Merge pull request github#12493 from hmac/ar-sinks

hmac · web-flow · commit aaeb8a0aa0c9 · 2023-03-15T07:59:07.000+13:00
diff --git a/ruby/ql/lib/change-notes/2023-03-13-rails-sinks.md b/ruby/ql/lib/change-notes/2023-03-13-rails-sinks.md
@@ -0,0 +1,6 @@
+---
+ category: minorAnalysis
+---
+* The Active Record query methods `reorder` and `count_by_sql` are now recognised as SQL executions.
+* Calls to `ActiveRecord::Connection#execute`, including those via subclasses, are now recognised as SQL executions.
+* Data flow through `ActionController::Parameters#require` is now tracked properly.
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -632,9 +632,9 @@ private module ParamsSummaries {
         // dig doesn't always return a Parameters instance, but it will if the
         // given key refers to a nested hash parameter.
         "dig", "each", "each_key", "each_pair", "each_value", "except", "keep_if", "merge",
-        "merge!", "permit", "reject", "reject!", "reverse_merge", "reverse_merge!", "select",
-        "select!", "slice", "slice!", "transform_keys", "transform_keys!", "transform_values",
-        "transform_values!", "with_defaults", "with_defaults!"
+        "merge!", "permit", "reject", "reject!", "require", "reverse_merge", "reverse_merge!",
+        "select", "select!", "slice", "slice!", "transform_keys", "transform_keys!",
+        "transform_values", "transform_values!", "with_defaults", "with_defaults!"
       ]
   }
 
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
@@ -31,6 +31,18 @@ private predicate isBuiltInMethodForActiveRecordModelInstance(string methodName)
   methodName = objectInstanceMethodName()
 }
 
+private API::Node activeRecordClassApiNode() {
+  result =
+    // class Foo < ActiveRecord::Base
+    // class Bar < Foo
+    [
+      API::getTopLevelMember("ActiveRecord").getMember("Base"),
+      // In Rails applications `ApplicationRecord` typically extends `ActiveRecord::Base`, but we
+      // treat it separately in case the `ApplicationRecord` definition is not in the database.
+      API::getTopLevelMember("ApplicationRecord")
+    ].getASubclass()
+}
+
 /**
  * A `ClassDeclaration` for a class that inherits from `ActiveRecord::Base`. For example,
  *
@@ -45,15 +57,8 @@ private predicate isBuiltInMethodForActiveRecordModelInstance(string methodName)
  */
 class ActiveRecordModelClass extends ClassDeclaration {
   ActiveRecordModelClass() {
-    // class Foo < ActiveRecord::Base
-    // class Bar < Foo
     this.getSuperclassExpr() =
-      [
-        API::getTopLevelMember("ActiveRecord").getMember("Base"),
-        // In Rails applications `ApplicationRecord` typically extends `ActiveRecord::Base`, but we
-        // treat it separately in case the `ApplicationRecord` definition is not in the database.
-        API::getTopLevelMember("ApplicationRecord")
-      ].getASubclass().getAValueReachableFromSource().asExpr().getExpr()
+      activeRecordClassApiNode().getAValueReachableFromSource().asExpr().getExpr()
   }
 
   // Gets the class declaration for this class and all of its super classes
@@ -116,14 +121,14 @@ private Expr sqlFragmentArgument(MethodCall call) {
         [
           "delete_all", "delete_by", "destroy_all", "destroy_by", "exists?", "find_by", "find_by!",
           "find_or_create_by", "find_or_create_by!", "find_or_initialize_by", "find_by_sql", "from",
-          "group", "having", "joins", "lock", "not", "order", "pluck", "where", "rewhere", "select",
-          "reselect", "update_all"
+          "group", "having", "joins", "lock", "not", "order", "reorder", "pluck", "where",
+          "rewhere", "select", "reselect", "update_all"
         ] and
       result = call.getArgument(0)
       or
       methodName = "calculate" and result = call.getArgument(1)
       or
-      methodName in ["average", "count", "maximum", "minimum", "sum"] and
+      methodName in ["average", "count", "maximum", "minimum", "sum", "count_by_sql"] and
       result = call.getArgument(0)
       or
       // This format was supported until Rails 2.3.8
@@ -208,11 +213,18 @@ class ActiveRecordSqlExecutionRange extends SqlExecution::Range {
     exists(PotentiallyUnsafeSqlExecutingMethodCall mc |
       this.asExpr().getNode() = mc.getSqlFragmentSinkArgument()
     )
+    or
+    this = activeRecordConnectionInstance().getAMethodCall("execute").getArgument(0) and
+    unsafeSqlExpr(this.asExpr().getExpr())
   }
 
   override DataFlow::Node getSql() { result = this }
 }
 
+private API::Node activeRecordConnectionInstance() {
+  result = activeRecordClassApiNode().getReturn("connection")
+}
+
 // TODO: model `ActiveRecord` sanitizers
 // https://api.rubyonrails.org/classes/ActiveRecord/Sanitization/ClassMethods.html
 /**
diff --git a/ruby/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb b/ruby/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb
@@ -90,6 +90,10 @@ def some_request_handler
     # BAD: executes `UPDATE "users" SET #{params[:fields]}`
     # where `params[:fields]` is unsanitized
     User.update_all(params[:fields])
+    
+    User.reorder(params[:direction])
+    
+    User.count_by_sql(params[:custom_sql_query])
   end
 end
 
@@ -151,3 +155,26 @@ def unsafe_action
     users = User.annotate("this is an unsafe annotation:#{params[:comment]}").find_by(user_name: name)
   end
 end
+
+# A regression test
+
+class Regression < ActiveRecord::Base
+end
+
+class RegressionController < ActionController::Base
+  def index
+    my_params = permitted_params
+    query = "SELECT * FROM users WHERE id = #{my_params[:user_id]}"
+    result = Regression.find_by_sql(query)
+  end
+
+  
+  def permitted_params
+    params.require(:my_key).permit(:id, :user_id, :my_type)
+  end
+  
+  def show
+    ActiveRecord::Base.connection.execute("SELECT * FROM users WHERE id = #{permitted_params[:user_id]}")
+    Regression.connection.execute("SELECT * FROM users WHERE id = #{permitted_params[:user_id]}")
+  end
+end
diff --git a/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected
@@ -26,13 +26,27 @@ edges
 | ActiveRecordInjection.rb:84:19:84:24 | call to params :  | ActiveRecordInjection.rb:84:19:84:33 | ...[...] |
 | ActiveRecordInjection.rb:88:18:88:23 | call to params :  | ActiveRecordInjection.rb:88:18:88:35 | ...[...] |
 | ActiveRecordInjection.rb:92:21:92:26 | call to params :  | ActiveRecordInjection.rb:92:21:92:35 | ...[...] |
-| ActiveRecordInjection.rb:98:10:98:15 | call to params :  | ActiveRecordInjection.rb:99:11:99:12 | ps :  |
-| ActiveRecordInjection.rb:99:11:99:12 | ps :  | ActiveRecordInjection.rb:99:11:99:17 | ...[...] :  |
-| ActiveRecordInjection.rb:99:11:99:17 | ...[...] :  | ActiveRecordInjection.rb:104:20:104:32 | ... + ... |
-| ActiveRecordInjection.rb:137:21:137:26 | call to params :  | ActiveRecordInjection.rb:137:21:137:44 | ...[...] :  |
-| ActiveRecordInjection.rb:137:21:137:44 | ...[...] :  | ActiveRecordInjection.rb:20:22:20:30 | condition :  |
-| ActiveRecordInjection.rb:151:59:151:64 | call to params :  | ActiveRecordInjection.rb:151:59:151:74 | ...[...] :  |
-| ActiveRecordInjection.rb:151:59:151:74 | ...[...] :  | ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." |
+| ActiveRecordInjection.rb:94:18:94:23 | call to params :  | ActiveRecordInjection.rb:94:18:94:35 | ...[...] |
+| ActiveRecordInjection.rb:96:23:96:28 | call to params :  | ActiveRecordInjection.rb:96:23:96:47 | ...[...] |
+| ActiveRecordInjection.rb:102:10:102:15 | call to params :  | ActiveRecordInjection.rb:103:11:103:12 | ps :  |
+| ActiveRecordInjection.rb:103:11:103:12 | ps :  | ActiveRecordInjection.rb:103:11:103:17 | ...[...] :  |
+| ActiveRecordInjection.rb:103:11:103:17 | ...[...] :  | ActiveRecordInjection.rb:108:20:108:32 | ... + ... |
+| ActiveRecordInjection.rb:141:21:141:26 | call to params :  | ActiveRecordInjection.rb:141:21:141:44 | ...[...] :  |
+| ActiveRecordInjection.rb:141:21:141:44 | ...[...] :  | ActiveRecordInjection.rb:20:22:20:30 | condition :  |
+| ActiveRecordInjection.rb:155:59:155:64 | call to params :  | ActiveRecordInjection.rb:155:59:155:74 | ...[...] :  |
+| ActiveRecordInjection.rb:155:59:155:74 | ...[...] :  | ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." |
+| ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params :  | ActiveRecordInjection.rb:167:47:167:55 | my_params :  |
+| ActiveRecordInjection.rb:167:47:167:55 | my_params :  | ActiveRecordInjection.rb:167:47:167:65 | ...[...] :  |
+| ActiveRecordInjection.rb:167:47:167:65 | ...[...] :  | ActiveRecordInjection.rb:168:37:168:41 | query |
+| ActiveRecordInjection.rb:173:5:173:10 | call to params :  | ActiveRecordInjection.rb:173:5:173:27 | call to require :  |
+| ActiveRecordInjection.rb:173:5:173:27 | call to require :  | ActiveRecordInjection.rb:173:5:173:59 | call to permit :  |
+| ActiveRecordInjection.rb:173:5:173:59 | call to permit :  | ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params :  |
+| ActiveRecordInjection.rb:173:5:173:59 | call to permit :  | ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params :  |
+| ActiveRecordInjection.rb:173:5:173:59 | call to permit :  | ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params :  |
+| ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params :  | ActiveRecordInjection.rb:177:77:177:102 | ...[...] :  |
+| ActiveRecordInjection.rb:177:77:177:102 | ...[...] :  | ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." |
+| ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params :  | ActiveRecordInjection.rb:178:69:178:94 | ...[...] :  |
+| ActiveRecordInjection.rb:178:69:178:94 | ...[...] :  | ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." |
 | ArelInjection.rb:4:12:4:17 | call to params :  | ArelInjection.rb:4:12:4:29 | ...[...] :  |
 | ArelInjection.rb:4:12:4:29 | ...[...] :  | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." |
 nodes
@@ -78,23 +92,40 @@ nodes
 | ActiveRecordInjection.rb:88:18:88:35 | ...[...] | semmle.label | ...[...] |
 | ActiveRecordInjection.rb:92:21:92:26 | call to params :  | semmle.label | call to params :  |
 | ActiveRecordInjection.rb:92:21:92:35 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:98:10:98:15 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:99:11:99:12 | ps :  | semmle.label | ps :  |
-| ActiveRecordInjection.rb:99:11:99:17 | ...[...] :  | semmle.label | ...[...] :  |
-| ActiveRecordInjection.rb:104:20:104:32 | ... + ... | semmle.label | ... + ... |
-| ActiveRecordInjection.rb:137:21:137:26 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:137:21:137:44 | ...[...] :  | semmle.label | ...[...] :  |
-| ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." | semmle.label | "this is an unsafe annotation:..." |
-| ActiveRecordInjection.rb:151:59:151:64 | call to params :  | semmle.label | call to params :  |
-| ActiveRecordInjection.rb:151:59:151:74 | ...[...] :  | semmle.label | ...[...] :  |
+| ActiveRecordInjection.rb:94:18:94:23 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:94:18:94:35 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:96:23:96:28 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:96:23:96:47 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:102:10:102:15 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:103:11:103:12 | ps :  | semmle.label | ps :  |
+| ActiveRecordInjection.rb:103:11:103:17 | ...[...] :  | semmle.label | ...[...] :  |
+| ActiveRecordInjection.rb:108:20:108:32 | ... + ... | semmle.label | ... + ... |
+| ActiveRecordInjection.rb:141:21:141:26 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:141:21:141:44 | ...[...] :  | semmle.label | ...[...] :  |
+| ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." | semmle.label | "this is an unsafe annotation:..." |
+| ActiveRecordInjection.rb:155:59:155:64 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:155:59:155:74 | ...[...] :  | semmle.label | ...[...] :  |
+| ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params :  | semmle.label | call to permitted_params :  |
+| ActiveRecordInjection.rb:167:47:167:55 | my_params :  | semmle.label | my_params :  |
+| ActiveRecordInjection.rb:167:47:167:65 | ...[...] :  | semmle.label | ...[...] :  |
+| ActiveRecordInjection.rb:168:37:168:41 | query | semmle.label | query |
+| ActiveRecordInjection.rb:173:5:173:10 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:173:5:173:27 | call to require :  | semmle.label | call to require :  |
+| ActiveRecordInjection.rb:173:5:173:59 | call to permit :  | semmle.label | call to permit :  |
+| ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
+| ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params :  | semmle.label | call to permitted_params :  |
+| ActiveRecordInjection.rb:177:77:177:102 | ...[...] :  | semmle.label | ...[...] :  |
+| ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
+| ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params :  | semmle.label | call to permitted_params :  |
+| ActiveRecordInjection.rb:178:69:178:94 | ...[...] :  | semmle.label | ...[...] :  |
 | ArelInjection.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
 | ArelInjection.rb:4:12:4:29 | ...[...] :  | semmle.label | ...[...] :  |
 | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | semmle.label | "SELECT * FROM users WHERE nam..." |
 subpaths
 #select
 | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:23:70:28 | call to params :  | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:23:70:28 | call to params | user-provided value |
 | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:38:70:43 | call to params :  | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:38:70:43 | call to params | user-provided value |
-| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:137:21:137:26 | call to params :  | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:137:21:137:26 | call to params | user-provided value |
+| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:141:21:141:26 | call to params :  | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:141:21:141:26 | call to params | user-provided value |
 | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | ActiveRecordInjection.rb:35:30:35:35 | call to params :  | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:35:30:35:35 | call to params | user-provided value |
 | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | ActiveRecordInjection.rb:39:18:39:23 | call to params :  | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:39:18:39:23 | call to params | user-provided value |
 | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | ActiveRecordInjection.rb:43:29:43:34 | call to params :  | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:43:29:43:34 | call to params | user-provided value |
@@ -108,6 +139,11 @@ subpaths
 | ActiveRecordInjection.rb:84:19:84:33 | ...[...] | ActiveRecordInjection.rb:84:19:84:24 | call to params :  | ActiveRecordInjection.rb:84:19:84:33 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:84:19:84:24 | call to params | user-provided value |
 | ActiveRecordInjection.rb:88:18:88:35 | ...[...] | ActiveRecordInjection.rb:88:18:88:23 | call to params :  | ActiveRecordInjection.rb:88:18:88:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:88:18:88:23 | call to params | user-provided value |
 | ActiveRecordInjection.rb:92:21:92:35 | ...[...] | ActiveRecordInjection.rb:92:21:92:26 | call to params :  | ActiveRecordInjection.rb:92:21:92:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:92:21:92:26 | call to params | user-provided value |
-| ActiveRecordInjection.rb:104:20:104:32 | ... + ... | ActiveRecordInjection.rb:98:10:98:15 | call to params :  | ActiveRecordInjection.rb:104:20:104:32 | ... + ... | This SQL query depends on a $@. | ActiveRecordInjection.rb:98:10:98:15 | call to params | user-provided value |
-| ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:151:59:151:64 | call to params :  | ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:151:59:151:64 | call to params | user-provided value |
+| ActiveRecordInjection.rb:94:18:94:35 | ...[...] | ActiveRecordInjection.rb:94:18:94:23 | call to params :  | ActiveRecordInjection.rb:94:18:94:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:94:18:94:23 | call to params | user-provided value |
+| ActiveRecordInjection.rb:96:23:96:47 | ...[...] | ActiveRecordInjection.rb:96:23:96:28 | call to params :  | ActiveRecordInjection.rb:96:23:96:47 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:96:23:96:28 | call to params | user-provided value |
+| ActiveRecordInjection.rb:108:20:108:32 | ... + ... | ActiveRecordInjection.rb:102:10:102:15 | call to params :  | ActiveRecordInjection.rb:108:20:108:32 | ... + ... | This SQL query depends on a $@. | ActiveRecordInjection.rb:102:10:102:15 | call to params | user-provided value |
+| ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:155:59:155:64 | call to params :  | ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:155:59:155:64 | call to params | user-provided value |
+| ActiveRecordInjection.rb:168:37:168:41 | query | ActiveRecordInjection.rb:173:5:173:10 | call to params :  | ActiveRecordInjection.rb:168:37:168:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
+| ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:173:5:173:10 | call to params :  | ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
+| ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:173:5:173:10 | call to params :  | ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
 | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params :  | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value |

Original file line number	Diff line number	Diff line change
`@@ -632,9 +632,9 @@ private module ParamsSummaries {`
`632`	`632`	`// dig doesn't always return a Parameters instance, but it will if the`
`633`	`633`	`// given key refers to a nested hash parameter.`
`634`	`634`	`"dig", "each", "each_key", "each_pair", "each_value", "except", "keep_if", "merge",`
`635`		`- "merge!", "permit", "reject", "reject!", "reverse_merge", "reverse_merge!", "select",`
`636`		`- "select!", "slice", "slice!", "transform_keys", "transform_keys!", "transform_values",`
`637`		`- "transform_values!", "with_defaults", "with_defaults!"`
	`635`	`+ "merge!", "permit", "reject", "reject!", "require", "reverse_merge", "reverse_merge!",`
	`636`	`+ "select", "select!", "slice", "slice!", "transform_keys", "transform_keys!",`
	`637`	`+ "transform_values", "transform_values!", "with_defaults", "with_defaults!"`
`638`	`638`	`]`
`639`	`639`	`}`
`640`	`640`