apply code review suggestions, fix qldoc, add experimental additional taint steps that can improve performance

am0o0 · am0o0 · commit 2097a001b990 · 2023-11-22T10:01:51.000+01:00
diff --git a/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp b/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp
@@ -12,7 +12,7 @@
 <p>When you want to decompress a user-provided compressed file you must be careful about the decompression ratio or read these files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop.</p>
 
 </recommendation>
-<p>Please read official RubyZip Documentation <a href="https://github.com/rubyzip/rubyzip/#size-validation">here</a>
+<p>Please read official RubyZip Documentation <a href="https://github.com/rubyzip/rubyzip/#size-validation">here</a></p>
 <example>
 <p>Rubyzip: According to <a href="https://github.com/rubyzip/rubyzip/#reading-a-zip-file">official</a> Documentation</p>
 <sample src="example_good.rb" />
diff --git a/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql b/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
@@ -11,6 +11,7 @@
  *       external/cwe/cwe-409
  */
 
+import ruby
 private import codeql.ruby.Concepts
 private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking
@@ -26,40 +27,31 @@ class IoCopyStream extends DataFlow::CallNode {
 }
 
 module BombsConfig implements DataFlow::ConfigSig {
-  predicate isBarrier(DataFlow::Node node) {
-    node.getLocation().hasLocationInfo("%spec%", _, _, _, _)
-  }
-
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof DecompressionBomb::Sink }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(DecompressionBomb::AdditionalTaintStep ats).isAdditionalTaintStep(nodeFrom, nodeTo)
     or
-    exists(API::Node n | n = API::root().getMember("File").getMethod("open") |
+    exists(API::Node n | n = API::getTopLevelMember("File").getMethod("open") |
       nodeFrom = n.getParameter(0).asSink() and
       nodeTo = n.getReturn().asSource()
     )
     or
-    exists(File::FileOpen n |
-      nodeFrom = n.getAPathArgument() and
-      nodeTo = n
-    )
+    nodeFrom = nodeTo.(File::FileOpen).getAPathArgument()
     or
-    exists(API::Node n | n = API::root().getMember("StringIO").getMethod("new") |
+    exists(API::Node n | n = API::getTopLevelMember("StringIO").getMethod("new") |
       nodeFrom = n.getParameter(0).asSink() and
       nodeTo = n.getReturn().asSource()
     )
     or
-    exists(IoCopyStream n |
-      nodeFrom = n.getAPathArgument() and
-      nodeTo = n
-    )
+    nodeFrom = nodeTo.(IoCopyStream).getAPathArgument()
     or
     // following can be a global additional step
     exists(DataFlow::CallNode cn |
-      cn.getMethodName() = "open" and cn.getReceiver().toString() = "self"
+      cn.getMethodName() = "open" and
+      cn.getReceiver().getExprNode().getExpr() instanceof Ast::SelfVariableAccess
     |
       nodeFrom = cn.getArgument(0) and
       nodeTo = cn
diff --git a/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qll b/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qll
@@ -6,11 +6,12 @@ import codeql.ruby.dataflow.RemoteFlowSources
 
 module DecompressionBomb {
   /**
-   * The Sinks of uncontrolled data decompression
+   * A abstract class responsible for extending new decompression sinks
+   *
+   * can be a path, stream of compressed data,
+   * or a call to function that use pipe
    */
-  class Sink extends DataFlow::Node {
-    Sink() { this = any(Range r).sink() }
-  }
+  abstract class Sink extends DataFlow::Node { }
 
   /**
    * The additional taint steps that need for creating taint tracking or dataflow.
@@ -23,19 +24,6 @@ module DecompressionBomb {
      */
     abstract predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ);
   }
-
-  /**
-   * A abstract class responsible for extending new decompression sinks
-   */
-  abstract class Range extends API::Node {
-    /**
-     * Gets the sink of responsible for decompression node
-     *
-     * it can be a path, stream of compressed data,
-     * or a call to function that use pipe
-     */
-    abstract DataFlow::Node sink();
-  }
 }
 
 module Zlib {
@@ -54,10 +42,10 @@ module Zlib {
    * `Zlib::GzipReader.zcat`
    * `Zlib::GzipReader.new`
    */
-  class DecompressionBombSink extends DecompressionBomb::Range {
-    DecompressionBombSink() { this = gzipReaderInstance().getMethod(["open", "new", "zcat"]) }
-
-    override DataFlow::Node sink() { result = this.getReturn().asSource() }
+  class DecompressionBombSink extends DecompressionBomb::Sink {
+    DecompressionBombSink() {
+      this = gzipReaderInstance().getMethod(["open", "new", "zcat"]).getReturn().asSource()
+    }
   }
 
   /**
@@ -94,10 +82,10 @@ module ZipInputStream {
    *
    * as source of decompression bombs, they need an additional taint step for a dataflow or taint tracking query
    */
-  class DecompressionBombSink extends DecompressionBomb::Range {
-    DecompressionBombSink() { this = zipInputStream().getMethod(["open", "new"]) }
-
-    override DataFlow::Node sink() { result = this.getReturn().asSource() }
+  class DecompressionBombSink extends DecompressionBomb::Sink {
+    DecompressionBombSink() {
+      this = zipInputStream().getMethod(["open", "new"]).getReturn().asSource()
+    }
   }
 
   /**
@@ -144,12 +132,14 @@ module ZipFile {
    * `ZipEntry.extract`
    * A sanitizer exists inside the nodes which have `entry.size > someOBJ`
    */
-  class DecompressionBombSink extends DecompressionBomb::Range {
-    DecompressionBombSink() { this = rubyZipNode(zipFile()) }
-
-    override DataFlow::Node sink() {
-      result = this.getMethod(["extract", "read"]).getReturn().asSource() and
-      not exists(this.getMethod("size").getReturn().getMethod(">").getParameter(0))
+  class DecompressionBombSink extends DecompressionBomb::Sink {
+    DecompressionBombSink() {
+      exists(API::Node rubyZip | rubyZip = rubyZipNode(zipFile()) |
+        this = rubyZip.getMethod(["extract", "read"]).getReturn().asSource() and
+        not exists(
+          rubyZip.getMethod("size").getReturn().getMethod([">", " <", "<=", " >="]).getParameter(0)
+        )
+      )
     }
   }
 
@@ -166,4 +156,60 @@ module ZipFile {
       )
     }
   }
+
+  predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(API::Node zipFile | zipFile = zipFile().getMethod("open") |
+      nodeFrom = zipFile.getParameter(0).asSink() and
+      nodeTo = rubyZipNode(zipFile).getMethod(["extract", "read"]).getReturn().asSource()
+    )
+  }
+  // /**
+  //  * The additional taint steps that need for creating taint tracking or dataflow for `Zip::File`.
+  //  */
+  // class AdditionalTaintStep1 extends DecompressionBomb::AdditionalTaintStep {
+  //   AdditionalTaintStep1() { this = "AdditionalTaintStep" }
+  //   override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  //     exists(API::Node zipFile | zipFile = zipFile().getMethod("open") |
+  //       nodeFrom = zipFile.getParameter(0).asSink() and
+  //       nodeTo = zipFile.asSource()
+  //     )
+  //   }
+  // }
+  // API::Node rubyZipNode2() {
+  //   result = zipFile().getMethod("open")
+  //   or
+  //   result = rubyZipNode2().getMethod(_)
+  //   or
+  //   result = rubyZipNode2().getReturn()
+  //   or
+  //   result = rubyZipNode2().getParameter(_)
+  //   or
+  //   result = rubyZipNode2().getAnElement()
+  //   or
+  //   result = rubyZipNode2().getBlock()
+  // }
+  // /**
+  //  * The additional taint steps that need for creating taint tracking or dataflow for `Zip::File`.
+  //  */
+  // class AdditionalTaintStep2 extends DecompressionBomb::AdditionalTaintStep {
+  //   AdditionalTaintStep2() { this = "AdditionalTaintStep" }
+  //   override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  //     exists(API::Node zipFileOpen | zipFileOpen = rubyZipNode2() |
+  //       nodeFrom = zipFileOpen.getReturn().asSource() and
+  //       nodeTo = zipFileOpen.getMethod(["extract", "read"]).getReturn().asSource()
+  //     )
+  //   }
+  // }
+  // /**
+  //  * The additional taint steps that need for creating taint tracking or dataflow for `Zip::File`.
+  //  */
+  // class AdditionalTaintStep3 extends DecompressionBomb::AdditionalTaintStep {
+  //   AdditionalTaintStep3() { this = "AdditionalTaintStep" }
+  //   override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  //     exists(API::Node zipFileOpen | zipFileOpen = rubyZipNode2() |
+  //       nodeFrom = zipFileOpen.asCall() and
+  //       nodeTo = zipFileOpen.getMethod(["extract", "read"]).getReturn().asSource()
+  //     )
+  //   }
+  // }
 }
