Merge pull request github#10746 from alexrford/ruby/activejob-deserialize

Ruby: Add `ActiveJob::Serializers.deserialize` as a code execution sink

Author: alexrford

ruby/ql/lib/change-notes/2022-10-09-activejob-serializers-deserialize.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* `ActiveJob::Serializers.deserialize` is considered to be a code execution sink.

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -5,6 +5,7 @@
 private import codeql.ruby.frameworks.Core
 private import codeql.ruby.frameworks.ActionCable
 private import codeql.ruby.frameworks.ActionController
+private import codeql.ruby.frameworks.ActiveJob
 private import codeql.ruby.frameworks.ActionMailer
 private import codeql.ruby.frameworks.ActiveRecord
 private import codeql.ruby.frameworks.ActiveResource

ruby/ql/lib/codeql/ruby/frameworks/ActiveJob.qll

@@ -0,0 +1,30 @@
+/**
+ * Modeling for `ActiveJob`, a framweork for declaring and enqueueing jobs that
+ * ships with Rails.
+ * https://rubygems.org/gems/activejob
+ */
+
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+
+/** Modeling for `ActiveJob`. */
+module ActiveJob {
+  /**
+   * `ActiveJob::Serializers`
+   */
+  module Serializers {
+    /**
+     * A call to `ActiveJob::Serializers.deserialize`, which interprets part of
+     * its argument as a Ruby constant.
+     */
+    class DeserializeCall extends DataFlow::CallNode, CodeExecution::Range {
+      DeserializeCall() {
+        this =
+          API::getTopLevelMember("ActiveJob").getMember("Serializers").getAMethodCall("deserialize")
+      }
+
+      override DataFlow::Node getCode() { result = this.getArgument(0) }
+    }
+  }
+}

ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll

@@ -8,6 +8,8 @@ private import codeql.ruby.ApiGraphs
 private import codeql.ruby.CFG
 private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.RemoteFlowSources
+private import codeql.ruby.frameworks.ActiveJob
+private import codeql.ruby.frameworks.core.Module
 
 module UnsafeDeserialization {
   /**
@@ -199,4 +201,27 @@ module UnsafeDeserialization {
       toNode = callNode
     )
   }
+
+  /**
+   * A argument in a call to `Module.const_get`, considered as a sink for unsafe
+   * deserialization.
+   *
+   * Calls to `Module.const_get` can return arbitrary classes which can then be
+   * instantiated.
+   */
+  class ConstGetCallArgument extends Sink {
+    ConstGetCallArgument() { this = any(Module::ModuleConstGetCallCodeExecution c).getCode() }
+  }
+
+  /**
+   * A argument in a call to `ActiveJob::Serializers.deserialize`, considered as
+   * a sink for unsafe deserialization.
+   *
+   * This is roughly equivalent to a call to `Module.const_get`.
+   */
+  class ActiveJobSerializersDeserializeArgument extends Sink {
+    ActiveJobSerializersDeserializeArgument() {
+      this = any(ActiveJob::Serializers::DeserializeCall c).getCode()
+    }
+  }
 }

ruby/ql/test/query-tests/security/cwe-094/CodeInjection.expected

@@ -1,29 +1,32 @@
 edges
-| CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:3:12:3:24 | ...[...] :  |
-| CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:6:10:6:13 | code |
-| CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:18:20:18:23 | code |
-| CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:21:21:21:24 | code |
-| CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:27:15:27:18 | code |
-| CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:30:19:30:22 | code |
-| CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:36:24:36:27 | code :  |
-| CodeInjection.rb:36:24:36:27 | code :  | CodeInjection.rb:36:10:36:28 | call to escape |
+| CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:5:12:5:24 | ...[...] :  |
+| CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:8:10:8:13 | code |
+| CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:20:20:20:23 | code |
+| CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:23:21:23:24 | code |
+| CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:29:15:29:18 | code |
+| CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:32:19:32:22 | code |
+| CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:38:24:38:27 | code :  |
+| CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:41:40:41:43 | code |
+| CodeInjection.rb:38:24:38:27 | code :  | CodeInjection.rb:38:10:38:28 | call to escape |
 nodes
-| CodeInjection.rb:3:12:3:17 | call to params :  | semmle.label | call to params :  |
-| CodeInjection.rb:3:12:3:24 | ...[...] :  | semmle.label | ...[...] :  |
-| CodeInjection.rb:6:10:6:13 | code | semmle.label | code |
-| CodeInjection.rb:9:10:9:15 | call to params | semmle.label | call to params |
-| CodeInjection.rb:18:20:18:23 | code | semmle.label | code |
-| CodeInjection.rb:21:21:21:24 | code | semmle.label | code |
-| CodeInjection.rb:27:15:27:18 | code | semmle.label | code |
-| CodeInjection.rb:30:19:30:22 | code | semmle.label | code |
-| CodeInjection.rb:36:10:36:28 | call to escape | semmle.label | call to escape |
-| CodeInjection.rb:36:24:36:27 | code :  | semmle.label | code :  |
+| CodeInjection.rb:5:12:5:17 | call to params :  | semmle.label | call to params :  |
+| CodeInjection.rb:5:12:5:24 | ...[...] :  | semmle.label | ...[...] :  |
+| CodeInjection.rb:8:10:8:13 | code | semmle.label | code |
+| CodeInjection.rb:11:10:11:15 | call to params | semmle.label | call to params |
+| CodeInjection.rb:20:20:20:23 | code | semmle.label | code |
+| CodeInjection.rb:23:21:23:24 | code | semmle.label | code |
+| CodeInjection.rb:29:15:29:18 | code | semmle.label | code |
+| CodeInjection.rb:32:19:32:22 | code | semmle.label | code |
+| CodeInjection.rb:38:10:38:28 | call to escape | semmle.label | call to escape |
+| CodeInjection.rb:38:24:38:27 | code :  | semmle.label | code :  |
+| CodeInjection.rb:41:40:41:43 | code | semmle.label | code |
 subpaths
 #select
-| CodeInjection.rb:6:10:6:13 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:6:10:6:13 | code | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
-| CodeInjection.rb:9:10:9:15 | call to params | CodeInjection.rb:9:10:9:15 | call to params | CodeInjection.rb:9:10:9:15 | call to params | This code execution depends on a $@. | CodeInjection.rb:9:10:9:15 | call to params | user-provided value |
-| CodeInjection.rb:18:20:18:23 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:18:20:18:23 | code | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
-| CodeInjection.rb:21:21:21:24 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:21:21:21:24 | code | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
-| CodeInjection.rb:27:15:27:18 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:27:15:27:18 | code | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
-| CodeInjection.rb:30:19:30:22 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:30:19:30:22 | code | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
-| CodeInjection.rb:36:10:36:28 | call to escape | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:36:10:36:28 | call to escape | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
+| CodeInjection.rb:8:10:8:13 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:8:10:8:13 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
+| CodeInjection.rb:11:10:11:15 | call to params | CodeInjection.rb:11:10:11:15 | call to params | CodeInjection.rb:11:10:11:15 | call to params | This code execution depends on a $@. | CodeInjection.rb:11:10:11:15 | call to params | user-provided value |
+| CodeInjection.rb:20:20:20:23 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:20:20:20:23 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
+| CodeInjection.rb:23:21:23:24 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:23:21:23:24 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
+| CodeInjection.rb:29:15:29:18 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:29:15:29:18 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
+| CodeInjection.rb:32:19:32:22 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:32:19:32:22 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
+| CodeInjection.rb:38:10:38:28 | call to escape | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:38:10:38:28 | call to escape | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
+| CodeInjection.rb:41:40:41:43 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:41:40:41:43 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |

ruby/ql/test/query-tests/security/cwe-094/CodeInjection.rb

@@ -1,3 +1,5 @@
+require 'active_job'
+
 class UsersController < ActionController::Base
   def create
     code = params[:code]
@@ -22,18 +24,21 @@ def create
 
     # GOOD
     Bar.class_eval(code)
-    
+
     # BAD
     const_get(code)
-    
+
     # BAD
     Foo.const_get(code)
-    
+
     # GOOD
     Bar.const_get(code)
 
     # BAD
     eval(Regexp.escape(code))
+
+    # BAD
+    ActiveJob::Serializers.deserialize(code)
   end
 
   def update
@@ -62,8 +67,8 @@ class Bar
   def self.class_eval(x)
     true
   end
-  
+
   def self.const_get(x)
     true
   end
-end
+end