Ruby: Implement new disablesCertificateValidation for all HTTP client models

Sadly most alert text changed, but the two important changes are:

1. The request on RestClient.rb:19 now has an expanded alert text,
   highlighting where the origin of the value that disables certificate
   validation comes from. (in this case, it's trivial since it's the
   line right above)
2. We handle passing `false`/`OpenSSL::SSL::VERIFY_NONE` the same in the
   argument passing examples in Faraday.rb

Author: RasmusWL

ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll

@@ -7,6 +7,7 @@ private import codeql.ruby.CFG
 private import codeql.ruby.Concepts
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.internal.DataFlowImplForLibraries as DataFlowImplForLibraries
 
 /**
  * A call that makes an HTTP request using `Excon`.
@@ -61,96 +62,87 @@ class ExconHttpRequest extends HTTP::Client::Request::Range, DataFlow::CallNode
     result = connectionUse.(DataFlow::CallNode).getArgument(0)
   }
 
-  override predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
-    // Check for `ssl_verify_peer: false` in the options hash.
-    exists(DataFlow::Node arg, int i |
-      i > 0 and
-      arg = connectionNode.getAValueReachableFromSource().(DataFlow::CallNode).getArgument(i)
-    |
-      argSetsVerifyPeer(arg, false, disablingNode)
-    )
-    or
-    // Or we see a call to `Excon.defaults[:ssl_verify_peer] = false` before the
-    // request, and no `ssl_verify_peer: true` in the explicit options hash for
-    // the request call.
-    exists(DataFlow::CallNode disableCall |
-      setsDefaultVerification(disableCall, false) and
-      disableCall.asExpr().getASuccessor+() = this.asExpr() and
-      disablingNode = disableCall and
-      not exists(DataFlow::Node arg, int i |
-        i > 0 and
-        arg = connectionNode.getAValueReachableFromSource().(DataFlow::CallNode).getArgument(i)
+  /** Gets the value that controls certificate validation, if any. */
+  DataFlow::Node getCertificateValidationControllingValue() {
+    exists(DataFlow::CallNode newCall | newCall = connectionNode.getAValueReachableFromSource() |
+      // Check for `ssl_verify_peer: false`
+      result = newCall.getKeywordArgument("ssl_verify_peer")
+      or
+      // using a hashliteral
+      exists(
+        DataFlow::LocalSourceNode optionsNode, CfgNodes::ExprNodes::PairCfgNode p,
+        DataFlow::Node key
       |
-        argSetsVerifyPeer(arg, true, _)
+        // can't flow to argument 0, since that's the URL
+        optionsNode.flowsTo(newCall.getArgument(any(int i | i > 0))) and
+        p = optionsNode.asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair() and
+        key.asExpr() = p.getKey() and
+        key.getALocalSource()
+            .asExpr()
+            .getExpr()
+            .getConstantValue()
+            .isStringlikeValue("ssl_verify_peer") and
+        result.asExpr() = p.getValue()
       )
     )
   }
 
   override predicate disablesCertificateValidation(
     DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
   ) {
-    disablesCertificateValidation(disablingNode) and
-    argumentOrigin = disablingNode
+    any(ExconDisablesCertificateValidationConfiguration config)
+        .hasFlow(argumentOrigin, disablingNode) and
+    disablingNode = this.getCertificateValidationControllingValue()
+    or
+    // We set `Excon.defaults[:ssl_verify_peer]` or `Excon.ssl_verify_peer` = false`
+    // before the request, and no `ssl_verify_peer: true` in the explicit options hash
+    // for the request call.
+    exists(DataFlow::CallNode disableCall, BooleanLiteral value |
+      // Excon.defaults[:ssl_verify_peer]
+      disableCall = API::getTopLevelMember("Excon").getReturn("defaults").getAMethodCall("[]=") and
+      disableCall
+          .getArgument(0)
+          .getALocalSource()
+          .asExpr()
+          .getExpr()
+          .getConstantValue()
+          .isStringlikeValue("ssl_verify_peer") and
+      disablingNode = disableCall.getArgument(1) and
+      argumentOrigin = disablingNode.getALocalSource() and
+      value = argumentOrigin.asExpr().getExpr()
+      or
+      // Excon.ssl_verify_peer
+      disableCall = API::getTopLevelMember("Excon").getAMethodCall("ssl_verify_peer=") and
+      disablingNode = disableCall.getArgument(0) and
+      argumentOrigin = disablingNode.getALocalSource() and
+      value = argumentOrigin.asExpr().getExpr()
+    |
+      value.getValue() = false and
+      disableCall.asExpr().getASuccessor+() = this.asExpr() and
+      // no `ssl_verify_peer: true` in the request call.
+      not this.getCertificateValidationControllingValue()
+          .getALocalSource()
+          .asExpr()
+          .getExpr()
+          .(BooleanLiteral)
+          .getValue() = true
+    )
   }
 
   override string getFramework() { result = "Excon" }
 }
 
-/**
- * Holds if `arg` represents an options hash that contains the key
- * `:ssl_verify_peer` with `value`, where `kvNode` is the data-flow node for
- * this key-value pair.
- */
-predicate argSetsVerifyPeer(DataFlow::Node arg, boolean value, DataFlow::Node kvNode) {
-  // Either passed as an individual key:value argument, e.g.:
-  // Excon.get(..., ssl_verify_peer: false)
-  isSslVerifyPeerPair(arg.asExpr(), value) and
-  kvNode = arg
-  or
-  // Or as a single hash argument, e.g.:
-  // Excon.get(..., { ssl_verify_peer: false, ... })
-  exists(DataFlow::LocalSourceNode optionsNode, CfgNodes::ExprNodes::PairCfgNode p |
-    p = optionsNode.asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair() and
-    isSslVerifyPeerPair(p, value) and
-    optionsNode.flowsTo(arg) and
-    kvNode.asExpr() = p
-  )
-}
-
-/**
- * Holds if `callNode` sets `Excon.defaults[:ssl_verify_peer]` or
- * `Excon.ssl_verify_peer` to `value`.
- */
-private predicate setsDefaultVerification(DataFlow::CallNode callNode, boolean value) {
-  callNode = API::getTopLevelMember("Excon").getReturn("defaults").getAMethodCall("[]=") and
-  isSslVerifyPeerLiteral(callNode.getArgument(0)) and
-  hasBooleanValue(callNode.getArgument(1), value)
-  or
-  callNode = API::getTopLevelMember("Excon").getAMethodCall("ssl_verify_peer=") and
-  hasBooleanValue(callNode.getArgument(0), value)
-}
-
-private predicate isSslVerifyPeerLiteral(DataFlow::Node node) {
-  exists(DataFlow::LocalSourceNode literal |
-    literal.asExpr().getExpr().getConstantValue().isStringlikeValue("ssl_verify_peer") and
-    literal.flowsTo(node)
-  )
-}
+/** A configuration to track values that can disable certificate validation for Excon. */
+private class ExconDisablesCertificateValidationConfiguration extends DataFlowImplForLibraries::Configuration {
+  ExconDisablesCertificateValidationConfiguration() {
+    this = "ExconDisablesCertificateValidationConfiguration"
+  }
 
-/** Holds if `node` can contain `value`. */
-private predicate hasBooleanValue(DataFlow::Node node, boolean value) {
-  exists(DataFlow::LocalSourceNode literal |
-    literal.asExpr().getExpr().(BooleanLiteral).getValue() = value and
-    literal.flowsTo(node)
-  )
-}
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr().getExpr().(BooleanLiteral).isFalse()
+  }
 
-/** Holds if `p` is the pair `ssl_verify_peer: <value>`. */
-private predicate isSslVerifyPeerPair(CfgNodes::ExprNodes::PairCfgNode p, boolean value) {
-  exists(DataFlow::Node key, DataFlow::Node valueNode |
-    key.asExpr() = p.getKey() and
-    valueNode.asExpr() = p.getValue() and
-    isSslVerifyPeerLiteral(key) and
-    hasBooleanValue(valueNode, value)
-  )
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(ExconHttpRequest req).getCertificateValidationControllingValue()
+  }
 }

ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll

@@ -7,6 +7,7 @@ private import codeql.ruby.CFG
 private import codeql.ruby.Concepts
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.internal.DataFlowImplForLibraries as DataFlowImplForLibraries
 
 /**
  * A call that makes an HTTP request using `Faraday`.
@@ -49,119 +50,66 @@ class FaradayHttpRequest extends HTTP::Client::Request::Range, DataFlow::CallNod
     result = connectionUse.(DataFlow::CallNode).getKeywordArgument("url")
   }
 
-  override predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
+  /** Gets the value that controls certificate validation, if any, with argument name `name`. */
+  DataFlow::Node getCertificateValidationControllingValue(string argName) {
     // `Faraday::new` takes an options hash as its second argument, and we're
     // looking for
     // `{ ssl: { verify: false } }`
     // or
     // `{ ssl: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }`
-    exists(DataFlow::Node arg, int i |
-      i > 0 and
-      arg = connectionNode.getAValueReachableFromSource().(DataFlow::CallNode).getArgument(i)
-    |
-      // Either passed as an individual key:value argument, e.g.:
-      // Faraday.new(..., ssl: {...})
-      isSslOptionsPairDisablingValidation(arg.asExpr()) and
-      disablingNode = arg
+    argName in ["verify", "verify_mode"] and
+    exists(DataFlow::Node sslValue, DataFlow::CallNode newCall |
+      newCall = connectionNode.getAValueReachableFromSource() and
+      sslValue = newCall.getKeywordArgument("ssl")
       or
-      // Or as a single hash argument, e.g.:
-      // Faraday.new(..., { ssl: {...} })
-      exists(DataFlow::LocalSourceNode optionsNode, CfgNodes::ExprNodes::PairCfgNode p |
+      // using a hashliteral
+      exists(
+        DataFlow::LocalSourceNode optionsNode, CfgNodes::ExprNodes::PairCfgNode p,
+        DataFlow::Node key
+      |
+        // can't flow to argument 0, since that's the URL
+        optionsNode.flowsTo(newCall.getArgument(any(int i | i > 0))) and
         p = optionsNode.asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair() and
-        isSslOptionsPairDisablingValidation(p) and
-        optionsNode.flowsTo(arg) and
-        disablingNode.asExpr() = p
+        key.asExpr() = p.getKey() and
+        key.getALocalSource().asExpr().getExpr().getConstantValue().isStringlikeValue("ssl") and
+        sslValue.asExpr() = p.getValue()
+      )
+    |
+      exists(CfgNodes::ExprNodes::PairCfgNode p, DataFlow::Node key |
+        p = sslValue.asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair() and
+        key.asExpr() = p.getKey() and
+        key.getALocalSource().asExpr().getExpr().getConstantValue().isStringlikeValue(argName) and
+        result.asExpr() = p.getValue()
       )
     )
   }
 
   override predicate disablesCertificateValidation(
     DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
   ) {
-    disablesCertificateValidation(disablingNode) and
-    argumentOrigin = disablingNode
+    any(FaradayDisablesCertificateValidationConfiguration config)
+        .hasFlow(argumentOrigin, disablingNode) and
+    disablingNode = this.getCertificateValidationControllingValue(_)
   }
 
   override string getFramework() { result = "Faraday" }
 }
 
-/**
- * Holds if the pair `p` contains the key `:ssl` for which the value is a hash
- * containing either `verify: false` or
- * `verify_mode: OpenSSL::SSL::VERIFY_NONE`.
- */
-private predicate isSslOptionsPairDisablingValidation(CfgNodes::ExprNodes::PairCfgNode p) {
-  exists(DataFlow::Node key, DataFlow::Node value |
-    key.asExpr() = p.getKey() and
-    value.asExpr() = p.getValue() and
-    isSymbolLiteral(key, "ssl") and
-    (isHashWithVerifyFalse(value) or isHashWithVerifyModeNone(value))
-  )
-}
-
-/** Holds if `node` represents the symbol literal with the given `valueText`. */
-private predicate isSymbolLiteral(DataFlow::Node node, string valueText) {
-  exists(DataFlow::LocalSourceNode literal |
-    literal.asExpr().getExpr().getConstantValue().isStringlikeValue(valueText) and
-    literal.flowsTo(node)
-  )
-}
-
-/**
- * Holds if `node` represents a hash containing the key-value pair
- * `verify: false`.
- */
-private predicate isHashWithVerifyFalse(DataFlow::Node node) {
-  exists(DataFlow::LocalSourceNode hash |
-    isVerifyFalsePair(hash.asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair()) and
-    hash.flowsTo(node)
-  )
-}
-
-/**
- * Holds if `node` represents a hash containing the key-value pair
- * `verify_mode: OpenSSL::SSL::VERIFY_NONE`.
- */
-private predicate isHashWithVerifyModeNone(DataFlow::Node node) {
-  exists(DataFlow::LocalSourceNode hash |
-    isVerifyModeNonePair(hash.asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair()) and
-    hash.flowsTo(node)
-  )
-}
-
-/**
- * Holds if the pair `p` has the key `:verify_mode` and the value
- * `OpenSSL::SSL::VERIFY_NONE`.
- */
-private predicate isVerifyModeNonePair(CfgNodes::ExprNodes::PairCfgNode p) {
-  exists(DataFlow::Node key, DataFlow::Node value |
-    key.asExpr() = p.getKey() and
-    value.asExpr() = p.getValue() and
-    isSymbolLiteral(key, "verify_mode") and
-    value =
-      API::getTopLevelMember("OpenSSL")
-          .getMember("SSL")
-          .getMember("VERIFY_NONE")
-          .getAValueReachableFromSource()
-  )
-}
+/** A configuration to track values that can disable certificate validation for Faraday. */
+private class FaradayDisablesCertificateValidationConfiguration extends DataFlowImplForLibraries::Configuration {
+  FaradayDisablesCertificateValidationConfiguration() {
+    this = "FaradayDisablesCertificateValidationConfiguration"
+  }
 
-/**
- * Holds if the pair `p` has the key `:verify` and the value `false`.
- */
-private predicate isVerifyFalsePair(CfgNodes::ExprNodes::PairCfgNode p) {
-  exists(DataFlow::Node key, DataFlow::Node value |
-    key.asExpr() = p.getKey() and
-    value.asExpr() = p.getValue() and
-    isSymbolLiteral(key, "verify") and
-    isFalse(value)
-  )
-}
+  override predicate isSource(DataFlow::Node source, DataFlowImplForLibraries::FlowState state) {
+    source.asExpr().getExpr().(BooleanLiteral).isFalse() and
+    state = "verify"
+    or
+    source = API::getTopLevelMember("OpenSSL").getMember("SSL").getMember("VERIFY_NONE").asSource() and
+    state = "verify_mode"
+  }
 
-/** Holds if `node` can contain the Boolean value `false`. */
-private predicate isFalse(DataFlow::Node node) {
-  exists(DataFlow::LocalSourceNode literal |
-    literal.asExpr().getExpr().(BooleanLiteral).isFalse() and
-    literal.flowsTo(node)
-  )
+  override predicate isSink(DataFlow::Node sink, DataFlowImplForLibraries::FlowState state) {
+    sink = any(FaradayHttpRequest req).getCertificateValidationControllingValue(state)
+  }
 }