Merge pull request #322 from github/request-without-validation

rb/request-without-cert-validation

Author: aibaars

ql/lib/codeql/ruby/Concepts.qll

@@ -419,6 +419,15 @@ module HTTP {
 
       /** Gets a string that identifies the framework used for this request. */
       string getFramework() { result = super.getFramework() }
+
+      /**
+       * Holds if this request is made using a mode that disables SSL/TLS
+       * certificate validation, where `disablingNode` represents the point at
+       * which the validation was disabled.
+       */
+      predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
+        super.disablesCertificateValidation(disablingNode)
+      }
     }
 
     /** Provides a class for modeling new HTTP requests. */
@@ -435,6 +444,13 @@ module HTTP {
 
         /** Gets a string that identifies the framework used for this request. */
         abstract string getFramework();
+
+        /**
+         * Holds if this request is made using a mode that disables SSL/TLS
+         * certificate validation, where `disablingNode` represents the point at
+         * which the validation was disabled.
+         */
+        abstract predicate disablesCertificateValidation(DataFlow::Node disablingNode);
       }
     }
 

ql/lib/codeql/ruby/ast/Literal.qll

@@ -194,6 +194,13 @@ class BooleanLiteral extends Literal, TBooleanLiteral {
 
   /** Holds if the Boolean literal is `false` or `FALSE`. */
   predicate isFalse() { none() }
+
+  /** Gets the value of this Boolean literal. */
+  boolean getValue() {
+    this.isTrue() and result = true
+    or
+    this.isFalse() and result = false
+  }
 }
 
 private class TrueLiteral extends BooleanLiteral, TTrueLiteral {
@@ -750,7 +757,7 @@ class HashLiteral extends Literal, THashLiteral {
   final override string getAPrimaryQlClass() { result = "HashLiteral" }
 
   /**
-   * Gets the `n`th element in this array literal.
+   * Gets the `n`th element in this hash literal.
    *
    * In the following example, the 0th element is a `Pair`, and the 1st element
    * is a `HashSplatExpr`.
@@ -761,7 +768,7 @@ class HashLiteral extends Literal, THashLiteral {
    */
   final Expr getElement(int n) { toGenerated(result) = g.getChild(n) }
 
-  /** Gets an element in this array literal. */
+  /** Gets an element in this hash literal. */
   final Expr getAnElement() { result = this.getElement(_) }
 
   /** Gets a key-value `Pair` in this hash literal. */

ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll

@@ -18,29 +18,113 @@ private import codeql.ruby.ApiGraphs
  * https://github.com/excon/excon/blob/master/README.md
  */
 class ExconHttpRequest extends HTTP::Client::Request::Range {
-  DataFlow::Node request;
-  DataFlow::CallNode responseBody;
+  DataFlow::Node requestUse;
+  API::Node requestNode;
+  API::Node connectionNode;
 
   ExconHttpRequest() {
-    exists(API::Node requestNode | request = requestNode.getAnImmediateUse() |
-      requestNode =
-        [
-          // one-off requests
-          API::getTopLevelMember("Excon"),
-          // connection re-use
-          API::getTopLevelMember("Excon").getInstance()
-        ]
-            .getReturn([
-                // Excon#request exists but Excon.request doesn't.
-                // This shouldn't be a problem - in real code the latter would raise NoMethodError anyway.
-                "get", "head", "delete", "options", "post", "put", "patch", "trace", "request"
-              ]) and
-      responseBody = requestNode.getAMethodCall("body") and
-      this = request.asExpr().getExpr()
-    )
+    requestUse = requestNode.getAnImmediateUse() and
+    connectionNode =
+      [
+        // one-off requests
+        API::getTopLevelMember("Excon"),
+        // connection re-use
+        API::getTopLevelMember("Excon").getInstance(),
+        API::getTopLevelMember("Excon").getMember("Connection").getInstance()
+      ] and
+    requestNode =
+      connectionNode
+          .getReturn([
+              // Excon#request exists but Excon.request doesn't.
+              // This shouldn't be a problem - in real code the latter would raise NoMethodError anyway.
+              "get", "head", "delete", "options", "post", "put", "patch", "trace", "request"
+            ]) and
+    this = requestUse.asExpr().getExpr()
   }
 
-  override DataFlow::Node getResponseBody() { result = responseBody }
+  override DataFlow::Node getResponseBody() { result = requestNode.getAMethodCall("body") }
+
+  override predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
+    // Check for `ssl_verify_peer: false` in the options hash.
+    exists(DataFlow::Node arg, int i |
+      i > 0 and arg = connectionNode.getAUse().(DataFlow::CallNode).getArgument(i)
+    |
+      argSetsVerifyPeer(arg, false, disablingNode)
+    )
+    or
+    // Or we see a call to `Excon.defaults[:ssl_verify_peer] = false` before the
+    // request, and no `ssl_verify_peer: true` in the explicit options hash for
+    // the request call.
+    exists(DataFlow::CallNode disableCall |
+      setsDefaultVerification(disableCall, false) and
+      disableCall.asExpr().getASuccessor+() = requestUse.asExpr() and
+      disablingNode = disableCall and
+      not exists(DataFlow::Node arg, int i |
+        i > 0 and arg = connectionNode.getAUse().(DataFlow::CallNode).getArgument(i)
+      |
+        argSetsVerifyPeer(arg, true, _)
+      )
+    )
+  }
 
   override string getFramework() { result = "Excon" }
 }
+
+/**
+ * Holds if `arg` represents an options hash that contains the key
+ * `:ssl_verify_peer` with `value`, where `kvNode` is the data-flow node for
+ * this key-value pair.
+ */
+predicate argSetsVerifyPeer(DataFlow::Node arg, boolean value, DataFlow::Node kvNode) {
+  // Either passed as an individual key:value argument, e.g.:
+  // Excon.get(..., ssl_verify_peer: false)
+  isSslVerifyPeerPair(arg.asExpr().getExpr(), value) and
+  kvNode = arg
+  or
+  // Or as a single hash argument, e.g.:
+  // Excon.get(..., { ssl_verify_peer: false, ... })
+  exists(DataFlow::LocalSourceNode optionsNode, Pair p |
+    p = optionsNode.asExpr().getExpr().(HashLiteral).getAKeyValuePair() and
+    isSslVerifyPeerPair(p, value) and
+    optionsNode.flowsTo(arg) and
+    kvNode.asExpr().getExpr() = p
+  )
+}
+
+/**
+ * Holds if `callNode` sets `Excon.defaults[:ssl_verify_peer]` or
+ * `Excon.ssl_verify_peer` to `value`.
+ */
+private predicate setsDefaultVerification(DataFlow::CallNode callNode, boolean value) {
+  callNode = API::getTopLevelMember("Excon").getReturn("defaults").getAMethodCall("[]=") and
+  isSslVerifyPeerLiteral(callNode.getArgument(0)) and
+  hasBooleanValue(callNode.getArgument(1), value)
+  or
+  callNode = API::getTopLevelMember("Excon").getAMethodCall("ssl_verify_peer=") and
+  hasBooleanValue(callNode.getArgument(0), value)
+}
+
+private predicate isSslVerifyPeerLiteral(DataFlow::Node node) {
+  exists(DataFlow::LocalSourceNode literal |
+    literal.asExpr().getExpr().(SymbolLiteral).getValueText() = "ssl_verify_peer" and
+    literal.flowsTo(node)
+  )
+}
+
+/** Holds if `node` can contain `value`. */
+private predicate hasBooleanValue(DataFlow::Node node, boolean value) {
+  exists(DataFlow::LocalSourceNode literal |
+    literal.asExpr().getExpr().(BooleanLiteral).getValue() = value and
+    literal.flowsTo(node)
+  )
+}
+
+/** Holds if `p` is the pair `ssl_verify_peer: <value>`. */
+private predicate isSslVerifyPeerPair(Pair p, boolean value) {
+  exists(DataFlow::Node key, DataFlow::Node valueNode |
+    key.asExpr().getExpr() = p.getKey() and valueNode.asExpr().getExpr() = p.getValue()
+  |
+    isSslVerifyPeerLiteral(key) and
+    hasBooleanValue(valueNode, value)
+  )
+}

ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll

@@ -14,25 +14,127 @@ private import codeql.ruby.ApiGraphs
  * ```
  */
 class FaradayHttpRequest extends HTTP::Client::Request::Range {
-  DataFlow::Node request;
-  DataFlow::CallNode responseBody;
+  DataFlow::Node requestUse;
+  API::Node requestNode;
+  API::Node connectionNode;
 
   FaradayHttpRequest() {
-    exists(API::Node requestNode |
-      requestNode =
-        [
-          // one-off requests
-          API::getTopLevelMember("Faraday"),
-          // connection re-use
-          API::getTopLevelMember("Faraday").getInstance()
-        ].getReturn(["get", "head", "delete", "post", "put", "patch", "trace"]) and
-      responseBody = requestNode.getAMethodCall("body") and
-      request = requestNode.getAnImmediateUse() and
-      this = request.asExpr().getExpr()
-    )
+    connectionNode =
+      [
+        // one-off requests
+        API::getTopLevelMember("Faraday"),
+        // connection re-use
+        API::getTopLevelMember("Faraday").getInstance()
+      ] and
+    requestNode =
+      connectionNode.getReturn(["get", "head", "delete", "post", "put", "patch", "trace"]) and
+    requestUse = requestNode.getAnImmediateUse() and
+    this = requestUse.asExpr().getExpr()
   }
 
-  override DataFlow::Node getResponseBody() { result = responseBody }
+  override DataFlow::Node getResponseBody() { result = requestNode.getAMethodCall("body") }
+
+  override predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
+    // `Faraday::new` takes an options hash as its second argument, and we're
+    // looking for
+    // `{ ssl: { verify: false } }`
+    // or
+    // `{ ssl: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }`
+    exists(DataFlow::Node arg, int i |
+      i > 0 and arg = connectionNode.getAUse().(DataFlow::CallNode).getArgument(i)
+    |
+      // Either passed as an individual key:value argument, e.g.:
+      // Faraday.new(..., ssl: {...})
+      isSslOptionsPairDisablingValidation(arg.asExpr().getExpr()) and
+      disablingNode = arg
+      or
+      // Or as a single hash argument, e.g.:
+      // Faraday.new(..., { ssl: {...} })
+      exists(DataFlow::LocalSourceNode optionsNode, Pair p |
+        p = optionsNode.asExpr().getExpr().(HashLiteral).getAKeyValuePair() and
+        isSslOptionsPairDisablingValidation(p) and
+        optionsNode.flowsTo(arg) and
+        disablingNode.asExpr().getExpr() = p
+      )
+    )
+  }
 
   override string getFramework() { result = "Faraday" }
 }
+
+/**
+ * Holds if the pair `p` contains the key `:ssl` for which the value is a hash
+ * containing either `verify: false` or
+ * `verify_mode: OpenSSL::SSL::VERIFY_NONE`.
+ */
+private predicate isSslOptionsPairDisablingValidation(Pair p) {
+  exists(DataFlow::Node key, DataFlow::Node value |
+    key.asExpr().getExpr() = p.getKey() and value.asExpr().getExpr() = p.getValue()
+  |
+    isSymbolLiteral(key, "ssl") and
+    (isHashWithVerifyFalse(value) or isHashWithVerifyModeNone(value))
+  )
+}
+
+/** Holds if `node` represents the symbol literal with the given `valueText`. */
+private predicate isSymbolLiteral(DataFlow::Node node, string valueText) {
+  exists(DataFlow::LocalSourceNode literal |
+    literal.asExpr().getExpr().(SymbolLiteral).getValueText() = valueText and
+    literal.flowsTo(node)
+  )
+}
+
+/**
+ * Holds if `node` represents a hash containing the key-value pair
+ * `verify: false`.
+ */
+private predicate isHashWithVerifyFalse(DataFlow::Node node) {
+  exists(DataFlow::LocalSourceNode hash |
+    isVerifyFalsePair(hash.asExpr().getExpr().(HashLiteral).getAKeyValuePair()) and
+    hash.flowsTo(node)
+  )
+}
+
+/**
+ * Holds if `node` represents a hash containing the key-value pair
+ * `verify_mode: OpenSSL::SSL::VERIFY_NONE`.
+ */
+private predicate isHashWithVerifyModeNone(DataFlow::Node node) {
+  exists(DataFlow::LocalSourceNode hash |
+    isVerifyModeNonePair(hash.asExpr().getExpr().(HashLiteral).getAKeyValuePair()) and
+    hash.flowsTo(node)
+  )
+}
+
+/**
+ * Holds if the pair `p` has the key `:verify_mode` and the value
+ * `OpenSSL::SSL::VERIFY_NONE`.
+ */
+private predicate isVerifyModeNonePair(Pair p) {
+  exists(DataFlow::Node key, DataFlow::Node value |
+    key.asExpr().getExpr() = p.getKey() and value.asExpr().getExpr() = p.getValue()
+  |
+    isSymbolLiteral(key, "verify_mode") and
+    value = API::getTopLevelMember("OpenSSL").getMember("SSL").getMember("VERIFY_NONE").getAUse()
+  )
+}
+
+/**
+ * Holds if the pair `p` has the key `:verify` and the value `false`.
+ */
+private predicate isVerifyFalsePair(Pair p) {
+  exists(DataFlow::Node key, DataFlow::Node value |
+    key.asExpr().getExpr() = p.getKey() and value.asExpr().getExpr() = p.getValue()
+  |
+    isSymbolLiteral(key, "verify") and
+    isFalse(value)
+  )
+}
+
+/** Holds if `node` can contain the Boolean value `false`. */
+private predicate isFalse(DataFlow::Node node) {
+  exists(DataFlow::LocalSourceNode literal |
+    literal.asExpr().getExpr().(BooleanLiteral).isFalse() and
+    literal.flowsTo(node)
+  )
+}