add archive api file open query and test

thiggy1342 · web-flow · commit 074583eab8c3 · 2022-06-06T21:09:57.000Z
diff --git a/ruby/ql/src/experimental/archive-api-path-traversal/ArchiveApiPathTraversal.ql b/ruby/ql/src/experimental/archive-api-path-traversal/ArchiveApiPathTraversal.ql
@@ -0,0 +1,71 @@
+/**
+ * @name User-controlled filename in archive library
+ * @description User-controlled data that flows into File I/O of archive libraries could be dangerous
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.0
+ * @precision medium
+ * @id rb/user-controlled-path-traversal-archive-library
+ * @tags security external/cwe/cwe-22
+ */
+
+import ruby
+import codeql.ruby.ApiGraphs
+import codeql.ruby.DataFlow
+import codeql.ruby.dataflow.RemoteFlowSources
+import codeql.ruby.dataflow.BarrierGuards
+import codeql.ruby.TaintTracking
+import DataFlow::PathGraph
+
+class ArchiveApiFileOpen extends DataFlow::Node {
+
+    // this should find the first argument of Zlib::Inflate.inflate or Zip::File.extract
+    ArchiveApiFileOpen() {
+        this instanceof RubyZipFileOpen or
+        this instanceof TarReaderFileOpen
+    }
+
+}
+
+class RubyZipFileOpen extends DataFlow::Node {
+    // find any use of Zip::File.open()
+    RubyZipFileOpen() {
+        this = API::getTopLevelMember("Zip").getMember("File").getAMethodCall("open").getArgument(0)
+    }
+}
+
+class TarReaderFileOpen extends DataFlow::Node {
+    // this should find a use of File.open() in context of a block opened in context of Gem::Package::TarReader.new()
+    TarReaderFileOpen() {
+        this = API::getTopLevelMember("File").getAMethodCall("open").getArgument(0) and
+        this.asExpr().getExpr().getParent+() = API::getTopLevelMember("Gem").getMember("Package").getMember("TarReader").getAnInstantiation().asExpr().getExpr()
+    }
+}
+
+class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "ArchiveApiFileOpen" }
+  
+    // this predicate will be used to contstrain our query to find instances where only remote user-controlled data flows to the sink
+    override predicate isSource(DataFlow::Node source) {
+        source instanceof RemoteFlowSource
+    }
+
+    // our Decompression APIs defined above will the the sinks we use for this query
+    override predicate isSink(DataFlow::Node sink) {
+        sink instanceof ArchiveApiFileOpen
+    }
+
+    // I think it would also be helpful to reduce false positives by adding a simple sanitizer config in the event
+    // that the code first checks the file name against a string literal or array of string literals before calling
+    // the decompression API
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+        guard instanceof StringConstCompare or
+        guard instanceof StringConstArrayInclusionCall
+    }
+  }
+  
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This call to $@ appears to extract an archive using user-controlled data $@ to set the filename. If the filename is not properly handled, they could end up writing to unintended places in the filesystem.", sink.getNode().asExpr().getExpr().getParent().toString(), sink.getNode().asExpr().getExpr().getParent().toString(), source.toString(), source.toString()
diff --git a/ruby/ql/test/query-tests/security/archive-api-path-traversal/ArchiveApiPathTraversal.expected b/ruby/ql/test/query-tests/security/archive-api-path-traversal/ArchiveApiPathTraversal.expected
@@ -0,0 +1,24 @@
+edges
+| ArchiveApiPathTraversal.rb:4:26:4:31 | call to params :  | ArchiveApiPathTraversal.rb:4:26:4:42 | ...[...] :  |
+| ArchiveApiPathTraversal.rb:4:26:4:42 | ...[...] :  | ArchiveApiPathTraversal.rb:11:17:11:27 | destination :  |
+| ArchiveApiPathTraversal.rb:8:11:8:16 | call to params :  | ArchiveApiPathTraversal.rb:8:11:8:23 | ...[...] :  |
+| ArchiveApiPathTraversal.rb:8:11:8:23 | ...[...] :  | ArchiveApiPathTraversal.rb:29:13:29:16 | file :  |
+| ArchiveApiPathTraversal.rb:11:17:11:27 | destination :  | ArchiveApiPathTraversal.rb:14:38:14:48 | destination :  |
+| ArchiveApiPathTraversal.rb:14:28:14:67 | call to join :  | ArchiveApiPathTraversal.rb:21:21:21:36 | destination_file |
+| ArchiveApiPathTraversal.rb:14:38:14:48 | destination :  | ArchiveApiPathTraversal.rb:14:28:14:67 | call to join :  |
+| ArchiveApiPathTraversal.rb:29:13:29:16 | file :  | ArchiveApiPathTraversal.rb:30:20:30:23 | file |
+nodes
+| ArchiveApiPathTraversal.rb:4:26:4:31 | call to params :  | semmle.label | call to params :  |
+| ArchiveApiPathTraversal.rb:4:26:4:42 | ...[...] :  | semmle.label | ...[...] :  |
+| ArchiveApiPathTraversal.rb:8:11:8:16 | call to params :  | semmle.label | call to params :  |
+| ArchiveApiPathTraversal.rb:8:11:8:23 | ...[...] :  | semmle.label | ...[...] :  |
+| ArchiveApiPathTraversal.rb:11:17:11:27 | destination :  | semmle.label | destination :  |
+| ArchiveApiPathTraversal.rb:14:28:14:67 | call to join :  | semmle.label | call to join :  |
+| ArchiveApiPathTraversal.rb:14:38:14:48 | destination :  | semmle.label | destination :  |
+| ArchiveApiPathTraversal.rb:21:21:21:36 | destination_file | semmle.label | destination_file |
+| ArchiveApiPathTraversal.rb:29:13:29:16 | file :  | semmle.label | file :  |
+| ArchiveApiPathTraversal.rb:30:20:30:23 | file | semmle.label | file |
+subpaths
+#select
+| ArchiveApiPathTraversal.rb:21:21:21:36 | destination_file | ArchiveApiPathTraversal.rb:4:26:4:31 | call to params :  | ArchiveApiPathTraversal.rb:21:21:21:36 | destination_file | This call to $@ appears to extract an archive using user-controlled data $@ to set the filename. If the filename is not properly handled, they could end up writing to unintended places in the filesystem. | call to open | call to open | call to params :  | call to params :  |
+| ArchiveApiPathTraversal.rb:30:20:30:23 | file | ArchiveApiPathTraversal.rb:8:11:8:16 | call to params :  | ArchiveApiPathTraversal.rb:30:20:30:23 | file | This call to $@ appears to extract an archive using user-controlled data $@ to set the filename. If the filename is not properly handled, they could end up writing to unintended places in the filesystem. | call to open | call to open | call to params :  | call to params :  |
diff --git a/ruby/ql/test/query-tests/security/archive-api-path-traversal/ArchiveApiPathTraversal.qlref b/ruby/ql/test/query-tests/security/archive-api-path-traversal/ArchiveApiPathTraversal.qlref
@@ -0,0 +1 @@
+experimental/archive-api-path-traversal/ArchiveApiPathTraversal.ql
diff --git a/ruby/ql/test/query-tests/security/archive-api-path-traversal/ArchiveApiPathTraversal.rb b/ruby/ql/test/query-tests/security/archive-api-path-traversal/ArchiveApiPathTraversal.rb
@@ -0,0 +1,36 @@
+class TestContoller < ActionController::Base
+  
+  def upload
+    untar params[:file], params[:filename]
+  end
+
+  def unpload_zip
+    unzip params[:file]
+  end
+
+  def untar(io, destination)
+    Gem::Package::TarReader.new io do |tar|
+      tar.each do |tarfile|
+        destination_file = File.join destination, tarfile.full_name
+        
+        if tarfile.directory?
+          FileUtils.mkdir_p destination_file
+        else
+          destination_directory = File.dirname(destination_file)
+          FileUtils.mkdir_p destination_directory unless File.directory?(destination_directory)
+          File.open destination_file, "wb" do |f|
+            f.print tarfile.read
+          end
+        end
+      end
+    end
+  end
+
+  def unzip(file)
+    Zip::File.open(file) do |zip_file|
+      zip_file.each do |entry|
+        entry.extract
+      end
+    end
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/archive-api-path-traversal/ArchiveApiPathTraversal.ql`