Ruby: IncompleteHostnameRegExp.ql

Author: aibaars

javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp

@@ -30,7 +30,7 @@
 		<p>
 
 			Escape all meta-characters appropriately when constructing
-			regular expressions for security checks, pay special attention to the
+			regular expressions for security checks, and pay special attention to the
 			<code>.</code> meta-character.
 
 		</p>

python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp

@@ -30,7 +30,7 @@
         <p>
 
             Escape all meta-characters appropriately when constructing
-            regular expressions for security checks, pay special attention to the
+            regular expressions for security checks, and pay special attention to the
             <code>.</code> meta-character.
 
         </p>

ruby/ql/lib/codeql/ruby/security/performance/RegExpTreeView.qll

@@ -637,6 +637,9 @@ class RegExpGroup extends RegExpTerm, TRegExpGroup {
    */
   int getNumber() { result = re.getGroupNumber(start, end) }
 
+  /** Holds if this is a capture group. */
+  predicate isCapture() { not exists(this.getNumber()) }
+
   /** Holds if this is a named capture group. */
   predicate isNamed() { exists(this.getName()) }
 

ruby/ql/src/change-notes/2022-02-10-incomplete-hostname-regexp.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `rb/incomplete-hostname-regexp`. The query finds instances where a hostname is incompletely sanitized due to an unescaped character in a regular expression.

ruby/ql/src/queries/security/cwe-020/HostnameRegexpShared.qll

@@ -3,7 +3,8 @@
  * that match URLs and hostname patterns.
  */
 
-import javascript
+private import codeql.ruby.security.performance.RegExpTreeView
+private import codeql.ruby.DataFlow
 
 /**
  * Holds if the given constant is unlikely to occur in the origin part of a URL.
@@ -19,7 +20,7 @@ predicate isConstantInvalidInsideOrigin(RegExpConstant term) {
 
 /** Holds if `term` is a dot constant of form `\.` or `[.]`. */
 predicate isDotConstant(RegExpTerm term) {
-  term.(RegExpCharEscape).getValue() = "."
+  term.(RegExpEscape).getValue() = "."
   or
   exists(RegExpCharacterClass cls |
     term = cls and

ruby/ql/src/queries/security/cwe-020/IncompleteHostnameRegExp.qhelp

@@ -30,7 +30,7 @@
 		<p>
 
 			Escape all meta-characters appropriately when constructing
-			regular expressions for security checks, pay special attention to the
+			regular expressions for security checks, and pay special attention to the
 			<code>.</code> meta-character.
 
 		</p>
@@ -46,7 +46,7 @@
 
 		</p>
 
-		<sample src="examples/IncompleteHostnameRegExp.js"/>
+		<sample src="examples/IncompleteHostnameRegExp.rb"/>
 
 		<p>
 
@@ -59,14 +59,13 @@
 		<p>
 
 			Address this vulnerability by escaping <code>.</code>
-			appropriately: <code>let regex = /((www|beta)\.)?example\.com/</code>.
+			appropriately: <code>regex = /((www|beta)\.)?example\.com/</code>.
 
 		</p>
 
 	</example>
 
 	<references>
-		<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions">Regular Expressions</a></li>
 		<li>OWASP: <a href="https://www.owasp.org/index.php/Server_Side_Request_Forgery">SSRF</a></li>
 		<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html">XSS Unvalidated Redirects and Forwards Cheat Sheet</a>.</li>
 	</references>

ruby/ql/src/queries/security/cwe-020/IncompleteHostnameRegExp.ql

@@ -5,15 +5,16 @@
  * @problem.severity warning
  * @security-severity 7.8
  * @precision high
- * @id js/incomplete-hostname-regexp
+ * @id rb/incomplete-hostname-regexp
  * @tags correctness
  *       security
  *       external/cwe/cwe-020
  */
 
-import javascript
-import semmle.javascript.CharacterEscapes
 import HostnameRegexpShared
+import codeql.ruby.security.performance.RegExpTreeView
+import codeql.ruby.DataFlow
+import codeql.ruby.AST as AST
 
 /**
  * Holds if `term` occurs inside a quantifier or alternative (and thus
@@ -102,6 +103,5 @@ where
     ) else (
       kind = "regular expression" and aux = re
     )
-  ) and
-  not CharacterEscapes::hasALikelyRegExpPatternMistake(re)
+  )
 select hostSequence, "This " + kind + " " + msg, aux, "here"

ruby/ql/src/queries/security/cwe-020/examples/IncompleteHostnameRegExp.rb

@@ -1,9 +1,13 @@
-app.get('/some/path', function(req, res) {
-    let url = req.param('url'),
-        host = urlLib.parse(url).host;
-    // BAD: the host of `url` may be controlled by an attacker
-    let regex = /^((www|beta).)?example.com/;
-    if (host.match(regex)) {
-        res.redirect(url);
-    }
-});
+class AppController < ApplicationController
+
+    def index
+        url = params[:url]
+        host = URI(url).host
+        # BAD: the host of `url` may be controlled by an attacker
+        regex = /^((www|beta).)?example.com/
+        if host.match(regex)
+            redirect_to url
+        end
+    end
+
+end

ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected

@@ -1 +1 @@
-Security/CWE-020/IncompleteHostnameRegExp.ql
+queries/security/cwe-020/IncompleteHostnameRegExp.ql