
Commit 9b9fc18

committed
Add taint step for Base64.decode64
1 parent adceb0a commit 9b9fc18


2 files changed

+25
-0
lines changed


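--- a/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
+++ b/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
@@ -25,6 +25,13 @@ module UnsafeDeserialization {
 */
 abstract class Sanitizer extends DataFlow::Node { }
 
+/**
+* Additional taint steps for "unsafe deserialization" vulnerabilities.
+*/
+predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+base64DecodeTaintStep(fromNode, toNode)
+}
+
 /** A source of remote user input, considered as a flow source for unsafe deserialization. */
 class RemoteFlowSourceAsSource extends Source {
 RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
@@ -59,4 +66,18 @@ module UnsafeDeserialization {
 this = API::getTopLevelMember("JSON").getAMethodCall(["load", "restore"]).getArgument(0)
 }
 }
+
+/**
+* `Base64.decode64` propagates taint from its argument to its return value.
+*/
+predicate base64DecodeTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+exists(DataFlow::CallNode callNode |
+callNode =
+API::getTopLevelMember("Base64")
+.getAMethodCall(["decode64", "strict_decode64", "urlsafe_decode64"])
+|
+fromNode = callNode.getArgument(0) and
+toNode = callNode
+)
+}
 }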
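Review bot: The QLDoc on `base64DecodeTaintStep` names only `Base64.decode64`, but the `getAMethodCall` list in the predicate also matches `strict_decode64` and `urlsafe_decode64`, so the comment understates what the step covers; suggest `* Calls to `Base64.decode64`, `Base64.strict_decode64` and `Base64.urlsafe_decode64` propagate taint from their argument to their return value.` The step is keyed on `API::getTopLevelMember("Base64")`, so it appears to recognise only the qualified `Base64.xxx` form; if bare `decode64` calls after `include Base64` are meant to be covered as well, that is not addressed here and would be worth a short note either way. It would also help a later maintainer to say in the doc on `isAdditionalTaintStep` that this is the single hook the query configuration delegates to, so further decoding steps belong in this predicate rather than in the query file.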

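--- a/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
+++ b/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
@@ -27,4 +27,8 @@ class Configuration extends TaintTracking::Configuration {
 super.isSanitizer(node) or
 node instanceof UnsafeDeserialization::Sanitizer
 }
+
+override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+UnsafeDeserialization::isAdditionalTaintStep(fromNode, toNode)
+}
 }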
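Review bot: The new `isAdditionalTaintStep` override does not chain to the base class, whereas the `isSanitizer` override directly above it starts with `super.isSanitizer(node) or`; for consistency, and so that any steps `TaintTracking::Configuration` contributes by default are not silently dropped, the body should read `super.isAdditionalTaintStep(fromNode, toNode) or` followed by `UnsafeDeserialization::isAdditionalTaintStep(fromNode, toNode)`. Whether the base implementation currently contributes anything is not visible on this page, so this may be purely a style point today. The enclosing `Configuration` class begins outside the hunk.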
