Ruby: Restrict request methods to user-controlled

hmac · hmac · commit 9eff4936cf1f · 2022-10-13T13:24:16.000+13:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -203,10 +203,7 @@ private module Request {
 
   /** A method call on `request` which returns part or all of the request path. */
   private class PathCall extends RequestInputAccess {
-    PathCall() {
-      this.getMethodName() =
-        ["fullpath", "original_fullpath", "original_url", "url", "path", "filtered_path"]
-    }
+    PathCall() { this.getMethodName() = ["path", "filtered_path"] }
   }
 
   /** A method call on `request` which returns a specific request header. */
@@ -216,8 +213,13 @@ private module Request {
         [
           "authorization", "script_name", "path_info", "user_agent", "referer", "referrer",
           "host_authority", "content_type", "host", "hostname", "accept_encoding",
-          "accept_language", "if_none_match", "if_none_match_etags", "get_header", "fetch_header"
+          "accept_language", "if_none_match", "if_none_match_etags"
         ]
+      or
+      // Request headers are prefixed with `HTTP_` to distinguish them from
+      // "headers" supplied by Rack middleware.
+      this.getMethodName() = ["get_header", "fetch_header"] and
+      this.getArgument(0).asExpr().getExpr().getConstantValue().getString().regexpMatch("^HTTP_.+")
     }
   }
 
@@ -254,7 +256,10 @@ private module Request {
 
   /** A method call on `request` which returns the rack env. */
   private class EnvCall extends RequestInputAccess {
-    EnvCall() { this.getMethodName() = ["env", "filtered_env"] }
+    EnvCall() {
+      this.getMethodName() = ["env", "filtered_env"] and
+      this.getArgument(0).asExpr().getExpr().getConstantValue().getString().regexpMatch("^HTTP_.+")
+    }
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -203,10 +203,7 @@ private module Request {`
`203`	`203`
`204`	`204`	/** A method call on `request` which returns part or all of the request path. */
`205`	`205`	`private class PathCall extends RequestInputAccess {`
`206`		`- PathCall() {`
`207`		`- this.getMethodName() =`
`208`		`- ["fullpath", "original_fullpath", "original_url", "url", "path", "filtered_path"]`
`209`		`- }`
	`206`	`+ PathCall() { this.getMethodName() = ["path", "filtered_path"] }`
`210`	`207`	`}`
`211`	`208`
`212`	`209`	/** A method call on `request` which returns a specific request header. */
`@@ -216,8 +213,13 @@ private module Request {`
`216`	`213`	`[`
`217`	`214`	`"authorization", "script_name", "path_info", "user_agent", "referer", "referrer",`
`218`	`215`	`"host_authority", "content_type", "host", "hostname", "accept_encoding",`
`219`		`- "accept_language", "if_none_match", "if_none_match_etags", "get_header", "fetch_header"`
	`216`	`+ "accept_language", "if_none_match", "if_none_match_etags"`
`220`	`217`	`]`
	`218`	`+ or`
	`219`	+ // Request headers are prefixed with `HTTP_` to distinguish them from
	`220`	`+ // "headers" supplied by Rack middleware.`
	`221`	`+ this.getMethodName() = ["get_header", "fetch_header"] and`
	`222`	`+ this.getArgument(0).asExpr().getExpr().getConstantValue().getString().regexpMatch("^HTTP_.+")`
`221`	`223`	`}`
`222`	`224`	`}`
`223`	`225`
`@@ -254,7 +256,10 @@ private module Request {`
`254`	`256`
`255`	`257`	/** A method call on `request` which returns the rack env. */
`256`	`258`	`private class EnvCall extends RequestInputAccess {`
`257`		`- EnvCall() { this.getMethodName() = ["env", "filtered_env"] }`
	`259`	`+ EnvCall() {`
	`260`	`+ this.getMethodName() = ["env", "filtered_env"] and`
	`261`	`+ this.getArgument(0).asExpr().getExpr().getConstantValue().getString().regexpMatch("^HTTP_.+")`
	`262`	`+ }`
`258`	`263`	`}`
`259`	`264`	`}`
`260`	`265`