Add test for rb/unsafe-deserialization

Author: nickrolfe

ql/test/query-tests/security/cwe-502/UnsafeDeserialization.expected

@@ -0,0 +1,23 @@
+edges
+| UnsafeDeserialization.rb:8:39:8:44 | call to params :  | UnsafeDeserialization.rb:9:27:9:41 | serialized_data |
+| UnsafeDeserialization.rb:14:39:14:44 | call to params :  | UnsafeDeserialization.rb:15:30:15:44 | serialized_data |
+| UnsafeDeserialization.rb:20:17:20:22 | call to params :  | UnsafeDeserialization.rb:21:24:21:32 | json_data |
+| UnsafeDeserialization.rb:26:17:26:22 | call to params :  | UnsafeDeserialization.rb:27:27:27:35 | json_data |
+| UnsafeDeserialization.rb:38:17:38:22 | call to params :  | UnsafeDeserialization.rb:39:24:39:32 | yaml_data |
+nodes
+| UnsafeDeserialization.rb:8:39:8:44 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:9:27:9:41 | serialized_data | semmle.label | serialized_data |
+| UnsafeDeserialization.rb:14:39:14:44 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:15:30:15:44 | serialized_data | semmle.label | serialized_data |
+| UnsafeDeserialization.rb:20:17:20:22 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:21:24:21:32 | json_data | semmle.label | json_data |
+| UnsafeDeserialization.rb:26:17:26:22 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:27:27:27:35 | json_data | semmle.label | json_data |
+| UnsafeDeserialization.rb:38:17:38:22 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:39:24:39:32 | yaml_data | semmle.label | yaml_data |
+#select
+| UnsafeDeserialization.rb:9:27:9:41 | serialized_data | UnsafeDeserialization.rb:8:39:8:44 | call to params :  | UnsafeDeserialization.rb:9:27:9:41 | serialized_data | Unsafe deserialization of $@. | UnsafeDeserialization.rb:8:39:8:44 | call to params | user input |
+| UnsafeDeserialization.rb:15:30:15:44 | serialized_data | UnsafeDeserialization.rb:14:39:14:44 | call to params :  | UnsafeDeserialization.rb:15:30:15:44 | serialized_data | Unsafe deserialization of $@. | UnsafeDeserialization.rb:14:39:14:44 | call to params | user input |
+| UnsafeDeserialization.rb:21:24:21:32 | json_data | UnsafeDeserialization.rb:20:17:20:22 | call to params :  | UnsafeDeserialization.rb:21:24:21:32 | json_data | Unsafe deserialization of $@. | UnsafeDeserialization.rb:20:17:20:22 | call to params | user input |
+| UnsafeDeserialization.rb:27:27:27:35 | json_data | UnsafeDeserialization.rb:26:17:26:22 | call to params :  | UnsafeDeserialization.rb:27:27:27:35 | json_data | Unsafe deserialization of $@. | UnsafeDeserialization.rb:26:17:26:22 | call to params | user input |
+| UnsafeDeserialization.rb:39:24:39:32 | yaml_data | UnsafeDeserialization.rb:38:17:38:22 | call to params :  | UnsafeDeserialization.rb:39:24:39:32 | yaml_data | Unsafe deserialization of $@. | UnsafeDeserialization.rb:38:17:38:22 | call to params | user input |

ql/test/query-tests/security/cwe-502/UnsafeDeserialization.qlref

@@ -0,0 +1 @@
+queries/security/cwe-502/UnsafeDeserialization.ql

ql/test/query-tests/security/cwe-502/UnsafeDeserialization.rb

@@ -0,0 +1,41 @@
+require "base64"
+require "json"
+require "yaml"
+
+class UsersController < ActionController::Base
+  # BAD
+  def route0
+    serialized_data = Base64.decode64 params[:key]
+    object = Marshal.load serialized_data
+  end
+
+  # BAD
+  def route1
+    serialized_data = Base64.decode64 params[:key]
+    object = Marshal.restore serialized_data
+  end
+
+  # BAD
+  def route2
+    json_data = params[:key]
+    object = JSON.load json_data
+  end
+
+  # BAD
+  def route3
+    json_data = params[:key]
+    object = JSON.restore json_data
+  end
+
+  # GOOD - JSON.parse is safe to use on untrusted data
+  def route4
+    json_data = params[:key]
+    object = JSON.parse json_data
+  end
+
+  # BAD
+  def route5
+    yaml_data = params[:key]
+    object = YAML.load yaml_data
+  end
+end