Merge pull request #306 from github/hmac-outgoing-http

Model outgoing HTTP requests as remote flow sources

Author: hmac

ql/lib/codeql/ruby/Concepts.qll

@@ -404,6 +404,49 @@ module HTTP {
       }
     }
   }
+
+  /** Provides classes for modeling HTTP clients. */
+  module Client {
+    /**
+     * A method call that makes an outgoing HTTP request.
+     *
+     * Extend this class to refine existing API models. If you want to model new APIs,
+     * extend `Request::Range` instead.
+     */
+    class Request extends MethodCall instanceof Request::Range {
+      /** Gets a node which returns the body of the response */
+      DataFlow::Node getResponseBody() { result = super.getResponseBody() }
+
+      /** Gets a string that identifies the framework used for this request. */
+      string getFramework() { result = super.getFramework() }
+    }
+
+    /** Provides a class for modeling new HTTP requests. */
+    module Request {
+      /**
+       * A method call that makes an outgoing HTTP request.
+       *
+       * Extend this class to model new APIs. If you want to refine existing API models,
+       * extend `Request` instead.
+       */
+      abstract class Range extends MethodCall {
+        /** Gets a node which returns the body of the response */
+        abstract DataFlow::Node getResponseBody();
+
+        /** Gets a string that identifies the framework used for this request. */
+        abstract string getFramework();
+      }
+    }
+
+    /** The response body from an outgoing HTTP request, considered as a remote flow source */
+    private class RequestResponseBody extends RemoteFlowSource::Range, DataFlow::Node {
+      Request request;
+
+      RequestResponseBody() { this = request.getResponseBody() }
+
+      override string getSourceType() { result = request.getFramework() }
+    }
+  }
 }
 
 /**

ql/lib/codeql/ruby/Frameworks.qll

@@ -7,3 +7,4 @@ private import codeql.ruby.frameworks.ActiveRecord
 private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.StandardLibrary
 private import codeql.ruby.frameworks.Files
+private import codeql.ruby.frameworks.HTTPClients

ql/lib/codeql/ruby/frameworks/HTTPClients.qll

@@ -0,0 +1,5 @@
+/**
+ * Helper file that imports all HTTP clients.
+ */
+
+private import codeql.ruby.frameworks.http_clients.NetHTTP

ql/lib/codeql/ruby/frameworks/http_clients/NetHTTP.qll

@@ -0,0 +1,54 @@
+private import codeql.ruby.AST
+private import codeql.ruby.Concepts
+private import codeql.ruby.dataflow.RemoteFlowSources
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.internal.DataFlowPublic
+
+/**
+ * A `Net::HTTP` call which initiates an HTTP request.
+ * ```ruby
+ * Net::HTTP.get("http://example.com/")
+ * Net::HTTP.post("http://example.com/", "some_data")
+ * req = Net::HTTP.new("example.com")
+ * response = req.get("/")
+ * ```
+ */
+class NetHTTPRequest extends HTTP::Client::Request::Range {
+  private DataFlow::CallNode request;
+  private DataFlow::Node responseBody;
+
+  NetHTTPRequest() {
+    exists(API::Node requestNode, string method |
+      request = requestNode.getAnImmediateUse() and
+      this = request.asExpr().getExpr()
+    |
+      // Net::HTTP.get(...)
+      method = "get" and
+      requestNode = API::getTopLevelMember("Net").getMember("HTTP").getReturn(method) and
+      responseBody = request
+      or
+      // Net::HTTP.post(...).body
+      method in ["post", "post_form"] and
+      requestNode = API::getTopLevelMember("Net").getMember("HTTP").getReturn(method) and
+      responseBody = requestNode.getAMethodCall(["body", "read_body", "entity"])
+      or
+      // Net::HTTP.new(..).get(..).body
+      method in [
+          "get", "get2", "request_get", "head", "head2", "request_head", "delete", "put", "patch",
+          "post", "post2", "request_post", "request"
+        ] and
+      requestNode = API::getTopLevelMember("Net").getMember("HTTP").getInstance().getReturn(method) and
+      responseBody = requestNode.getAMethodCall(["body", "read_body", "entity"])
+    )
+  }
+
+  /**
+   * Gets the node representing the URL of the request.
+   * Currently unused, but may be useful in future, e.g. to filter out certain requests.
+   */
+  DataFlow::Node getURLArgument() { result = request.getArgument(0) }
+
+  override DataFlow::Node getResponseBody() { result = responseBody }
+
+  override string getFramework() { result = "Net::HTTP" }
+}

ql/test/library-tests/frameworks/http_clients/NetHTTP.expected

@@ -0,0 +1,8 @@
+| NetHTTP.rb:4:1:4:18 | call to get | NetHTTP.rb:4:1:4:18 | call to get |
+| NetHTTP.rb:6:8:6:50 | call to post | NetHTTP.rb:7:1:7:9 | call to body |
+| NetHTTP.rb:6:8:6:50 | call to post | NetHTTP.rb:8:1:8:14 | call to read_body |
+| NetHTTP.rb:6:8:6:50 | call to post | NetHTTP.rb:9:1:9:11 | call to entity |
+| NetHTTP.rb:13:6:13:17 | call to get | NetHTTP.rb:18:1:18:7 | call to body |
+| NetHTTP.rb:14:6:14:18 | call to post | NetHTTP.rb:19:1:19:12 | call to read_body |
+| NetHTTP.rb:15:6:15:17 | call to put | NetHTTP.rb:20:1:20:9 | call to entity |
+| NetHTTP.rb:24:3:24:33 | call to get | NetHTTP.rb:27:1:27:28 | call to body |

ql/test/library-tests/frameworks/http_clients/NetHTTP.ql

@@ -0,0 +1,4 @@
+import codeql.ruby.frameworks.http_clients.NetHTTP
+import codeql.ruby.DataFlow
+
+query DataFlow::Node netHTTPRequests(NetHTTPRequest e) { result = e.getResponseBody() }

ql/test/library-tests/frameworks/http_clients/NetHTTP.rb

@@ -0,0 +1,27 @@
+require "net/http"
+
+uri = URI.parse("https://example.com")
+Net::HTTP.get(uri)
+
+resp = Net::HTTP.post(URI.parse(uri), "some_body")
+resp.body
+resp.read_body
+resp.entity
+
+req = Net::HTTP.new("https://example.com")
+
+r1 = req.get("/")
+r2 = req.post("/")
+r3 = req.put("/")
+r4 = req.patch("/")
+
+r1.body
+r2.read_body
+r3.entity
+r4.foo
+
+def get(domain, path)
+  Net::HTTP.new(domain).get(path)
+end
+
+get("example.com", "/").body