Add qhelp

joefarebrother · joefarebrother · commit a8aac318d08e · 2024-03-22T14:04:52.000Z
diff --git a/ruby/ql/src/queries/security/cwe-915/MassAssignment.qhelp b/ruby/ql/src/queries/security/cwe-915/MassAssignment.qhelp
@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+	<overview>
+		<p>
+			Operations that allow for mass assignment (setting multiple attributes of an object using a hash), such as <code>ActiveRecord::Base.new</code>, should take care not to 
+            allow arbitrary parameters to be set by the user. Otherwise, unintended attributes may be set, such as an <code>isAdmin</code> feild for a <code>User</code> object.
+		</p>
+	</overview>
+	<recommendation>
+		<p>
+			When using a mass assignment operation from user supplied parameters, use <code>ActionController::Parameters#permit</code> to restrict the possible parameters
+            a user can supply, rather than <code>ActionController::Parameters#permit!</code>, which permits arbitrary parameters to be used for mass assignment.
+		</p>
+	</recommendation>
+	<example>
+		<p>
+			 In the following example, <code>permit!</code> is used which allows arbitrary parameters to be supplied by the user.
+		</p>
+		<sample src="examples/MassAssignmentBad.rb" />
+		<p>
+			
+		</p>
+		<p>
+            In the following example, only specific parameters are permitted, so the mass assignment is safe.
+		</p>
+		<sample src="examples/MassAssignmentGood.rb" />
+	</example>
+
+	<references>
+		
+	</references>
+</qhelp>
diff --git a/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql b/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql
@@ -1,6 +1,6 @@
 /**
  * @name Insecure Mass Assignment
- * @description Using mass assignment with user-controlled keys allows unintended parameters to be set.
+ * @description Using mass assignment with user-controlled attributes allows unintended parameters to be set.
  * @kind path-problem
  * @problem.severity error
  * @security-severity 7.5
@@ -15,4 +15,6 @@ import MassAssignmentFlow::PathGraph
 
 from MassAssignmentFlow::PathNode source, MassAssignmentFlow::PathNode sink
 where MassAssignmentFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "mass assignment"
+select sink.getNode(), source, sink,
+  "This mass assignment operation can assign user-controlled attributes from $@.", source.getNode(),
+  "this remote flow source"
diff --git a/ruby/ql/src/queries/security/cwe-915/examples/MassAssignmentBad.rb b/ruby/ql/src/queries/security/cwe-915/examples/MassAssignmentBad.rb
@@ -0,0 +1,10 @@
+class UserController < ActionController::Base
+    def create
+        # BAD: arbitrary params are permitted to be used for this assignment
+        User.new(user_params).save!
+    end
+
+    def user_params
+        params.require(:user).permit!
+    end
+end
diff --git a/ruby/ql/src/queries/security/cwe-915/examples/MassAssignmentGood.rb b/ruby/ql/src/queries/security/cwe-915/examples/MassAssignmentGood.rb
@@ -0,0 +1,10 @@
+class UserController < ActionController::Base
+    def create
+        # GOOD: the permitted parameters are explicitly specified
+        User.new(user_params).save!
+    end
+
+    def user_params
+        params.require(:user).permit(:name, :email)
+    end
+end
