add support for array pushes

erik-krogh · erik-krogh · commit 80c92dc3e65a · 2022-11-25T10:32:05.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll
@@ -30,4 +30,20 @@ class Configuration extends TaintTracking::Configuration {
   override DataFlow::FlowFeature getAFeature() {
     result instanceof DataFlow::FeatureHasSourceCallContext
   }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    // if an array element gets tainted, then we treat the entire array as tainted
+    exists(DataFlow::CallNode call |
+      call.getMethodName() = ["<<", "push", "append"] and
+      call.getReceiver() = succ and
+      pred = call.getArgument(0) and
+      call.getNumberOfArguments() = 1
+    )
+    or
+    exists(DataFlow::CallNode call |
+      call.getMethodName() = "[]" and
+      succ = call and
+      pred = call.getArgument(_)
+    )
+  }
 }
diff --git a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected
@@ -3,6 +3,9 @@ edges
 | impl/unsafeCode.rb:7:12:7:12 | x :  | impl/unsafeCode.rb:8:30:8:30 | x |
 | impl/unsafeCode.rb:12:12:12:12 | x :  | impl/unsafeCode.rb:13:33:13:33 | x |
 | impl/unsafeCode.rb:28:17:28:22 | my_arr :  | impl/unsafeCode.rb:29:10:29:15 | my_arr |
+| impl/unsafeCode.rb:32:21:32:21 | x :  | impl/unsafeCode.rb:34:10:34:12 | arr |
+| impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:40:10:40:12 | arr |
+| impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:44:10:44:12 | arr |
 nodes
 | impl/unsafeCode.rb:2:12:2:17 | target :  | semmle.label | target :  |
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | semmle.label | #{...} |
@@ -12,9 +15,17 @@ nodes
 | impl/unsafeCode.rb:13:33:13:33 | x | semmle.label | x |
 | impl/unsafeCode.rb:28:17:28:22 | my_arr :  | semmle.label | my_arr :  |
 | impl/unsafeCode.rb:29:10:29:15 | my_arr | semmle.label | my_arr |
+| impl/unsafeCode.rb:32:21:32:21 | x :  | semmle.label | x :  |
+| impl/unsafeCode.rb:34:10:34:12 | arr | semmle.label | arr |
+| impl/unsafeCode.rb:37:15:37:15 | x :  | semmle.label | x :  |
+| impl/unsafeCode.rb:40:10:40:12 | arr | semmle.label | arr |
+| impl/unsafeCode.rb:44:10:44:12 | arr | semmle.label | arr |
 subpaths
 #select
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | impl/unsafeCode.rb:2:12:2:17 | target :  | impl/unsafeCode.rb:3:17:3:25 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:2:12:2:17 | target | library input | impl/unsafeCode.rb:3:5:3:27 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:8:30:8:30 | x | impl/unsafeCode.rb:7:12:7:12 | x :  | impl/unsafeCode.rb:8:30:8:30 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:7:12:7:12 | x | library input | impl/unsafeCode.rb:8:5:8:32 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:13:33:13:33 | x | impl/unsafeCode.rb:12:12:12:12 | x :  | impl/unsafeCode.rb:13:33:13:33 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:12:12:12:12 | x | library input | impl/unsafeCode.rb:13:5:13:35 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:29:10:29:15 | my_arr | impl/unsafeCode.rb:28:17:28:22 | my_arr :  | impl/unsafeCode.rb:29:10:29:15 | my_arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:28:17:28:22 | my_arr | library input | impl/unsafeCode.rb:29:5:29:27 | call to eval | interpreted as code |
+| impl/unsafeCode.rb:34:10:34:12 | arr | impl/unsafeCode.rb:32:21:32:21 | x :  | impl/unsafeCode.rb:34:10:34:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:32:21:32:21 | x | library input | impl/unsafeCode.rb:34:5:34:24 | call to eval | interpreted as code |
+| impl/unsafeCode.rb:40:10:40:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:40:10:40:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:40:5:40:24 | call to eval | interpreted as code |
+| impl/unsafeCode.rb:44:10:44:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:44:10:44:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:44:5:44:24 | call to eval | interpreted as code |
diff --git a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb
@@ -29,6 +29,18 @@ def joinStuff(my_arr)
     eval(my_arr.join("\n")) # NOT OK
   end
 
-  # TODO: [x, y].join("\n") is not yet supported
-  # TODO: list << element. 
+  def joinWithElemt(x) 
+    arr = [x, "foobar"]
+    eval(arr.join("\n")) # NOT OK
+  end
+
+  def pushArr(x, y)
+    arr = []
+    arr.push(x)
+    eval(arr.join("\n")) # NOT OK
+
+    arr2 = []
+    arr2 << y
+    eval(arr.join("\n")) # NOT OK
+  end
 end
