Merge pull request github#8658 from hmac/hmac/insecure-download

Ruby: Add InsecureDownload query

Author: hmac

ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll

@@ -21,9 +21,10 @@ private import codeql.ruby.DataFlow
 class NetHttpRequest extends HTTP::Client::Request::Range {
   private DataFlow::CallNode request;
   private DataFlow::Node responseBody;
+  private API::Node requestNode;
 
   NetHttpRequest() {
-    exists(API::Node requestNode, string method |
+    exists(string method |
       request = requestNode.getAnImmediateUse() and
       this = request.asExpr().getExpr()
     |
@@ -48,10 +49,19 @@ class NetHttpRequest extends HTTP::Client::Request::Range {
   }
 
   /**
-   * Gets the node representing the URL of the request.
-   * Currently unused, but may be useful in future, e.g. to filter out certain requests.
+   * Gets a node that contributes to the URL of the request.
    */
-  override DataFlow::Node getAUrlPart() { result = request.getArgument(0) }
+  override DataFlow::Node getAUrlPart() {
+    result = request.getArgument(0)
+    or
+    // Net::HTTP.new(...).get(...)
+    exists(API::Node new |
+      new = API::getTopLevelMember("Net").getMember("HTTP").getInstance() and
+      requestNode = new.getReturn(_)
+    |
+      result = new.getAnImmediateUse().(DataFlow::CallNode).getArgument(0)
+    )
+  }
 
   override DataFlow::Node getResponseBody() { result = responseBody }
 

ruby/ql/lib/codeql/ruby/security/InsecureDownloadCustomizations.qll

@@ -0,0 +1,197 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * download of sensitive file through insecure connection, as well as
+ * extension points for adding your own.
+ */
+
+private import ruby
+private import codeql.ruby.DataFlow
+private import codeql.ruby.Concepts
+private import codeql.ruby.typetracking.TypeTracker
+private import codeql.ruby.frameworks.Files
+
+/**
+ * Classes and predicates for reasoning about download of sensitive file through insecure connection vulnerabilities.
+ */
+module InsecureDownload {
+  /**
+   * A data flow source for download of sensitive file through insecure connection.
+   */
+  abstract class Source extends DataFlow::Node {
+    /**
+     * Gets a flow-label for this source.
+     */
+    abstract DataFlow::FlowState getALabel();
+  }
+
+  /**
+   * A data flow sink for download of sensitive file through insecure connection.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets the call that downloads the sensitive file.
+     */
+    abstract DataFlow::Node getDownloadCall();
+
+    /**
+     * Gets a flow-label where this sink is vulnerable.
+     */
+    abstract DataFlow::FlowState getALabel();
+  }
+
+  /**
+   * A sanitizer for download of sensitive file through insecure connection.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * Flow-labels for reasoning about download of sensitive file through insecure connection.
+   */
+  module Label {
+    /**
+     * A flow-label for a URL that is downloaded over an insecure connection.
+     */
+    class Insecure extends DataFlow::FlowState {
+      Insecure() { this = "insecure" }
+    }
+
+    /**
+     * A flow-label for a URL that is sensitive.
+     */
+    class Sensitive extends DataFlow::FlowState {
+      Sensitive() { this = "sensitive" }
+    }
+
+    /**
+     * A flow-label for file URLs that are both sensitive and downloaded over an insecure connection.
+     */
+    class SensitiveInsecure extends DataFlow::FlowState {
+      SensitiveInsecure() { this = "sensitiveInsecure" }
+    }
+  }
+
+  /**
+   * A HTTP or FTP URL.
+   */
+  class InsecureUrl extends DataFlow::Node {
+    string str;
+
+    InsecureUrl() {
+      str = this.asExpr().getConstantValue().getString() and
+      str.regexpMatch("http://.*|ftp://.*")
+    }
+  }
+
+  /**
+   * A HTTP or FTP URL that refers to a file with a sensitive file extension,
+   * seen as a source for downloads of sensitive files through an insecure connection.
+   */
+  class InsecureFileUrl extends Source, InsecureUrl {
+    override DataFlow::FlowState getALabel() {
+      result instanceof Label::Insecure
+      or
+      hasUnsafeExtension(str) and
+      result instanceof Label::SensitiveInsecure
+    }
+  }
+
+  /**
+   * A string containing a sensitive file extension,
+   * seen as a source for downloads of sensitive files through an insecure connection.
+   */
+  class SensitiveFileName extends Source {
+    SensitiveFileName() { hasUnsafeExtension(this.asExpr().getConstantValue().getString()) }
+
+    override DataFlow::FlowState getALabel() { result instanceof Label::Sensitive }
+  }
+
+  /**
+   * Holds if `str` is a string that ends with an unsafe file extension.
+   */
+  bindingset[str]
+  predicate hasUnsafeExtension(string str) {
+    exists(string suffix | suffix = unsafeExtension() |
+      str.suffix(str.length() - suffix.length() - 1).toLowerCase() = "." + suffix
+    )
+  }
+
+  /**
+   * Gets a file-extension that can potentially be dangerous.
+   *
+   * Archives are included, because they often contain source-code.
+   */
+  string unsafeExtension() {
+    result =
+      [
+        "exe", "dmg", "pkg", "tar.gz", "zip", "sh", "bat", "cmd", "app", "apk", "msi", "dmg",
+        "tar.gz", "zip", "js", "py", "jar", "war"
+      ]
+  }
+
+  /**
+   * A response from an outgoing HTTP request.
+   * This is a sink if there are both insecure and sensitive parts of the URL.
+   * In other words, if the URL is HTTP and the extension is in `unsafeExtension()`.
+   */
+  private class HttpResponseAsSink extends Sink {
+    private HTTP::Client::Request req;
+
+    HttpResponseAsSink() {
+      this = req.getAUrlPart() and
+      // If any part of the URL has an unsafe extension, we consider all parts of the URL to be sinks.
+      hasUnsafeExtension(req.getAUrlPart().asExpr().getConstantValue().getString())
+    }
+
+    override DataFlow::Node getDownloadCall() { result.asExpr().getExpr() = req }
+
+    override DataFlow::FlowState getALabel() {
+      result instanceof Label::SensitiveInsecure
+      or
+      any(req.getAUrlPart()) instanceof InsecureUrl and result instanceof Label::Sensitive
+    }
+  }
+
+  /**
+   * Gets a node for the response from `request`, type-tracked using `t`.
+   */
+  DataFlow::LocalSourceNode clientRequestResponse(TypeTracker t, HTTP::Client::Request request) {
+    t.start() and
+    result = request.getResponseBody()
+    or
+    exists(TypeTracker t2 | result = clientRequestResponse(t2, request).track(t2, t))
+  }
+
+  /**
+   * A url that is downloaded through an insecure connection, where the result ends up being saved to a sensitive location.
+   */
+  class FileWriteSink extends Sink {
+    HTTP::Client::Request request;
+
+    FileWriteSink() {
+      // For example, in:
+      //
+      // ```rb
+      // f = File.open("foo.exe")
+      // f.write(Excon.get(...).body) # $BAD=
+      // ```
+      //
+      // `f` is the `FileSystemAccess` and the call `f.write` is the `IO::FileWriter`.
+      // The call `Excon.get` is the `HTTP::Client::Request`.
+      //
+      // The `file = write` alternative models this case:
+      // ```rb
+      // File.write("foo.exe", Excon.get(...).body)
+      // ```
+      exists(IO::FileWriter write, FileSystemAccess file |
+        this = request.getAUrlPart() and
+        clientRequestResponse(TypeTracker::end(), request).flowsTo(write.getADataNode()) and
+        (file.(DataFlow::LocalSourceNode).flowsTo(write.getReceiver()) or file = write) and
+        hasUnsafeExtension(file.getAPathArgument().asExpr().getConstantValue().getString())
+      )
+    }
+
+    override DataFlow::FlowState getALabel() { result instanceof Label::Insecure }
+
+    override DataFlow::Node getDownloadCall() { result.asExpr().getExpr() = request }
+  }
+}

ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll

@@ -0,0 +1,31 @@
+/**
+ * Provides a dataflow configuration for reasoning about the download of sensitive file through insecure connection.
+ *
+ * Note, for performance reasons: only import this file if
+ * `InsecureDownload::Configuration` is needed, otherwise
+ * `InsecureDownloadCustomizations` should be imported instead.
+ */
+
+private import ruby
+private import codeql.ruby.DataFlow
+import InsecureDownloadCustomizations::InsecureDownload
+
+/**
+ * A taint tracking configuration for download of sensitive file through insecure connection.
+ */
+class Configuration extends DataFlow::Configuration {
+  Configuration() { this = "InsecureDownload" }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowState label) {
+    source.(Source).getALabel() = label
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState label) {
+    sink.(Sink).getALabel() = label
+  }
+
+  override predicate isBarrier(DataFlow::Node node) {
+    super.isBarrier(node) or
+    node instanceof Sanitizer
+  }
+}

ruby/ql/src/change-notes/2022-04-14-rb-insecure-download.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `rb/insecure-download`. The query finds cases where executables and other sensitive files are downloaded over an insecure connection, which may allow for man-in-the-middle attacks.

ruby/ql/src/queries/security/cwe-829/InsecureDownload.qhelp

@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+	<overview>
+		<p>
+			Downloading executeables or other sensitive files over an unencrypted connection 
+			can leave a server open to man-in-the-middle attacks (MITM). 
+			Such an attack can allow an attacker to insert arbitrary content 
+			into the downloaded file, and in the worst case, allow the attacker to execute 
+			arbitrary code on the vulnerable system.
+		</p>
+	</overview>
+	<recommendation>
+		<p>
+			Use a secure transfer protocol when downloading executables or other sensitive files.
+		</p>
+	</recommendation>
+	<example>
+		<p>
+			In this example, a server downloads a shell script from a remote URL and then executes the script. 
+		</p>
+		<sample src="examples/insecure_download.rb" />
+		<p>
+			The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded
+			shell script with arbitrary code, which gives the attacker complete control over the system.
+		</p>
+		<p>
+			The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.
+		</p>
+		<sample src="examples/secure_download.rb" />
+	</example>
+
+	<references>
+		<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man-in-the-middle attack</a></li>
+	</references>
+</qhelp>

ruby/ql/src/queries/security/cwe-829/InsecureDownload.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Download of sensitive file through insecure connection
+ * @description Downloading executables and other sensitive files over an insecure connection
+ *              may allow man-in-the-middle attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.1
+ * @precision high
+ * @id rb/insecure-download
+ * @tags security
+ *       external/cwe/cwe-829
+ */
+
+import ruby
+import codeql.ruby.DataFlow
+import codeql.ruby.security.InsecureDownloadQuery
+import DataFlow::PathGraph
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ of sensitive file from $@.",
+  sink.getNode().(Sink).getDownloadCall(), "Download", source.getNode(), "HTTP source"

ruby/ql/src/queries/security/cwe-829/examples/insecure_download.rb

@@ -0,0 +1,4 @@
+require "net/http"
+
+script = Net::HTTP.new("http://mydownload.example.org").get("/myscript.sh").body
+system(script)

ruby/ql/src/queries/security/cwe-829/examples/secure_download.rb

@@ -0,0 +1,4 @@
+require "net/http"
+
+script = Net::HTTP.new("https://mydownload.example.org").get("/myscript.sh").body
+system(script)

ruby/ql/test/library-tests/frameworks/http_clients/HttpClients.expected

@@ -48,9 +48,13 @@
 | NetHttp.rb:6:8:6:50 | call to post | Net::HTTP | NetHttp.rb:6:23:6:36 | call to parse | NetHttp.rb:7:1:7:9 | call to body |
 | NetHttp.rb:6:8:6:50 | call to post | Net::HTTP | NetHttp.rb:6:23:6:36 | call to parse | NetHttp.rb:8:1:8:14 | call to read_body |
 | NetHttp.rb:6:8:6:50 | call to post | Net::HTTP | NetHttp.rb:6:23:6:36 | call to parse | NetHttp.rb:9:1:9:11 | call to entity |
+| NetHttp.rb:13:6:13:17 | call to get | Net::HTTP | NetHttp.rb:11:21:11:41 | "https://example.com" | NetHttp.rb:18:1:18:7 | call to body |
 | NetHttp.rb:13:6:13:17 | call to get | Net::HTTP | NetHttp.rb:13:14:13:16 | "/" | NetHttp.rb:18:1:18:7 | call to body |
+| NetHttp.rb:14:6:14:18 | call to post | Net::HTTP | NetHttp.rb:11:21:11:41 | "https://example.com" | NetHttp.rb:19:1:19:12 | call to read_body |
 | NetHttp.rb:14:6:14:18 | call to post | Net::HTTP | NetHttp.rb:14:15:14:17 | "/" | NetHttp.rb:19:1:19:12 | call to read_body |
+| NetHttp.rb:15:6:15:17 | call to put | Net::HTTP | NetHttp.rb:11:21:11:41 | "https://example.com" | NetHttp.rb:20:1:20:9 | call to entity |
 | NetHttp.rb:15:6:15:17 | call to put | Net::HTTP | NetHttp.rb:15:14:15:16 | "/" | NetHttp.rb:20:1:20:9 | call to entity |
+| NetHttp.rb:24:3:24:33 | call to get | Net::HTTP | NetHttp.rb:24:17:24:22 | domain | NetHttp.rb:27:1:27:28 | call to body |
 | NetHttp.rb:24:3:24:33 | call to get | Net::HTTP | NetHttp.rb:24:29:24:32 | path | NetHttp.rb:27:1:27:28 | call to body |
 | OpenURI.rb:3:9:3:41 | call to open | OpenURI | OpenURI.rb:3:21:3:40 | "http://example.com" | OpenURI.rb:4:1:4:10 | call to read |
 | OpenURI.rb:6:9:6:34 | call to open | OpenURI | OpenURI.rb:6:14:6:33 | "http://example.com" | OpenURI.rb:7:1:7:15 | call to readlines |

ruby/ql/test/query-tests/security/cwe-829/InsecureDownload.expected

@@ -0,0 +1,27 @@
+failures
+edges
+| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | insecure_download.rb:33:15:33:17 | url |
+| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | insecure_download.rb:33:15:33:17 | url |
+nodes
+| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | semmle.label | "http://example.org/unsafe.APK" |
+| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | semmle.label | "http://example.org/unsafe.APK" |
+| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | semmle.label | "http://example.org/unsafe.APK" :  |
+| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | semmle.label | "http://example.org/unsafe.APK" :  |
+| insecure_download.rb:33:15:33:17 | url | semmle.label | url |
+| insecure_download.rb:33:15:33:17 | url | semmle.label | url |
+| insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | semmle.label | "http://example.org/unsafe" |
+| insecure_download.rb:41:37:41:63 | "http://example.org/unsafe" | semmle.label | "http://example.org/unsafe" |
+| insecure_download.rb:43:22:43:56 | "http://example.org/unsafe.unk..." | semmle.label | "http://example.org/unsafe.unk..." |
+| insecure_download.rb:53:65:53:78 | "/myscript.sh" | semmle.label | "/myscript.sh" |
+subpaths
+#select
+| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | $@ | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | "http://example.org/unsafe.APK" |
+| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | $@ | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | "http://example.org/unsafe.APK" |
+| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | "http://example.org/unsafe.APK" :  |
+| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | "http://example.org/unsafe.APK" :  |
+| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:33:15:33:17 | url | url |
+| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:33:15:33:17 | url | url |
+| insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | $@ | insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | "http://example.org/unsafe" |
+| insecure_download.rb:41:37:41:63 | "http://example.org/unsafe" | insecure_download.rb:41:37:41:63 | "http://example.org/unsafe" | insecure_download.rb:41:37:41:63 | "http://example.org/unsafe" | $@ | insecure_download.rb:41:37:41:63 | "http://example.org/unsafe" | "http://example.org/unsafe" |
+| insecure_download.rb:43:22:43:56 | "http://example.org/unsafe.unk..." | insecure_download.rb:43:22:43:56 | "http://example.org/unsafe.unk..." | insecure_download.rb:43:22:43:56 | "http://example.org/unsafe.unk..." | $@ | insecure_download.rb:43:22:43:56 | "http://example.org/unsafe.unk..." | "http://example.org/unsafe.unk..." |
+| insecure_download.rb:53:65:53:78 | "/myscript.sh" | insecure_download.rb:53:65:53:78 | "/myscript.sh" | insecure_download.rb:53:65:53:78 | "/myscript.sh" | $@ | insecure_download.rb:53:65:53:78 | "/myscript.sh" | "/myscript.sh" |