Ruby: Add ActiveJob::Serializers.deserialize as a code execution sink

alexrford · alexrford · commit ee7740400695 · 2022-10-09T22:28:22.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/Frameworks.qll b/ruby/ql/lib/codeql/ruby/Frameworks.qll
@@ -5,6 +5,7 @@
 private import codeql.ruby.frameworks.Core
 private import codeql.ruby.frameworks.ActionCable
 private import codeql.ruby.frameworks.ActionController
+private import codeql.ruby.frameworks.ActiveJob
 private import codeql.ruby.frameworks.ActiveRecord
 private import codeql.ruby.frameworks.ActiveResource
 private import codeql.ruby.frameworks.ActiveStorage
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveJob.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveJob.qll
@@ -0,0 +1,30 @@
+/**
+ * Modeling for `ActiveJob`, a framweork for declaring and enqueueing jobs that
+ * ships with Rails.
+ * https://rubygems.org/gems/activejob
+ */
+
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+
+/** Modeling for `ActiveJob`. */
+module ActiveJob {
+  /**
+   * `ActiveJob::Serializers`
+   */
+  module Serializers {
+    /**
+     * A call to `ActiveJob::Serializers.deserialize`, which interprets part of
+     * its argument as a Ruby constant.
+     */
+    class DeserializeCall extends DataFlow::CallNode, CodeExecution::Range {
+      DeserializeCall() {
+        this =
+          API::getTopLevelMember("ActiveJob").getMember("Serializers").getAMethodCall("deserialize")
+      }
+
+      override DataFlow::Node getCode() { result = this.getArgument(0) }
+    }
+  }
+}
diff --git a/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.expected b/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.expected
@@ -6,6 +6,7 @@ edges
 | CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:29:15:29:18 | code |
 | CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:32:19:32:22 | code |
 | CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:38:24:38:27 | code :  |
+| CodeInjection.rb:5:12:5:24 | ...[...] :  | CodeInjection.rb:41:40:41:43 | code |
 | CodeInjection.rb:38:24:38:27 | code :  | CodeInjection.rb:38:10:38:28 | call to escape |
 nodes
 | CodeInjection.rb:5:12:5:17 | call to params :  | semmle.label | call to params :  |
@@ -18,6 +19,7 @@ nodes
 | CodeInjection.rb:32:19:32:22 | code | semmle.label | code |
 | CodeInjection.rb:38:10:38:28 | call to escape | semmle.label | call to escape |
 | CodeInjection.rb:38:24:38:27 | code :  | semmle.label | code :  |
+| CodeInjection.rb:41:40:41:43 | code | semmle.label | code |
 subpaths
 #select
 | CodeInjection.rb:8:10:8:13 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:8:10:8:13 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
@@ -27,3 +29,4 @@ subpaths
 | CodeInjection.rb:29:15:29:18 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:29:15:29:18 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
 | CodeInjection.rb:32:19:32:22 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:32:19:32:22 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
 | CodeInjection.rb:38:10:38:28 | call to escape | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:38:10:38:28 | call to escape | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
+| CodeInjection.rb:41:40:41:43 | code | CodeInjection.rb:5:12:5:17 | call to params :  | CodeInjection.rb:41:40:41:43 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
