Merge pull request #307 from github/hmac-outgoing-http-2

Model some more HTTP clients

Author: hmac

ql/lib/codeql/ruby/frameworks/HTTPClients.qll

@@ -3,3 +3,6 @@
  */
 
 private import codeql.ruby.frameworks.http_clients.NetHTTP
+private import codeql.ruby.frameworks.http_clients.Excon
+private import codeql.ruby.frameworks.http_clients.Faraday
+private import codeql.ruby.frameworks.http_clients.RestClient

ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll

@@ -0,0 +1,46 @@
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+
+/**
+ * A call that makes an HTTP request using `Excon`.
+ * ```ruby
+ * # one-off request
+ * Excon.get("http://example.com").body
+ *
+ * # connection re-use
+ * connection = Excon.new("http://example.com")
+ * connection.get(path: "/").body
+ * connection.request(method: :get, path: "/")
+ * ```
+ *
+ * TODO: pipelining, streaming responses
+ * https://github.com/excon/excon/blob/master/README.md
+ */
+class ExconHTTPRequest extends HTTP::Client::Request::Range {
+  DataFlow::Node request;
+  DataFlow::CallNode responseBody;
+
+  ExconHTTPRequest() {
+    exists(API::Node requestNode | request = requestNode.getAnImmediateUse() |
+      requestNode =
+        [
+          // one-off requests
+          API::getTopLevelMember("Excon"),
+          // connection re-use
+          API::getTopLevelMember("Excon").getInstance()
+        ]
+            .getReturn([
+                // Excon#request exists but Excon.request doesn't.
+                // This shouldn't be a problem - in real code the latter would raise NoMethodError anyway.
+                "get", "head", "delete", "options", "post", "put", "patch", "trace", "request"
+              ]) and
+      responseBody = requestNode.getAMethodCall("body") and
+      this = request.asExpr().getExpr()
+    )
+  }
+
+  override DataFlow::Node getResponseBody() { result = responseBody }
+
+  override string getFramework() { result = "Excon" }
+}

ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll

@@ -0,0 +1,38 @@
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+
+/**
+ * A call that makes an HTTP request using `Faraday`.
+ * ```ruby
+ * # one-off request
+ * Faraday.get("http://example.com").body
+ *
+ * # connection re-use
+ * connection = Faraday.new("http://example.com")
+ * connection.get("/").body
+ * ```
+ */
+class FaradayHTTPRequest extends HTTP::Client::Request::Range {
+  DataFlow::Node request;
+  DataFlow::CallNode responseBody;
+
+  FaradayHTTPRequest() {
+    exists(API::Node requestNode |
+      requestNode =
+        [
+          // one-off requests
+          API::getTopLevelMember("Faraday"),
+          // connection re-use
+          API::getTopLevelMember("Faraday").getInstance()
+        ].getReturn(["get", "head", "delete", "post", "put", "patch", "trace"]) and
+      responseBody = requestNode.getAMethodCall("body") and
+      request = requestNode.getAnImmediateUse() and
+      this = request.asExpr().getExpr()
+    )
+  }
+
+  override DataFlow::Node getResponseBody() { result = responseBody }
+
+  override string getFramework() { result = "Faraday" }
+}

ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll

@@ -0,0 +1,29 @@
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+
+/**
+ * A call that makes an HTTP request using `RestClient`.
+ * ```ruby
+ * RestClient.get("http://example.com").body
+ * ```
+ */
+class RestClientHTTPRequest extends HTTP::Client::Request::Range {
+  DataFlow::Node request;
+  DataFlow::CallNode responseBody;
+
+  RestClientHTTPRequest() {
+    exists(API::Node requestNode |
+      requestNode =
+        API::getTopLevelMember("RestClient")
+            .getReturn(["get", "head", "delete", "options", "post", "put", "patch"]) and
+      request = requestNode.getAnImmediateUse() and
+      responseBody = requestNode.getAMethodCall("body") and
+      this = request.asExpr().getExpr()
+    )
+  }
+
+  override DataFlow::Node getResponseBody() { result = responseBody }
+
+  override string getFramework() { result = "RestClient" }
+}

ql/test/library-tests/frameworks/http_clients/Excon.expected

@@ -0,0 +1,10 @@
+| Excon.rb:3:9:3:40 | call to get | Excon.rb:4:1:4:10 | call to body |
+| Excon.rb:6:9:6:60 | call to post | Excon.rb:7:1:7:10 | call to body |
+| Excon.rb:9:9:9:59 | call to put | Excon.rb:10:1:10:10 | call to body |
+| Excon.rb:12:9:12:61 | call to patch | Excon.rb:13:1:13:10 | call to body |
+| Excon.rb:15:9:15:43 | call to delete | Excon.rb:16:1:16:10 | call to body |
+| Excon.rb:18:9:18:41 | call to head | Excon.rb:19:1:19:10 | call to body |
+| Excon.rb:21:9:21:44 | call to options | Excon.rb:22:1:22:10 | call to body |
+| Excon.rb:24:9:24:42 | call to trace | Excon.rb:25:1:25:10 | call to body |
+| Excon.rb:28:9:28:33 | call to get | Excon.rb:29:1:29:10 | call to body |
+| Excon.rb:31:10:31:38 | call to post | Excon.rb:32:1:32:11 | call to body |

ql/test/library-tests/frameworks/http_clients/Excon.ql

@@ -0,0 +1,4 @@
+import codeql.ruby.frameworks.http_clients.Excon
+import codeql.ruby.DataFlow
+
+query DataFlow::Node exconHTTPRequests(ExconHTTPRequest e) { result = e.getResponseBody() }

ql/test/library-tests/frameworks/http_clients/Excon.rb

@@ -0,0 +1,32 @@
+require "excon"
+
+resp1 = Excon.get("http://example.com/")
+resp1.body
+
+resp2 = Excon.post("http://example.com/", body: "some_data")
+resp2.body
+
+resp3 = Excon.put("http://example.com/", body: "some_data")
+resp3.body
+
+resp4 = Excon.patch("http://example.com/", body: "some_data")
+resp4.body
+
+resp5 = Excon.delete("http://example.com/")
+resp5.body
+
+resp6 = Excon.head("http://example.com/")
+resp6.body
+
+resp7 = Excon.options("http://example.com/")
+resp7.body
+
+resp8 = Excon.trace("http://example.com/")
+resp8.body
+
+connection = Excon.new("http://example.com")
+resp9 = connection.get(path: "/")
+resp9.body
+
+resp10 = connection.post(path: "/foo")
+resp10.body

ql/test/library-tests/frameworks/http_clients/Faraday.expected

@@ -0,0 +1,9 @@
+| Faraday.rb:3:9:3:42 | call to get | Faraday.rb:4:1:4:10 | call to body |
+| Faraday.rb:6:9:6:62 | call to post | Faraday.rb:7:1:7:10 | call to body |
+| Faraday.rb:9:9:9:61 | call to put | Faraday.rb:10:1:10:10 | call to body |
+| Faraday.rb:12:9:12:63 | call to patch | Faraday.rb:13:1:13:10 | call to body |
+| Faraday.rb:15:9:15:45 | call to delete | Faraday.rb:16:1:16:10 | call to body |
+| Faraday.rb:18:9:18:43 | call to head | Faraday.rb:19:1:19:10 | call to body |
+| Faraday.rb:24:9:24:44 | call to trace | Faraday.rb:25:1:25:10 | call to body |
+| Faraday.rb:28:9:28:27 | call to get | Faraday.rb:29:1:29:10 | call to body |
+| Faraday.rb:31:10:31:46 | call to post | Faraday.rb:32:1:32:11 | call to body |

ql/test/library-tests/frameworks/http_clients/Faraday.ql

@@ -0,0 +1,4 @@
+import codeql.ruby.frameworks.http_clients.Faraday
+import codeql.ruby.DataFlow
+
+query DataFlow::Node faradayHTTPRequests(FaradayHTTPRequest e) { result = e.getResponseBody() }

ql/test/library-tests/frameworks/http_clients/Faraday.rb

@@ -0,0 +1,32 @@
+require "faraday"
+
+resp1 = Faraday.get("http://example.com/")
+resp1.body
+
+resp2 = Faraday.post("http://example.com/", body: "some_data")
+resp2.body
+
+resp3 = Faraday.put("http://example.com/", body: "some_data")
+resp3.body
+
+resp4 = Faraday.patch("http://example.com/", body: "some_data")
+resp4.body
+
+resp5 = Faraday.delete("http://example.com/")
+resp5.body
+
+resp6 = Faraday.head("http://example.com/")
+resp6.body
+
+resp7 = Faraday.options("http://example.com/")
+resp7.body
+
+resp8 = Faraday.trace("http://example.com/")
+resp8.body
+
+connection = Faraday.new("http://example.com")
+resp9 = connection.get("/")
+resp9.body
+
+resp10 = connection.post("/foo", some: "data")
+resp10.body