Merge pull request #326 from github/hmac/eval-fixes

Make Code execution query more specific

Author: hmac

ql/lib/codeql/ruby/frameworks/StandardLibrary.qll

@@ -277,7 +277,7 @@ class Open3PipelineCall extends SystemCommandExecution::Range {
 }
 
 /**
- * A call to `Kernel.eval`, which executes its argument as Ruby code.
+ * A call to `Kernel.eval`, which executes its first argument as Ruby code.
  * ```ruby
  * a = 1
  * Kernel.eval("a = 2")
@@ -291,11 +291,11 @@ class EvalCallCodeExecution extends CodeExecution::Range {
     this.asExpr().getExpr() = methodCall and methodCall.getMethodName() = "eval"
   }
 
-  override DataFlow::Node getCode() { result.asExpr().getExpr() = methodCall.getAnArgument() }
+  override DataFlow::Node getCode() { result.asExpr().getExpr() = methodCall.getArgument(0) }
 }
 
 /**
- * A call to `Kernel#send`, which executes its arguments as a Ruby method call.
+ * A call to `Kernel#send`, which executes its first argument as a Ruby method call.
  * ```ruby
  * arr = []
  * arr.send("push", 1)
@@ -309,11 +309,11 @@ class SendCallCodeExecution extends CodeExecution::Range {
     this.asExpr().getExpr() = methodCall and methodCall.getMethodName() = "send"
   }
 
-  override DataFlow::Node getCode() { result.asExpr().getExpr() = methodCall.getAnArgument() }
+  override DataFlow::Node getCode() { result.asExpr().getExpr() = methodCall.getArgument(0) }
 }
 
 /**
- * A call to `BasicObject#instance_eval`, which executes its argument as Ruby code.
+ * A call to `BasicObject#instance_eval`, which executes its first argument as Ruby code.
  */
 class InstanceEvalCallCodeExecution extends CodeExecution::Range {
   BasicObjectInstanceMethodCall methodCall;
@@ -322,11 +322,11 @@ class InstanceEvalCallCodeExecution extends CodeExecution::Range {
     this.asExpr().getExpr() = methodCall and methodCall.getMethodName() = "instance_eval"
   }
 
-  override DataFlow::Node getCode() { result.asExpr().getExpr() = methodCall.getAnArgument() }
+  override DataFlow::Node getCode() { result.asExpr().getExpr() = methodCall.getArgument(0) }
 }
 
 /**
- * A call to `Module#class_eval`, which executes its argument as Ruby code.
+ * A call to `Module#class_eval`, which executes its first argument as Ruby code.
  */
 class ClassEvalCallCodeExecution extends CodeExecution::Range {
   UnknownMethodCall methodCall;
@@ -335,11 +335,11 @@ class ClassEvalCallCodeExecution extends CodeExecution::Range {
     this.asExpr().getExpr() = methodCall and methodCall.getMethodName() = "class_eval"
   }
 
-  override DataFlow::Node getCode() { result.asExpr().getExpr() = methodCall.getAnArgument() }
+  override DataFlow::Node getCode() { result.asExpr().getExpr() = methodCall.getArgument(0) }
 }
 
 /**
- * A call to `Module#module_eval`, which executes its argument as Ruby code.
+ * A call to `Module#module_eval`, which executes its first argument as Ruby code.
  */
 class ModuleEvalCallCodeExecution extends CodeExecution::Range {
   UnknownMethodCall methodCall;
@@ -348,5 +348,5 @@ class ModuleEvalCallCodeExecution extends CodeExecution::Range {
     this.asExpr().getExpr() = methodCall and methodCall.getMethodName() = "module_eval"
   }
 
-  override DataFlow::Node getCode() { result.asExpr().getExpr() = methodCall.getAnArgument() }
+  override DataFlow::Node getCode() { result.asExpr().getExpr() = methodCall.getArgument(0) }
 }

ql/test/library-tests/frameworks/Eval.rb

@@ -1,10 +1,10 @@
 # Uses of eval and send
 
-eval("raise \"error\"")
+eval("raise \"error\"", binding, "file", 1)
 send("raise", "error")
 
 a = []
-a.send("raise", "error")
+a.send("push", "1")
 
 class Foo
   def eval(x)
@@ -21,3 +21,6 @@ def run
 end
 
 Foo.new.send("exit", 1)
+Foo.new.instance_eval("self.class", "file.rb", 3)
+Foo.class_eval("def foo; 1; end", "file.rb", 1)
+Foo.module_eval("def bar; 1; end", "other_file.rb", 2)

ql/test/library-tests/frameworks/StandardLibrary.expected

@@ -59,7 +59,13 @@ open3PipelineCallExecutions
 | CommandExecution.rb:64:1:64:44 | call to pipeline_start |
 | CommandExecution.rb:65:1:65:38 | call to pipeline |
 evalCallCodeExecutions
-| Eval.rb:3:1:3:23 | call to eval |
+| Eval.rb:3:1:3:43 | call to eval | Eval.rb:3:6:3:22 | "raise \\"error\\"" |
 sendCallCodeExecutions
-| Eval.rb:4:1:4:22 | call to send |
-| Eval.rb:7:1:7:24 | call to send |
+| Eval.rb:4:1:4:22 | call to send | Eval.rb:4:6:4:12 | "raise" |
+| Eval.rb:7:1:7:19 | call to send | Eval.rb:7:8:7:13 | "push" |
+instanceEvalCallCodeExecutions
+| Eval.rb:24:1:24:49 | call to instance_eval | Eval.rb:24:23:24:34 | "self.class" |
+classEvalCallCodeExecutions
+| Eval.rb:25:1:25:47 | call to class_eval | Eval.rb:25:16:25:32 | "def foo; 1; end" |
+moduleEvalCallCodeExecutions
+| Eval.rb:26:1:26:54 | call to module_eval | Eval.rb:26:17:26:33 | "def bar; 1; end" |

ql/test/library-tests/frameworks/StandardLibrary.ql

@@ -1,4 +1,5 @@
 import codeql.ruby.frameworks.StandardLibrary
+import codeql.ruby.DataFlow
 
 query predicate subshellLiteralExecutions(SubshellLiteralExecution e) { any() }
 
@@ -14,6 +15,18 @@ query predicate open3CallExecutions(Open3Call c) { any() }
 
 query predicate open3PipelineCallExecutions(Open3PipelineCall c) { any() }
 
-query predicate evalCallCodeExecutions(EvalCallCodeExecution e) { any() }
+query DataFlow::Node evalCallCodeExecutions(EvalCallCodeExecution e) { result = e.getCode() }
 
-query predicate sendCallCodeExecutions(SendCallCodeExecution e) { any() }
+query DataFlow::Node sendCallCodeExecutions(SendCallCodeExecution e) { result = e.getCode() }
+
+query DataFlow::Node instanceEvalCallCodeExecutions(InstanceEvalCallCodeExecution e) {
+  result = e.getCode()
+}
+
+query DataFlow::Node classEvalCallCodeExecutions(ClassEvalCallCodeExecution e) {
+  result = e.getCode()
+}
+
+query DataFlow::Node moduleEvalCallCodeExecutions(ModuleEvalCallCodeExecution e) {
+  result = e.getCode()
+}

ql/test/query-tests/security/cwe-094/CodeInjection.expected

@@ -1,16 +1,16 @@
 edges
 | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:6:10:6:13 | code |
-| CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:15:20:15:23 | code |
-| CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:18:21:18:24 | code |
+| CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:18:20:18:23 | code |
+| CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:21:21:21:24 | code |
 nodes
 | CodeInjection.rb:3:12:3:17 | call to params :  | semmle.label | call to params :  |
 | CodeInjection.rb:6:10:6:13 | code | semmle.label | code |
 | CodeInjection.rb:9:10:9:15 | call to params | semmle.label | call to params |
-| CodeInjection.rb:15:20:15:23 | code | semmle.label | code |
-| CodeInjection.rb:18:21:18:24 | code | semmle.label | code |
+| CodeInjection.rb:18:20:18:23 | code | semmle.label | code |
+| CodeInjection.rb:21:21:21:24 | code | semmle.label | code |
 subpaths
 #select
 | CodeInjection.rb:6:10:6:13 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:6:10:6:13 | code | This code execution depends on $@. | CodeInjection.rb:3:12:3:17 | call to params | a user-provided value |
 | CodeInjection.rb:9:10:9:15 | call to params | CodeInjection.rb:9:10:9:15 | call to params | CodeInjection.rb:9:10:9:15 | call to params | This code execution depends on $@. | CodeInjection.rb:9:10:9:15 | call to params | a user-provided value |
-| CodeInjection.rb:15:20:15:23 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:15:20:15:23 | code | This code execution depends on $@. | CodeInjection.rb:3:12:3:17 | call to params | a user-provided value |
-| CodeInjection.rb:18:21:18:24 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:18:21:18:24 | code | This code execution depends on $@. | CodeInjection.rb:3:12:3:17 | call to params | a user-provided value |
+| CodeInjection.rb:18:20:18:23 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:18:20:18:23 | code | This code execution depends on $@. | CodeInjection.rb:3:12:3:17 | call to params | a user-provided value |
+| CodeInjection.rb:21:21:21:24 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:21:21:21:24 | code | This code execution depends on $@. | CodeInjection.rb:3:12:3:17 | call to params | a user-provided value |

ql/test/query-tests/security/cwe-094/CodeInjection.rb

@@ -8,6 +8,9 @@ def create
     # BAD
     eval(params)
 
+    # GOOD - user input is in second argument, which is not evaluated as Ruby code
+    send(:sanitize, params[:code])
+
     # GOOD
     Foo.new.bar(code)
 
@@ -25,6 +28,12 @@ def update
     # GOOD
     eval("foo")
   end
+
+  private
+
+  def sanitize(code)
+    true
+  end
 end
 
 class Foo