Ruby: Add InsecureDownload query

This query finds cases where a potentially unsafe file is downloaded
over an unsecured connection.

Author: hmac

ruby/ql/lib/codeql/ruby/security/InsecureDownloadCustomizations.qll

@@ -0,0 +1,201 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * download of sensitive file through insecure connection, as well as
+ * extension points for adding your own.
+ */
+
+private import ruby
+private import codeql.ruby.DataFlow
+private import codeql.ruby.Concepts
+private import codeql.ruby.typetracking.TypeTracker
+private import codeql.ruby.frameworks.Files
+
+/**
+ * Classes and predicates for reasoning about download of sensitive file through insecure connection vulnerabilities.
+ */
+module InsecureDownload {
+  /**
+   * A data flow source for download of sensitive file through insecure connection.
+   */
+  abstract class Source extends DataFlow::Node {
+    /**
+     * Gets a flow-label for this source.
+     */
+    abstract DataFlow::FlowState getALabel();
+  }
+
+  /**
+   * A data flow sink for download of sensitive file through insecure connection.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets the call that downloads the sensitive file.
+     */
+    abstract DataFlow::Node getDownloadCall();
+
+    /**
+     * Gets a flow-label where this sink is vulnerable.
+     */
+    abstract DataFlow::FlowState getALabel();
+  }
+
+  /**
+   * A sanitizer for download of sensitive file through insecure connection.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * Flow-labels for reasoning about download of sensitive file through insecure connection.
+   */
+  module Label {
+    /**
+     * A flow-label for a URL that is downloaded over an insecure connection.
+     */
+    class Insecure extends DataFlow::FlowState {
+      Insecure() { this = "insecure" }
+    }
+
+    /**
+     * A flow-label for a URL that is sensitive.
+     */
+    class Sensitive extends DataFlow::FlowState {
+      Sensitive() { this = "sensitive" }
+    }
+
+    /**
+     * A flow-label for file URLs that are both sensitive and downloaded over an insecure connection.
+     */
+    class SensitiveInsecure extends DataFlow::FlowState {
+      SensitiveInsecure() { this = "sensitiveInsecure" }
+    }
+  }
+
+  /**
+   * A HTTP or FTP url.
+   */
+  class InsecureUrl extends DataFlow::Node {
+    string str;
+
+    InsecureUrl() {
+      str = this.asExpr().getConstantValue().getString() and
+      str.regexpMatch("http://.*|ftp://.*")
+    }
+  }
+
+  /**
+   * A HTTP or FTP URL that refers to a file with a sensitive file extension,
+   * seen as a source for downloads of sensitive files through an insecure connection.
+   */
+  class InsecureFileUrl extends Source, InsecureUrl {
+    override DataFlow::FlowState getALabel() {
+      result instanceof Label::Insecure
+      or
+      hasUnsafeExtension(str) and
+      result instanceof Label::SensitiveInsecure
+    }
+  }
+
+  /**
+   * A string containing a sensitive file extension,
+   * seen as a source for downloads of sensitive files through an insecure connection.
+   */
+  class SensitiveFileUrl extends Source {
+    string str;
+
+    SensitiveFileUrl() {
+      str = this.asExpr().getConstantValue().getString() and
+      hasUnsafeExtension(str)
+    }
+
+    override DataFlow::FlowState getALabel() { result instanceof Label::Sensitive }
+  }
+
+  /**
+   * Holds if `str` is a string that ends with an unsafe file extension.
+   */
+  bindingset[str]
+  predicate hasUnsafeExtension(string str) {
+    exists(string suffix | suffix = unsafeExtension() |
+      str.suffix(str.length() - suffix.length() - 1).toLowerCase() = "." + suffix
+    )
+  }
+
+  /**
+   * Gets a file-extension that can potentially be dangerous.
+   *
+   * Archives are included, because they often contain source-code.
+   */
+  string unsafeExtension() {
+    result =
+      [
+        "exe", "dmg", "pkg", "tar.gz", "zip", "sh", "bat", "cmd", "app", "apk", "msi", "dmg",
+        "tar.gz", "zip", "js", "py", "jar", "war"
+      ]
+  }
+
+  /**
+   * A response from an outgoing HTTP request, considered as a flow sink for
+   * downloading a sensitive file through an insecure connection.
+   */
+  private class HttpResponseAsSink extends Sink {
+    private HTTP::Client::Request req;
+
+    HttpResponseAsSink() {
+      this = req.getAUrlPart() and
+      // If any part of the URL has an unsafe extension, we consider all parts of the URL to be sinks.
+      hasUnsafeExtension(req.getAUrlPart().asExpr().getConstantValue().getString())
+    }
+
+    override DataFlow::Node getDownloadCall() { result.asExpr().getExpr() = req }
+
+    override DataFlow::FlowState getALabel() {
+      result instanceof Label::SensitiveInsecure
+      or
+      any(req.getAUrlPart()) instanceof InsecureUrl and result instanceof Label::Sensitive
+    }
+  }
+
+  /**
+   * Gets a node for the response from `request`, type-tracked using `t`.
+   */
+  DataFlow::LocalSourceNode clientRequestResponse(TypeTracker t, HTTP::Client::Request request) {
+    t.start() and
+    result = request.getResponseBody()
+    or
+    exists(TypeTracker t2 | result = clientRequestResponse(t2, request).track(t2, t))
+  }
+
+  /**
+   * A url that is downloaded through an insecure connection, where the result ends up being saved to a sensitive location.
+   */
+  class FileWriteSink extends Sink {
+    HTTP::Client::Request request;
+
+    FileWriteSink() {
+      // For example, in:
+      //
+      // ```rb
+      // f = File.open("foo.exe")
+      // f.write(Excon.get(...).body) # $BAD=
+      // ```
+      //
+      // `f` is the `FileSystemAccess` and the call `f.write` is the `IO::FileWriter`.
+      // The call `Excon.get` is the `HTTP::Client::Request`.
+      //
+      // The `file = write` alternative models this case:
+      // ```rb
+      // File.write("foo.exe", Excon.get(...).body)
+      // ```
+      exists(IO::FileWriter write, FileSystemAccess file |
+        this = request.getAUrlPart() and
+        clientRequestResponse(TypeTracker::end(), request).flowsTo(write.getADataNode()) and
+        (file.(DataFlow::LocalSourceNode).flowsTo(write.getReceiver()) or file = write) and
+        hasUnsafeExtension(file.getAPathArgument().asExpr().getConstantValue().getString())
+      )
+    }
+
+    override DataFlow::FlowState getALabel() { result instanceof Label::Insecure }
+
+    override DataFlow::Node getDownloadCall() { result.asExpr().getExpr() = request }
+  }
+}

ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll

@@ -0,0 +1,31 @@
+/**
+ * Provides a taint tracking configuration for reasoning about download of sensitive file through insecure connection.
+ *
+ * Note, for performance reasons: only import this file if
+ * `InsecureDownload::Configuration` is needed, otherwise
+ * `InsecureDownloadCustomizations` should be imported instead.
+ */
+
+private import ruby
+private import codeql.ruby.DataFlow
+import InsecureDownloadCustomizations::InsecureDownload
+
+/**
+ * A taint tracking configuration for download of sensitive file through insecure connection.
+ */
+class Configuration extends DataFlow::Configuration {
+  Configuration() { this = "InsecureDownload" }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowState label) {
+    source.(Source).getALabel() = label
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState label) {
+    sink.(Sink).getALabel() = label
+  }
+
+  override predicate isBarrier(DataFlow::Node node) {
+    super.isBarrier(node) or
+    node instanceof Sanitizer
+  }
+}

ruby/ql/src/queries/security/cwe-829/InsecureDownload.qhelp

@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+	<overview>
+		<p>
+			Downloading executeables or other sensitive files over an unencrypted connection 
+			can leave a server open to man-in-the-middle attacks (MITM). 
+			Such an attack can allow an attacker to insert arbitrary content 
+			into the downloaded file, and in the worst case, allow the attacker to execute 
+			arbitrary code on the vulnerable system.
+		</p>
+	</overview>
+	<recommendation>
+		<p>
+			Use a secure transfer protocol when downloading executables or other sensitive files.
+		</p>
+	</recommendation>
+	<example>
+		<p>
+			In this example, a server downloads a shell script from a remote URL and then executes the script. 
+		</p>
+		<sample src="examples/insecure_download.rb" />
+		<p>
+			The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded
+			shell script with arbitrary code, which gives the attacker complete control over the system.
+		</p>
+		<p>
+			The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.
+		</p>
+		<sample src="examples/secure_download.rb" />
+	</example>
+
+	<references>
+		<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man-in-the-middle attack</a></li>
+	</references>
+</qhelp>

ruby/ql/src/queries/security/cwe-829/InsecureDownload.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Download of sensitive file through insecure connection
+ * @description Downloading executables and other sensitive files over an insecure connection
+ *              opens up for potential man-in-the-middle attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.1
+ * @precision high
+ * @id rb/insecure-download
+ * @tags security
+ *       external/cwe/cwe-829
+ */
+
+import ruby
+import codeql.ruby.DataFlow
+import codeql.ruby.security.InsecureDownloadQuery
+import DataFlow::PathGraph
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ of sensitive file from $@.",
+  sink.getNode().(Sink).getDownloadCall(), "Download", source.getNode(), "HTTP source"

ruby/ql/src/queries/security/cwe-829/examples/insecure_download.rb

@@ -0,0 +1,4 @@
+require "net/http"
+
+script = Net::HTTP.new("http://mydownload.example.org").get("/myscript.sh").body
+system(script)

ruby/ql/src/queries/security/cwe-829/examples/secure_download.rb

@@ -0,0 +1,4 @@
+require "net/http"
+
+script = Net::HTTP.new("https://mydownload.example.org").get("/myscript.sh").body
+system(script)

ruby/ql/test/query-tests/security/cwe-829/InsecureDownload.expected

@@ -0,0 +1,28 @@
+failures
+| insecure_download.rb:5:36:5:63 | # $BAD= (requires hash flow) | Missing result:BAD= |
+edges
+| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | insecure_download.rb:33:15:33:17 | url |
+| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | insecure_download.rb:33:15:33:17 | url |
+nodes
+| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | semmle.label | "http://example.org/unsafe.APK" |
+| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | semmle.label | "http://example.org/unsafe.APK" |
+| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | semmle.label | "http://example.org/unsafe.APK" :  |
+| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | semmle.label | "http://example.org/unsafe.APK" :  |
+| insecure_download.rb:33:15:33:17 | url | semmle.label | url |
+| insecure_download.rb:33:15:33:17 | url | semmle.label | url |
+| insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | semmle.label | "http://example.org/unsafe" |
+| insecure_download.rb:41:37:41:63 | "http://example.org/unsafe" | semmle.label | "http://example.org/unsafe" |
+| insecure_download.rb:43:22:43:56 | "http://example.org/unsafe.unk..." | semmle.label | "http://example.org/unsafe.unk..." |
+| insecure_download.rb:53:65:53:78 | "/myscript.sh" | semmle.label | "/myscript.sh" |
+subpaths
+#select
+| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | $@ | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | "http://example.org/unsafe.APK" |
+| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | $@ | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | "http://example.org/unsafe.APK" |
+| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | "http://example.org/unsafe.APK" :  |
+| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" :  | "http://example.org/unsafe.APK" :  |
+| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:33:15:33:17 | url | url |
+| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:33:15:33:17 | url | url |
+| insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | $@ | insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | "http://example.org/unsafe" |
+| insecure_download.rb:41:37:41:63 | "http://example.org/unsafe" | insecure_download.rb:41:37:41:63 | "http://example.org/unsafe" | insecure_download.rb:41:37:41:63 | "http://example.org/unsafe" | $@ | insecure_download.rb:41:37:41:63 | "http://example.org/unsafe" | "http://example.org/unsafe" |
+| insecure_download.rb:43:22:43:56 | "http://example.org/unsafe.unk..." | insecure_download.rb:43:22:43:56 | "http://example.org/unsafe.unk..." | insecure_download.rb:43:22:43:56 | "http://example.org/unsafe.unk..." | $@ | insecure_download.rb:43:22:43:56 | "http://example.org/unsafe.unk..." | "http://example.org/unsafe.unk..." |
+| insecure_download.rb:53:65:53:78 | "/myscript.sh" | insecure_download.rb:53:65:53:78 | "/myscript.sh" | insecure_download.rb:53:65:53:78 | "/myscript.sh" | $@ | insecure_download.rb:53:65:53:78 | "/myscript.sh" | "/myscript.sh" |

ruby/ql/test/query-tests/security/cwe-829/InsecureDownload.ql

@@ -0,0 +1,22 @@
+import ruby
+import codeql.ruby.DataFlow
+import PathGraph
+import TestUtilities.InlineFlowTest
+import codeql.ruby.security.InsecureDownloadQuery
+
+class FlowTest extends InlineFlowTest {
+  override DataFlow::Configuration getValueFlowConfig() { result = any(Configuration config) }
+
+  override DataFlow::Configuration getTaintFlowConfig() { none() }
+
+  override string getARelevantTag() { result = "BAD" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "BAD" and
+    super.hasActualResult(location, element, "hasValueFlow", value)
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, Configuration conf
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()