m20 |
+| action_controller/params_flow.rb:86:3:88:5 | m21 |
+| action_controller/params_flow.rb:90:3:92:5 | m22 |
+| action_controller/params_flow.rb:94:3:96:5 | m23 |
+| action_controller/params_flow.rb:98:3:100:5 | m24 |
+| action_controller/params_flow.rb:102:3:104:5 | m25 |
+| action_controller/params_flow.rb:106:3:108:5 | m26 |
+| action_controller/params_flow.rb:110:3:113:5 | m27 |
+| action_controller/params_flow.rb:115:3:118:5 | m28 |
+| action_controller/params_flow.rb:120:3:123:5 | m29 |
+| action_controller/params_flow.rb:125:3:132:5 | m30 |
+| action_controller/params_flow.rb:134:3:141:5 | m31 |
+| action_controller/params_flow.rb:143:3:150:5 | m32 |
 | active_record/ActiveRecord.rb:27:3:38:5 | some_request_handler |
 | active_record/ActiveRecord.rb:42:3:47:5 | some_other_request_handler |
 | active_record/ActiveRecord.rb:49:3:63:5 | safe_paths |
@@ -39,6 +73,48 @@ actionControllerActionMethods
 | app/controllers/posts_controller.rb:8:3:9:5 | upvote |
 | app/controllers/users/notifications_controller.rb:3:5:4:7 | mark_as_read |
 paramsCalls
+| action_controller/params_flow.rb:3:10:3:15 | call to params |
+| action_controller/params_flow.rb:7:10:7:15 | call to params |
+| action_controller/params_flow.rb:11:10:11:15 | call to params |
+| action_controller/params_flow.rb:15:10:15:15 | call to params |
+| action_controller/params_flow.rb:19:10:19:15 | call to params |
+| action_controller/params_flow.rb:23:10:23:15 | call to params |
+| action_controller/params_flow.rb:27:10:27:15 | call to params |
+| action_controller/params_flow.rb:31:10:31:15 | call to params |
+| action_controller/params_flow.rb:35:10:35:15 | call to params |
+| action_controller/params_flow.rb:39:10:39:15 | call to params |
+| action_controller/params_flow.rb:43:10:43:15 | call to params |
+| action_controller/params_flow.rb:47:10:47:15 | call to params |
+| action_controller/params_flow.rb:51:10:51:15 | call to params |
+| action_controller/params_flow.rb:55:10:55:15 | call to params |
+| action_controller/params_flow.rb:59:10:59:15 | call to params |
+| action_controller/params_flow.rb:63:10:63:15 | call to params |
+| action_controller/params_flow.rb:67:10:67:15 | call to params |
+| action_controller/params_flow.rb:71:10:71:15 | call to params |
+| action_controller/params_flow.rb:75:10:75:15 | call to params |
+| action_controller/params_flow.rb:79:10:79:15 | call to params |
+| action_controller/params_flow.rb:83:10:83:15 | call to params |
+| action_controller/params_flow.rb:87:10:87:15 | call to params |
+| action_controller/params_flow.rb:91:10:91:15 | call to params |
+| action_controller/params_flow.rb:95:10:95:15 | call to params |
+| action_controller/params_flow.rb:99:10:99:15 | call to params |
+| action_controller/params_flow.rb:103:10:103:15 | call to params |
+| action_controller/params_flow.rb:107:10:107:15 | call to params |
+| action_controller/params_flow.rb:111:10:111:15 | call to params |
+| action_controller/params_flow.rb:112:23:112:28 | call to params |
+| action_controller/params_flow.rb:116:10:116:15 | call to params |
+| action_controller/params_flow.rb:117:31:117:36 | call to params |
+| action_controller/params_flow.rb:121:10:121:15 | call to params |
+| action_controller/params_flow.rb:122:31:122:36 | call to params |
+| action_controller/params_flow.rb:126:10:126:15 | call to params |
+| action_controller/params_flow.rb:127:24:127:29 | call to params |
+| action_controller/params_flow.rb:130:14:130:19 | call to params |
+| action_controller/params_flow.rb:135:10:135:15 | call to params |
+| action_controller/params_flow.rb:136:32:136:37 | call to params |
+| action_controller/params_flow.rb:139:22:139:27 | call to params |
+| action_controller/params_flow.rb:144:10:144:15 | call to params |
+| action_controller/params_flow.rb:145:32:145:37 | call to params |
+| action_controller/params_flow.rb:148:22:148:27 | call to params |
 | active_record/ActiveRecord.rb:28:30:28:35 | call to params |
 | active_record/ActiveRecord.rb:29:29:29:34 | call to params |
 | active_record/ActiveRecord.rb:30:31:30:36 | call to params |
@@ -71,6 +147,48 @@ paramsCalls
 | app/controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
 | app/views/foo/bars/show.html.erb:5:9:5:14 | call to params |
 paramsSources
+| action_controller/params_flow.rb:3:10:3:15 | call to params |
+| action_controller/params_flow.rb:7:10:7:15 | call to params |
+| action_controller/params_flow.rb:11:10:11:15 | call to params |
+| action_controller/params_flow.rb:15:10:15:15 | call to params |
+| action_controller/params_flow.rb:19:10:19:15 | call to params |
+| action_controller/params_flow.rb:23:10:23:15 | call to params |
+| action_controller/params_flow.rb:27:10:27:15 | call to params |
+| action_controller/params_flow.rb:31:10:31:15 | call to params |
+| action_controller/params_flow.rb:35:10:35:15 | call to params |
+| action_controller/params_flow.rb:39:10:39:15 | call to params |
+| action_controller/params_flow.rb:43:10:43:15 | call to params |
+| action_controller/params_flow.rb:47:10:47:15 | call to params |
+| action_controller/params_flow.rb:51:10:51:15 | call to params |
+| action_controller/params_flow.rb:55:10:55:15 | call to params |
+| action_controller/params_flow.rb:59:10:59:15 | call to params |
+| action_controller/params_flow.rb:63:10:63:15 | call to params |
+| action_controller/params_flow.rb:67:10:67:15 | call to params |
+| action_controller/params_flow.rb:71:10:71:15 | call to params |
+| action_controller/params_flow.rb:75:10:75:15 | call to params |
+| action_controller/params_flow.rb:79:10:79:15 | call to params |
+| action_controller/params_flow.rb:83:10:83:15 | call to params |
+| action_controller/params_flow.rb:87:10:87:15 | call to params |
+| action_controller/params_flow.rb:91:10:91:15 | call to params |
+| action_controller/params_flow.rb:95:10:95:15 | call to params |
+| action_controller/params_flow.rb:99:10:99:15 | call to params |
+| action_controller/params_flow.rb:103:10:103:15 | call to params |
+| action_controller/params_flow.rb:107:10:107:15 | call to params |
+| action_controller/params_flow.rb:111:10:111:15 | call to params |
+| action_controller/params_flow.rb:112:23:112:28 | call to params |
+| action_controller/params_flow.rb:116:10:116:15 | call to params |
+| action_controller/params_flow.rb:117:31:117:36 | call to params |
+| action_controller/params_flow.rb:121:10:121:15 | call to params |
+| action_controller/params_flow.rb:122:31:122:36 | call to params |
+| action_controller/params_flow.rb:126:10:126:15 | call to params |
+| action_controller/params_flow.rb:127:24:127:29 | call to params |
+| action_controller/params_flow.rb:130:14:130:19 | call to params |
+| action_controller/params_flow.rb:135:10:135:15 | call to params |
+| action_controller/params_flow.rb:136:32:136:37 | call to params |
+| action_controller/params_flow.rb:139:22:139:27 | call to params |
+| action_controller/params_flow.rb:144:10:144:15 | call to params |
+| action_controller/params_flow.rb:145:32:145:37 | call to params |
+| action_controller/params_flow.rb:148:22:148:27 | call to params |
 | active_record/ActiveRecord.rb:28:30:28:35 | call to params |
 | active_record/ActiveRecord.rb:29:29:29:34 | call to params |
 | active_record/ActiveRecord.rb:30:31:30:36 | call to params |