Merge pull request #10680 from erik-krogh/unsafeRbCmd

RB: add an unsafe-shell-command-construction query

Author: erik-krogh

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll

@@ -147,6 +147,9 @@ class ExprNode extends Node, TExprNode {
 class ParameterNode extends Node, TParameterNode instanceof ParameterNodeImpl {
   /** Gets the parameter corresponding to this node, if any. */
   final Parameter getParameter() { result = super.getParameter() }
+
+  /** Gets the name of the parameter, if any. */
+  final string getName() { result = this.getParameter().(NamedParameter).getName() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/frameworks/Core.qll

@@ -7,6 +7,7 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.FlowSummary
 import core.BasicObject::BasicObject
 import core.Object::Object
+import core.Gem::Gem
 import core.Kernel::Kernel
 import core.Module
 import core.Array

ruby/ql/lib/codeql/ruby/frameworks/core/Gem.qll

@@ -0,0 +1,102 @@
+/**
+ * Provides modeling for the `Gem` module and `.gemspec` files.
+ */
+
+private import ruby
+private import Ast
+private import codeql.ruby.ApiGraphs
+
+/** Provides modeling for the `Gem` module and `.gemspec` files. */
+module Gem {
+  /**
+   * A .gemspec file that lists properties of a Ruby gem.
+   * The contents of a .gemspec file generally look like:
+   * ```Ruby
+   * Gem::Specification.new do |s|
+   *   s.name = 'library-name'
+   *   s.require_path = "lib"
+   *   # more properties
+   * end
+   * ```
+   */
+  class GemSpec instanceof File {
+    API::Node specCall;
+
+    GemSpec() {
+      this.getExtension() = "gemspec" and
+      specCall = API::root().getMember("Gem").getMember("Specification").getMethod("new") and
+      specCall.getLocation().getFile() = this
+    }
+
+    /** Gets the name of this .gemspec file. */
+    string toString() { result = File.super.getBaseName() }
+
+    /**
+     * Gets a value of the `name` property of this .gemspec file.
+     * These properties are set using the `Gem::Specification.new` method.
+     */
+    private Expr getSpecProperty(string name) {
+      exists(Expr rhs |
+        rhs =
+          specCall
+              .getBlock()
+              .getParameter(0)
+              .getMethod(name + "=")
+              .getParameter(0)
+              .asSink()
+              .asExpr()
+              .getExpr()
+              .(Ast::AssignExpr)
+              .getRightOperand()
+      |
+        result = rhs
+        or
+        // some properties are arrays, we just unfold them
+        result = rhs.(ArrayLiteral).getAnElement()
+      )
+    }
+
+    /** Gets the name of the gem */
+    string getName() { result = getSpecProperty("name").getConstantValue().getString() }
+
+    /** Gets a path that is loaded when the gem is required */
+    private string getARequirePath() {
+      result = getSpecProperty(["require_paths", "require_path"]).getConstantValue().getString()
+      or
+      not exists(getSpecProperty(["require_paths", "require_path"]).getConstantValue().getString()) and
+      result = "lib" // the default is "lib"
+    }
+
+    /** Gets a file that could be loaded when the gem is required. */
+    private File getAPossiblyRequiredFile() {
+      result = File.super.getParentContainer().getFolder(getARequirePath()).getAChildContainer*()
+    }
+
+    /** Gets a class/module that is exported by this gem. */
+    private ModuleBase getAPublicModule() {
+      result.(Toplevel).getLocation().getFile() = getAPossiblyRequiredFile()
+      or
+      result = getAPublicModule().getAModule()
+      or
+      result = getAPublicModule().getAClass()
+      or
+      result = getAPublicModule().getStmt(_).(SingletonClass)
+    }
+
+    /** Gets a parameter from an exported method, which is an input to this gem. */
+    DataFlow::ParameterNode getAnInputParameter() {
+      exists(MethodBase method | method = getAPublicModule().getAMethod() |
+        result.getParameter() = method.getAParameter() and
+        method.isPublic()
+      )
+    }
+  }
+
+  /** Gets a parameter that is an input to a named gem. */
+  DataFlow::ParameterNode getALibraryInput() {
+    exists(GemSpec spec |
+      exists(spec.getName()) and // we only consider `.gemspec` files that have a name
+      result = spec.getAnInputParameter()
+    )
+  }
+}

ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll

@@ -49,6 +49,9 @@ module CommandInjection {
   class ShellwordsEscapeAsSanitizer extends Sanitizer {
     ShellwordsEscapeAsSanitizer() {
       this = API::getTopLevelMember("Shellwords").getAMethodCall(["escape", "shellescape"])
+      or
+      // The method is also added as `String#shellescape`.
+      this.(DataFlow::CallNode).getMethodName() = "shellescape"
     }
   }
 }

ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionCustomizations.qll

@@ -0,0 +1,105 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * shell command constructed from library input vulnerabilities, as
+ * well as extension points for adding your own.
+ */
+
+private import codeql.ruby.DataFlow
+private import codeql.ruby.DataFlow2
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.frameworks.core.Gem::Gem as Gem
+private import codeql.ruby.AST as Ast
+private import codeql.ruby.Concepts as Concepts
+
+/**
+ * Module containing sources, sinks, and sanitizers for shell command constructed from library input.
+ */
+module UnsafeShellCommandConstruction {
+  /** A source for shell command constructed from library input vulnerabilities. */
+  abstract class Source extends DataFlow::Node { }
+
+  /** An input parameter to a gem seen as a source. */
+  private class LibraryInputAsSource extends Source instanceof DataFlow::ParameterNode {
+    LibraryInputAsSource() {
+      this = Gem::getALibraryInput() and
+      // we exclude arguments named `cmd` or similar, as they seem to execute commands on purpose
+      not exists(string name | name = super.getName() |
+        name = ["cmd", "command"]
+        or
+        name.regexpMatch(".*(Cmd|Command)$")
+      )
+    }
+  }
+
+  /** A sink for shell command constructed from library input vulnerabilities. */
+  abstract class Sink extends DataFlow::Node {
+    /** Gets a description of how the string in this sink was constructed. */
+    abstract string describe();
+
+    /** Gets the dataflow node where the string is constructed. */
+    DataFlow::Node getStringConstruction() { result = this }
+
+    /** Gets the dataflow node that executed the string as a shell command. */
+    abstract DataFlow::Node getCommandExecution();
+  }
+
+  /** Holds if the string constructed at `source` is executed at `shellExec` */
+  predicate isUsedAsShellCommand(DataFlow::Node source, Concepts::SystemCommandExecution shellExec) {
+    source = backtrackShellExec(TypeTracker::TypeBackTracker::end(), shellExec)
+  }
+
+  import codeql.ruby.typetracking.TypeTracker as TypeTracker
+
+  private DataFlow::LocalSourceNode backtrackShellExec(
+    TypeTracker::TypeBackTracker t, Concepts::SystemCommandExecution shellExec
+  ) {
+    t.start() and
+    result = any(DataFlow::Node n | shellExec.isShellInterpreted(n)).getALocalSource()
+    or
+    exists(TypeTracker::TypeBackTracker t2 |
+      result = backtrackShellExec(t2, shellExec).backtrack(t2, t)
+    )
+  }
+
+  /**
+   * A string constructed from a string-literal (e.g. `"foo #{sink}"`),
+   * where the resulting string ends up being executed as a shell command.
+   */
+  class StringInterpolationAsSink extends Sink {
+    Concepts::SystemCommandExecution s;
+    Ast::StringLiteral lit;
+
+    StringInterpolationAsSink() {
+      isUsedAsShellCommand(any(DataFlow::Node n | n.asExpr().getExpr() = lit), s) and
+      this.asExpr().getExpr() = lit.getComponent(_)
+    }
+
+    override string describe() { result = "string construction" }
+
+    override DataFlow::Node getCommandExecution() { result = s }
+
+    override DataFlow::Node getStringConstruction() { result.asExpr().getExpr() = lit }
+  }
+
+  import codeql.ruby.security.TaintedFormatStringSpecific as TaintedFormat
+
+  /**
+   * A string constructed from a printf-style call,
+   * where the resulting string ends up being executed as a shell command.
+   */
+  class TaintedFormatStringAsSink extends Sink {
+    Concepts::SystemCommandExecution s;
+    TaintedFormat::PrintfStyleCall call;
+
+    TaintedFormatStringAsSink() {
+      isUsedAsShellCommand(call, s) and
+      this = [call.getFormatArgument(_), call.getFormatString()]
+    }
+
+    override string describe() { result = "formatted string" }
+
+    override DataFlow::Node getCommandExecution() { result = s }
+
+    override DataFlow::Node getStringConstruction() { result = call }
+  }
+}

ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll

@@ -0,0 +1,35 @@
+/**
+ * Provides a taint tracking configuration for reasoning about shell command
+ * constructed from library input vulnerabilities
+ *
+ * Note, for performance reasons: only import this file if `Configuration` is needed,
+ * otherwise `UnsafeShellCommandConstructionCustomizations` should be imported instead.
+ */
+
+import codeql.ruby.DataFlow
+import UnsafeShellCommandConstructionCustomizations::UnsafeShellCommandConstruction
+private import codeql.ruby.TaintTracking
+private import CommandInjectionCustomizations::CommandInjection as CommandInjection
+private import codeql.ruby.dataflow.BarrierGuards
+
+/**
+ * A taint-tracking configuration for detecting shell command constructed from library input vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "UnsafeShellCommandConstruction" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node instanceof CommandInjection::Sanitizer or // using all sanitizers from `rb/command-injection`
+    node instanceof StringConstCompareBarrier or
+    node instanceof StringConstArrayInclusionCallBarrier
+  }
+
+  // override to require the path doesn't have unmatched return steps
+  override DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureHasSourceCallContext
+  }
+}

ruby/ql/src/change-notes/2022-10-10-unsafe-shell-command-construction.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `rb/shell-command-constructed-from-input`, to detect libraries that unsafely construct shell commands from their inputs.

ruby/ql/src/queries/security/cwe-078/UnsafeShellCommandConstruction.qhelp

@@ -0,0 +1,73 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+<overview>
+	<p>
+		Dynamically constructing a shell command with inputs from exported 
+		functions may inadvertently change the meaning of the shell command.
+		
+		Clients using the exported function may use inputs containing
+		characters that the shell interprets in a special way, for instance
+		quotes and spaces.
+
+		This can result in the shell command misbehaving, or even
+		allowing a malicious user to execute arbitrary commands on the system.
+	</p>
+
+
+</overview>
+<recommendation>
+
+	<p>
+		If possible, provide the dynamic arguments to the shell as an array 
+		to APIs such as <code>system(..)</code> to avoid interpretation by the shell.
+	</p>
+
+	<p>
+		Alternatively, if the shell command must be constructed
+		dynamically, then add code to ensure that special characters 
+		do not alter the shell command unexpectedly.
+	</p>
+
+</recommendation>
+<example>
+
+	<p>
+		The following example shows a dynamically constructed shell
+		command that downloads a file from a remote URL.
+	</p>
+
+	<sample src="examples/unsafe-shell-command-construction.rb" />
+
+	<p>
+		The shell command will, however, fail to work as intended if the
+		input contains spaces or other special characters interpreted in a 
+		special way by the shell. 
+	</p>
+
+	<p>
+		Even worse, a client might pass in user-controlled
+		data, not knowing that the input is interpreted as a shell command. 
+		This could allow a malicious user to provide the input <code>http://example.org; cat /etc/passwd</code>
+		in order to execute the command <code>cat /etc/passwd</code>.
+	</p>
+
+	<p>
+		To avoid such potentially catastrophic behaviors, provide the
+		input from exported functions as an argument that does not
+		get interpreted by a shell:
+	</p>
+
+	<sample src="examples/unsafe-shell-command-construction_fixed.rb" />
+
+</example>
+<references>
+
+	<li>
+		OWASP:
+		<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+	</li>
+
+</references>
+</qhelp>

ruby/ql/src/queries/security/cwe-078/UnsafeShellCommandConstruction.ql

@@ -0,0 +1,26 @@
+/**
+ * @name Unsafe shell command constructed from library input
+ * @description Using externally controlled strings in a command line may allow a malicious
+ *              user to change the meaning of the command.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 6.3
+ * @precision high
+ * @id rb/shell-command-constructed-from-input
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-078
+ *       external/cwe/cwe-088
+ *       external/cwe/cwe-073
+ */
+
+import codeql.ruby.security.UnsafeShellCommandConstructionQuery
+import DataFlow::PathGraph
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
+where
+  config.hasFlowPath(source, sink) and
+  sinkNode = sink.getNode()
+select sinkNode.getStringConstruction(), source, sink,
+  "This " + sinkNode.describe() + " which depends on $@ is later used in a $@.", source.getNode(),
+  "library input", sinkNode.getCommandExecution(), "shell command"

ruby/ql/src/queries/security/cwe-078/examples/unsafe-shell-command-construction.rb

@@ -0,0 +1,5 @@
+module Utils 
+    def download(path)
+        system("wget #{path}") # NOT OK
+    end
+end