Add rb/path-injection query

Author: nickrolfe

ruby/ql/lib/codeql/ruby/Concepts.qll

@@ -583,3 +583,21 @@ module OrmInstantiation {
     abstract predicate methodCallMayAccessField(string methodName);
   }
 }
+
+/** Provides classes for modeling path-related APIs. */
+module Path {
+  /**
+   * A data-flow node that performs path sanitization. This is often needed in order
+   * to safely access paths.
+   */
+  class PathSanitization extends DataFlow::Node instanceof PathSanitization::Range { }
+
+  /** Provides a class for modeling new path sanitization APIs. */
+  module PathSanitization {
+    /**
+     * A data-flow node that performs path sanitization. This is often needed in order
+     * to safely access paths.
+     */
+    abstract class Range extends DataFlow::Node { }
+  }
+}

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -4,6 +4,7 @@
 
 private import codeql.ruby.frameworks.ActionController
 private import codeql.ruby.frameworks.ActiveRecord
+private import codeql.ruby.frameworks.ActiveStorage
 private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.StandardLibrary
 private import codeql.ruby.frameworks.Files

ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -64,6 +64,9 @@ predicate summaryElement(DataFlowCallable c, string input, string output, string
 SummaryComponent interpretComponentSpecific(string c) {
   c = "BlockArgument" and
   result = FlowSummary::SummaryComponent::block()
+  or
+  c = "Argument[_]" and
+  result = FlowSummary::SummaryComponent::argument(any(int i | i >= 0))
 }
 
 /** Gets the return kind corresponding to specification `"ReturnValue"`. */

ruby/ql/lib/codeql/ruby/frameworks/ActiveStorage.qll

@@ -0,0 +1,12 @@
+private import codeql.ruby.AST
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+
+class ActiveStorageFilenameSanitizedCall extends Path::PathSanitization::Range, DataFlow::CallNode {
+  ActiveStorageFilenameSanitizedCall() {
+    this.getReceiver() =
+      API::getTopLevelMember("ActiveStorage").getMember("Filename").getAnInstantiation() and
+    this.asExpr().getExpr().(MethodCall).getMethodName() = "sanitized"
+  }
+}

ruby/ql/lib/codeql/ruby/frameworks/Files.qll

@@ -7,6 +7,7 @@ private import codeql.ruby.Concepts
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.DataFlow
 private import codeql.ruby.frameworks.StandardLibrary
+private import codeql.ruby.dataflow.FlowSummary
 
 private DataFlow::Node ioInstanceInstantiation() {
   result = API::getTopLevelMember("IO").getAnInstantiation() or
@@ -253,6 +254,47 @@ module File {
 
     override DataFlow::Node getAPermissionNode() { result = permissionArg }
   }
+
+  /**
+   * Flow summary for several methods on the `File` class that propagate taint
+   * from their first argument to the return value.
+   */
+  class FilePathConversionSummary extends SummarizedCallable {
+    string methodName;
+
+    FilePathConversionSummary() {
+      methodName = ["absolute_path", "dirname", "expand_path", "path", "realdirpath", "realpath"] and
+      this = "File." + methodName
+    }
+
+    override MethodCall getACall() {
+      result = API::getTopLevelMember("File").getAMethodCall(methodName).asExpr().getExpr()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /**
+   * Flow summary for `File.join`, which propagates taint from every argument to
+   * its return value.
+   */
+  class FileJoinSummary extends SummarizedCallable {
+    FileJoinSummary() { this = "File.join" }
+
+    override MethodCall getACall() {
+      result = API::getTopLevelMember("File").getAMethodCall("join").asExpr().getExpr()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[_]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll

@@ -0,0 +1,54 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * path injection vulnerabilities, as well as extension points for
+ * adding your own.
+ */
+
+private import ruby
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.CFG
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.BarrierGuards
+private import codeql.ruby.dataflow.RemoteFlowSources
+
+module PathInjection {
+  /**
+   * A data flow source for path injection vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for path injection vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for path injection vulnerabilities.
+   */
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A file system access, considered as a flow sink.
+   */
+  class FileSystemAccessAsSink extends Sink {
+    FileSystemAccessAsSink() { this = any(FileSystemAccess e).getAPathArgument() }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+
+  /**
+   * An inclusion check against an array of constant strings, considered as a
+   * sanitizer-guard.
+   */
+  class StringConstArrayInclusionCallAsSanitizerGuard extends SanitizerGuard,
+    StringConstArrayInclusionCall { }
+}

ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll

@@ -0,0 +1,31 @@
+/**
+ * Provides a taint tracking configuration for reasoning about
+ * path injection vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `PathInjection::Configuration` is needed, otherwise
+ * `PathInjectionCustomizations` should be imported instead.
+ */
+
+import PathInjectionCustomizations
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+private import codeql.ruby.TaintTracking
+
+/**
+ * A taint-tracking configuration for reasoning about path injection
+ * vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "PathInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof PathInjection::Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof PathInjection::Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Path::PathSanitization }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof PathInjection::SanitizerGuard
+  }
+}

ruby/ql/src/queries/security/cwe-022/PathInjection.qhelp

@@ -0,0 +1,61 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Accessing files using paths constructed from user-controlled data can allow an
+attacker to access unexpected resources. This can result in sensitive
+information being revealed or deleted, or an attacker being able to influence
+behavior by modifying unexpected files.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Validate user input before using it to construct a file path, either using an
+off-the-shelf library like <code>ActiveStorage::Filename#sanitized</code> in
+Rails, or by performing custom validation.
+</p>
+
+<p>
+Ideally, follow these rules:
+</p>
+
+<ul>
+<li>Do not allow more than a single "." character.</li>
+<li>Do not allow directory separators such as "/" or "\" (depending on the file
+system).</li>
+<li>Do not rely on simply replacing problematic sequences such as "../". For
+example, after applying this filter to ".../...//", the resulting string would
+still be "../".</li>
+<li>Use a whitelist of known good patterns.</li>
+</ul>
+</recommendation>
+
+<example>
+<p>
+In the first example, a file name is read from an HTTP request and then used to
+access a file.  However, a malicious user could enter a file name which is an
+absolute path, such as <code>"/etc/passwd"</code>.
+</p>
+
+<p>
+In the second example, it appears that the user is restricted to opening a file
+within the <code>"user"</code> home directory. However, a malicious user could
+enter a file name containing special characters. For example, the string
+<code>"../../etc/passwd"</code> will result in the code reading the file located
+at <code>"/home/user/../../etc/passwd"</code>, which is the system's password
+file. This file would then be sent back to the user, giving them access to all
+the system's passwords.
+</p>
+
+<sample src="examples/tainted_path.rb" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://owasp.org/www-community/attacks/Path_Traversal">Path Traversal</a>.</li>
+<li>Rails: <a href="https://api.rubyonrails.org/classes/ActiveStorage/Filename.html#method-i-sanitized">ActiveStorage::Filename#sanitized</a>.</li>
+</references>
+</qhelp>

ruby/ql/src/queries/security/cwe-022/PathInjection.ql

@@ -0,0 +1,26 @@
+/**
+ * @name Uncontrolled data used in path expression
+ * @description Accessing paths influenced by users can allow an attacker to access
+ *              unexpected resources.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id rb/path-injection
+ * @tags security
+ *       external/cwe/cwe-022
+ *       external/cwe/cwe-023
+ *       external/cwe/cwe-036
+ *       external/cwe/cwe-073
+ *       external/cwe/cwe-099
+ */
+
+import ruby
+import codeql.ruby.security.PathInjectionQuery
+import codeql.ruby.DataFlow
+import DataFlow::PathGraph
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This path depends on $@.", source.getNode(),
+  "a user-provided value"

ruby/ql/src/queries/security/cwe-022/examples/tainted_path.rb

@@ -0,0 +1,11 @@
+class FilesController < ActionController::Base
+  def first_example
+    # BAD: This could read any file on the file system
+    @content = File.read params[:path]
+  end
+
+  def second_example
+    # BAD: This could still read any file on the file system
+    @content = File.read "/home/user/#{ params[:path] }"
+  end
+end