Merge pull request github#315 from github/hmac-outgoing-http

Model more HTTP clients

Author: hmac

ql/lib/codeql/ruby/Frameworks.qll

@@ -7,4 +7,4 @@ private import codeql.ruby.frameworks.ActiveRecord
 private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.StandardLibrary
 private import codeql.ruby.frameworks.Files
-private import codeql.ruby.frameworks.HTTPClients
+private import codeql.ruby.frameworks.HttpClients

ql/lib/codeql/ruby/frameworks/HTTPClients.qll

@@ -0,0 +1,12 @@
+/**
+ * Helper file that imports all HTTP clients.
+ */
+
+private import codeql.ruby.frameworks.http_clients.NetHttp
+private import codeql.ruby.frameworks.http_clients.Excon
+private import codeql.ruby.frameworks.http_clients.Faraday
+private import codeql.ruby.frameworks.http_clients.RestClient
+private import codeql.ruby.frameworks.http_clients.Httparty
+private import codeql.ruby.frameworks.http_clients.HttpClient
+private import codeql.ruby.frameworks.http_clients.OpenURI
+private import codeql.ruby.frameworks.http_clients.Typhoeus

ql/lib/codeql/ruby/frameworks/HttpClients.qll

@@ -17,11 +17,11 @@ private import codeql.ruby.ApiGraphs
  * TODO: pipelining, streaming responses
  * https://github.com/excon/excon/blob/master/README.md
  */
-class ExconHTTPRequest extends HTTP::Client::Request::Range {
+class ExconHttpRequest extends HTTP::Client::Request::Range {
   DataFlow::Node request;
   DataFlow::CallNode responseBody;
 
-  ExconHTTPRequest() {
+  ExconHttpRequest() {
     exists(API::Node requestNode | request = requestNode.getAnImmediateUse() |
       requestNode =
         [

ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll

@@ -13,11 +13,11 @@ private import codeql.ruby.ApiGraphs
  * connection.get("/").body
  * ```
  */
-class FaradayHTTPRequest extends HTTP::Client::Request::Range {
+class FaradayHttpRequest extends HTTP::Client::Request::Range {
   DataFlow::Node request;
   DataFlow::CallNode responseBody;
 
-  FaradayHTTPRequest() {
+  FaradayHttpRequest() {
     exists(API::Node requestNode |
       requestNode =
         [

ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll

@@ -0,0 +1,40 @@
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+
+/**
+ * A call that makes an HTTP request using `HTTPClient`.
+ * ```ruby
+ * HTTPClient.get("http://example.com").body
+ * HTTPClient.get_content("http://example.com")
+ * ```
+ */
+class HttpClientRequest extends HTTP::Client::Request::Range {
+  DataFlow::Node request;
+  DataFlow::CallNode responseBody;
+
+  HttpClientRequest() {
+    exists(API::Node requestNode, string method |
+      request = requestNode.getAnImmediateUse() and
+      method in [
+          "get", "head", "delete", "options", "post", "put", "trace", "get_content", "post_content"
+        ]
+    |
+      requestNode = API::getTopLevelMember("HTTPClient").getReturn(method) and
+      (
+        // The `get_content` and `post_content` methods return the response body as a string.
+        // The other methods return a `HTTPClient::Message` object which has various methods
+        // that return the response body.
+        method in ["get_content", "post_content"] and responseBody = request
+        or
+        not method in ["get_content", "put_content"] and
+        responseBody = requestNode.getAMethodCall(["body", "http_body", "content", "dump"])
+      ) and
+      this = request.asExpr().getExpr()
+    )
+  }
+
+  override DataFlow::Node getResponseBody() { result = responseBody }
+
+  override string getFramework() { result = "HTTPClient" }
+}

ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll

@@ -0,0 +1,46 @@
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+
+/**
+ * A call that makes an HTTP request using `HTTParty`.
+ * ```ruby
+ * # one-off request - returns the response body
+ * HTTParty.get("http://example.com")
+ *
+ * # TODO: module inclusion
+ * class MyClass
+ *  include HTTParty
+ * end
+ *
+ * MyClass.new("http://example.com")
+ * ```
+ */
+class HttpartyRequest extends HTTP::Client::Request::Range {
+  DataFlow::Node request;
+  DataFlow::CallNode responseBody;
+
+  HttpartyRequest() {
+    exists(API::Node requestNode | request = requestNode.getAnImmediateUse() |
+      requestNode =
+        API::getTopLevelMember("HTTParty")
+            .getReturn(["get", "head", "delete", "options", "post", "put", "patch"]) and
+      (
+        // If HTTParty can recognise the response type, it will parse and return it
+        // directly from the request call. Otherwise, it will return a `HTTParty::Response`
+        // object that has a `#body` method.
+        // So if there's a call to `#body` on the response, treat that as the response body.
+        exists(DataFlow::Node r | r = requestNode.getAMethodCall("body") | responseBody = r)
+        or
+        // Otherwise, treat the response as the response body.
+        not exists(DataFlow::Node r | r = requestNode.getAMethodCall("body")) and
+        responseBody = request
+      ) and
+      this = request.asExpr().getExpr()
+    )
+  }
+
+  override DataFlow::Node getResponseBody() { result = responseBody }
+
+  override string getFramework() { result = "HTTParty" }
+}

ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll

@@ -13,11 +13,11 @@ private import codeql.ruby.dataflow.internal.DataFlowPublic
  * response = req.get("/")
  * ```
  */
-class NetHTTPRequest extends HTTP::Client::Request::Range {
+class NetHttpRequest extends HTTP::Client::Request::Range {
   private DataFlow::CallNode request;
   private DataFlow::Node responseBody;
 
-  NetHTTPRequest() {
+  NetHttpRequest() {
     exists(API::Node requestNode, string method |
       request = requestNode.getAnImmediateUse() and
       this = request.asExpr().getExpr()

ql/lib/codeql/ruby/frameworks/http_clients/NetHTTP.qll renamed to ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll

@@ -0,0 +1,39 @@
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.frameworks.StandardLibrary
+
+/**
+ * A call that makes an HTTP request using `OpenURI`.
+ * ```ruby
+ * Kernel.open("http://example.com").read
+ * URI.open("http://example.com").readlines
+ * URI.parse("http://example.com").open.read
+ * ```
+ */
+class OpenURIRequest extends HTTP::Client::Request::Range {
+  DataFlow::Node request;
+  DataFlow::CallNode responseBody;
+
+  OpenURIRequest() {
+    exists(API::Node requestNode | request = requestNode.getAnImmediateUse() |
+      requestNode =
+        [API::getTopLevelMember("URI"), API::getTopLevelMember("URI").getReturn("parse")]
+            .getReturn("open") and
+      responseBody = requestNode.getAMethodCall(["read", "readlines"]) and
+      this = request.asExpr().getExpr()
+    )
+    or
+    // Kernel.open("http://example.com").read
+    // open("http://example.com").read
+    this instanceof KernelMethodCall and
+    this.getMethodName() = "open" and
+    request.asExpr().getExpr() = this and
+    responseBody.asExpr().getExpr().(MethodCall).getMethodName() in ["read", "readlines"] and
+    request.(DataFlow::LocalSourceNode).flowsTo(responseBody.getReceiver())
+  }
+
+  override DataFlow::Node getResponseBody() { result = responseBody }
+
+  override string getFramework() { result = "OpenURI" }
+}

ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll

@@ -8,11 +8,11 @@ private import codeql.ruby.ApiGraphs
  * RestClient.get("http://example.com").body
  * ```
  */
-class RestClientHTTPRequest extends HTTP::Client::Request::Range {
+class RestClientHttpRequest extends HTTP::Client::Request::Range {
   DataFlow::Node request;
   DataFlow::CallNode responseBody;
 
-  RestClientHTTPRequest() {
+  RestClientHttpRequest() {
     exists(API::Node requestNode |
       requestNode =
         API::getTopLevelMember("RestClient")