Ruby: add queries for measuring taint sources and sinks

asgerf · asgerf · commit c7c97d5bbb36 · 2022-02-22T14:29:47.000+01:00
diff --git a/ruby/ql/src/queries/meta/TaintSinks.ql b/ruby/ql/src/queries/meta/TaintSinks.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Taint sinks
+ * @description Sinks that are sensitive to untrusted data.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id rb/meta/taint-sinks
+ * @tags meta
+ * @precision very-low
+ */
+
+import internal.TaintMetrics
+
+from string kind
+select relevantTaintSink(kind), kind + " sink"
diff --git a/ruby/ql/src/queries/meta/TaintSources.ql b/ruby/ql/src/queries/meta/TaintSources.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Taint sources
+ * @description Sources of untrusted input.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id rb/meta/taint-sources
+ * @tags meta
+ * @precision very-low
+ */
+
+import internal.TaintMetrics
+
+from string kind
+select relevantTaintSource(kind), kind
diff --git a/ruby/ql/src/queries/meta/internal/TaintMetrics.qll b/ruby/ql/src/queries/meta/internal/TaintMetrics.qll
@@ -0,0 +1,38 @@
+private import codeql.files.FileSystem
+private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.RemoteFlowSources
+private import codeql.ruby.security.CodeInjectionCustomizations
+private import codeql.ruby.security.CommandInjectionCustomizations
+private import codeql.ruby.security.XSS
+private import codeql.ruby.security.PathInjectionCustomizations
+private import codeql.ruby.security.ServerSideRequestForgeryCustomizations
+private import codeql.ruby.security.UnsafeDeserializationCustomizations
+private import codeql.ruby.security.UrlRedirectCustomizations
+
+class RelevantFile extends File {
+  RelevantFile() { not getRelativePath().regexpMatch(".*/test(case)?s?/.*") }
+}
+
+RemoteFlowSource relevantTaintSource(string kind) {
+  result.getLocation().getFile() instanceof RelevantFile and
+  kind = result.getSourceType()
+}
+
+DataFlow::Node relevantTaintSink(string kind) {
+  result.getLocation().getFile() instanceof RelevantFile and
+  (
+    kind = "CodeInjection" and result instanceof CodeInjection::Sink
+    or
+    kind = "CommandInjection" and result instanceof CommandInjection::Sink
+    or
+    kind = "XSS" and result instanceof ReflectedXSS::Sink
+    or
+    kind = "PathInjection" and result instanceof PathInjection::Sink
+    or
+    kind = "ServerSideRequestForgery" and result instanceof ServerSideRequestForgery::Sink
+    or
+    kind = "UnsafeDeserialization" and result instanceof UnsafeDeserialization::Sink
+    or
+    kind = "UrlRedirect" and result instanceof UrlRedirect::Sink
+  )
+}
