Ruby: add taint steps from case value to variables in patterns

Author: aibaars

ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll

@@ -30,6 +30,16 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { n
  */
 cached
 predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  // value of `case` expression into variables in patterns
+  exists(VariableWriteAccess varDef, CaseExpr case, InClause clause, CfgNode nodeToCfg |
+    clause = case.getABranch() and
+    varDef.getParent*() = clause.getPattern() and
+    nodeFrom.asExpr().getExpr() = case.getValue() and
+    nodeToCfg = nodeTo.(SsaDefinitionNode).getDefinition().getControlFlowNode() and
+    nodeToCfg = nodeFrom.asExpr().getASuccessor+() and
+    nodeToCfg.getNode() = varDef
+  )
+  or
   // operation involving `nodeFrom`
   exists(CfgNodes::ExprNodes::OperationCfgNode op |
     op = nodeTo.asExpr() and

ruby/ql/test/library-tests/dataflow/local/DataflowStep.expected

@@ -70,6 +70,13 @@
 | local_dataflow.rb:50:18:50:18 | [post] x | local_dataflow.rb:51:20:51:20 | x |
 | local_dataflow.rb:50:18:50:18 | x | local_dataflow.rb:51:20:51:20 | x |
 | local_dataflow.rb:51:9:51:15 | "break" | local_dataflow.rb:51:3:51:15 | break |
+| local_dataflow.rb:60:1:86:3 | self (test_case) | local_dataflow.rb:78:12:78:20 | self |
+| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:78:12:78:20 | self |
+| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:79:18:79:24 | self |
+| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:80:22:80:28 | self |
+| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:82:6:82:12 | self |
+| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:83:6:83:12 | self |
+| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:84:6:84:12 | self |
 | local_dataflow.rb:60:15:60:15 | x | local_dataflow.rb:60:15:60:15 | x |
 | local_dataflow.rb:60:15:60:15 | x | local_dataflow.rb:61:12:61:12 | x |
 | local_dataflow.rb:61:7:68:5 | case ... | local_dataflow.rb:61:3:68:5 | ... = ... |
@@ -100,3 +107,27 @@
 | local_dataflow.rb:73:7:73:7 | x | local_dataflow.rb:72:7:73:7 | then ... |
 | local_dataflow.rb:74:3:75:6 | else ... | local_dataflow.rb:69:7:76:5 | case ... |
 | local_dataflow.rb:75:6:75:6 | x | local_dataflow.rb:74:3:75:6 | else ... |
+| local_dataflow.rb:78:7:85:5 | case ... | local_dataflow.rb:78:3:85:5 | ... = ... |
+| local_dataflow.rb:78:12:78:20 | [post] self | local_dataflow.rb:79:18:79:24 | self |
+| local_dataflow.rb:78:12:78:20 | [post] self | local_dataflow.rb:80:22:80:28 | self |
+| local_dataflow.rb:78:12:78:20 | [post] self | local_dataflow.rb:82:6:82:12 | self |
+| local_dataflow.rb:78:12:78:20 | self | local_dataflow.rb:79:18:79:24 | self |
+| local_dataflow.rb:78:12:78:20 | self | local_dataflow.rb:80:22:80:28 | self |
+| local_dataflow.rb:78:12:78:20 | self | local_dataflow.rb:82:6:82:12 | self |
+| local_dataflow.rb:79:11:79:11 | b | local_dataflow.rb:79:23:79:23 | b |
+| local_dataflow.rb:79:13:79:43 | then ... | local_dataflow.rb:78:7:85:5 | case ... |
+| local_dataflow.rb:79:18:79:24 | call to sink | local_dataflow.rb:79:13:79:43 | then ... |
+| local_dataflow.rb:80:6:80:6 | a | local_dataflow.rb:80:11:80:11 | a |
+| local_dataflow.rb:80:11:80:11 | [post] a | local_dataflow.rb:80:27:80:27 | a |
+| local_dataflow.rb:80:11:80:11 | a | local_dataflow.rb:80:27:80:27 | a |
+| local_dataflow.rb:80:17:80:47 | then ... | local_dataflow.rb:78:7:85:5 | case ... |
+| local_dataflow.rb:80:22:80:28 | call to sink | local_dataflow.rb:80:17:80:47 | then ... |
+| local_dataflow.rb:81:7:81:7 | c | local_dataflow.rb:82:11:82:11 | c |
+| local_dataflow.rb:81:11:81:11 | d | local_dataflow.rb:83:11:83:11 | d |
+| local_dataflow.rb:81:14:81:14 | e | local_dataflow.rb:84:11:84:11 | e |
+| local_dataflow.rb:81:18:84:32 | then ... | local_dataflow.rb:78:7:85:5 | case ... |
+| local_dataflow.rb:81:23:84:13 | call to [] | local_dataflow.rb:81:18:84:32 | then ... |
+| local_dataflow.rb:82:6:82:12 | [post] self | local_dataflow.rb:83:6:83:12 | self |
+| local_dataflow.rb:82:6:82:12 | self | local_dataflow.rb:83:6:83:12 | self |
+| local_dataflow.rb:83:6:83:12 | [post] self | local_dataflow.rb:84:6:84:12 | self |
+| local_dataflow.rb:83:6:83:12 | self | local_dataflow.rb:84:6:84:12 | self |

ruby/ql/test/library-tests/dataflow/local/Nodes.expected

@@ -12,7 +12,7 @@ ret
 | local_dataflow.rb:50:3:50:13 | next |
 | local_dataflow.rb:51:3:51:15 | break |
 | local_dataflow.rb:52:3:52:10 | "normal" |
-| local_dataflow.rb:69:3:76:5 | ... = ... |
+| local_dataflow.rb:78:3:85:5 | ... = ... |
 arg
 | local_dataflow.rb:3:8:3:10 | self | local_dataflow.rb:3:8:3:10 | call to p | self |
 | local_dataflow.rb:3:10:3:10 | a | local_dataflow.rb:3:8:3:10 | call to p | position 0 |
@@ -49,3 +49,21 @@ arg
 | local_dataflow.rb:55:6:55:6 | 1 | local_dataflow.rb:55:5:55:13 | call to [] | position 0 |
 | local_dataflow.rb:55:9:55:9 | 2 | local_dataflow.rb:55:5:55:13 | call to [] | position 1 |
 | local_dataflow.rb:55:12:55:12 | 3 | local_dataflow.rb:55:5:55:13 | call to [] | position 2 |
+| local_dataflow.rb:78:12:78:20 | self | local_dataflow.rb:78:12:78:20 | call to source | self |
+| local_dataflow.rb:78:19:78:19 | 1 | local_dataflow.rb:78:12:78:20 | call to source | position 0 |
+| local_dataflow.rb:79:18:79:24 | self | local_dataflow.rb:79:18:79:24 | call to sink | self |
+| local_dataflow.rb:79:23:79:23 | b | local_dataflow.rb:79:18:79:24 | call to sink | position 0 |
+| local_dataflow.rb:80:11:80:11 | a | local_dataflow.rb:80:11:80:15 | ... > ... | self |
+| local_dataflow.rb:80:15:80:15 | 0 | local_dataflow.rb:80:11:80:15 | ... > ... | position 0 |
+| local_dataflow.rb:80:22:80:28 | self | local_dataflow.rb:80:22:80:28 | call to sink | self |
+| local_dataflow.rb:80:27:80:27 | a | local_dataflow.rb:80:22:80:28 | call to sink | position 0 |
+| local_dataflow.rb:81:23:84:13 | Array | local_dataflow.rb:81:23:84:13 | call to [] | self |
+| local_dataflow.rb:82:6:82:12 | call to sink | local_dataflow.rb:81:23:84:13 | call to [] | position 0 |
+| local_dataflow.rb:82:6:82:12 | self | local_dataflow.rb:82:6:82:12 | call to sink | self |
+| local_dataflow.rb:82:11:82:11 | c | local_dataflow.rb:82:6:82:12 | call to sink | position 0 |
+| local_dataflow.rb:83:6:83:12 | call to sink | local_dataflow.rb:81:23:84:13 | call to [] | position 1 |
+| local_dataflow.rb:83:6:83:12 | self | local_dataflow.rb:83:6:83:12 | call to sink | self |
+| local_dataflow.rb:83:11:83:11 | d | local_dataflow.rb:83:6:83:12 | call to sink | position 0 |
+| local_dataflow.rb:84:6:84:12 | call to sink | local_dataflow.rb:81:23:84:13 | call to [] | position 2 |
+| local_dataflow.rb:84:6:84:12 | self | local_dataflow.rb:84:6:84:12 | call to sink | self |
+| local_dataflow.rb:84:11:84:11 | e | local_dataflow.rb:84:6:84:12 | call to sink | position 0 |

ruby/ql/test/library-tests/dataflow/local/TaintflowStep.expected

@@ -0,0 +1,21 @@
+failures
+edges
+| local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:79:23:79:23 | b |
+| local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:80:27:80:27 | a |
+| local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:82:11:82:11 | c |
+| local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:83:11:83:11 | d |
+| local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:84:11:84:11 | e |
+nodes
+| local_dataflow.rb:78:12:78:20 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:79:23:79:23 | b | semmle.label | b |
+| local_dataflow.rb:80:27:80:27 | a | semmle.label | a |
+| local_dataflow.rb:82:11:82:11 | c | semmle.label | c |
+| local_dataflow.rb:83:11:83:11 | d | semmle.label | d |
+| local_dataflow.rb:84:11:84:11 | e | semmle.label | e |
+subpaths
+#select
+| local_dataflow.rb:79:23:79:23 | b | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:79:23:79:23 | b | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
+| local_dataflow.rb:80:27:80:27 | a | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:80:27:80:27 | a | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
+| local_dataflow.rb:82:11:82:11 | c | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:82:11:82:11 | c | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
+| local_dataflow.rb:83:11:83:11 | d | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:83:11:83:11 | d | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
+| local_dataflow.rb:84:11:84:11 | e | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:84:11:84:11 | e | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |

ruby/ql/test/library-tests/dataflow/local/TaintflowStep.ql

@@ -0,0 +1,11 @@
+/**
+ * @kind path-problem
+ */
+
+import ruby
+import TestUtilities.InlineFlowTest
+import PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, DefaultTaintFlowConf conf
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()

ruby/ql/test/library-tests/dataflow/local/local_dataflow.rb

@@ -74,5 +74,14 @@ def test_case x
   else
      x
   end
+
+  z = case source(1)
+  in 5 => b then sink(b) # $ hasTaintFlow=1
+  in a if a > 0 then sink(a) # $ hasTaintFlow=1
+  in [c, *d, e ] then [
+     sink(c), # $ hasTaintFlow=1
+     sink(d), # $ hasTaintFlow=1
+     sink(e)] # $ hasTaintFlow=1
+  end
 end
-    
+