Merge pull request #14627 from alexrford/rb/update_all_sink

hmac · web-flow · commit d6307735752a · 2023-12-04T13:02:14.000Z
Ruby: refine `ActiveRecord` `update_all` as an SQL sink
diff --git a/ruby/ql/lib/change-notes/2023-10-30-update-all.md b/ruby/ql/lib/change-notes/2023-10-30-update-all.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved modeling for `ActiveRecord`s `update_all` method
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
@@ -173,7 +173,7 @@ private predicate sqlFragmentArgumentInner(DataFlow::CallNode call, DataFlow::No
         "delete_all", "delete_by", "destroy_all", "destroy_by", "exists?", "find_by", "find_by!",
         "find_or_create_by", "find_or_create_by!", "find_or_initialize_by", "find_by_sql", "from",
         "group", "having", "joins", "lock", "not", "order", "reorder", "pluck", "where", "rewhere",
-        "select", "reselect", "update_all"
+        "select", "reselect"
       ]) and
   sink = call.getArgument(0)
   or
@@ -198,6 +198,20 @@ private predicate sqlFragmentArgumentInner(DataFlow::CallNode call, DataFlow::No
   or
   call = activeRecordConnectionInstance().getAMethodCall("execute") and
   sink = call.getArgument(0)
+  or
+  call = activeRecordQueryBuilderCall("update_all") and
+  (
+    // `update_all([sink, var1, var2, var3])`
+    sink = call.getArgument(0).getALocalSource().(DataFlow::ArrayLiteralNode).getElement(0)
+    or
+    // or arg0 is not of a known "safe" type
+    sink = call.getArgument(0) and
+    not (
+      sink.getALocalSource() = any(DataFlow::ArrayLiteralNode arr) or
+      sink.getALocalSource() = any(DataFlow::HashLiteralNode hash) or
+      sink.getALocalSource() = any(DataFlow::PairNode pair)
+    )
+  )
 }
 
 private predicate sqlFragmentArgument(DataFlow::CallNode call, DataFlow::Node sink) {
diff --git a/ruby/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb b/ruby/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb
@@ -90,9 +90,21 @@ def some_request_handler
     # BAD: executes `UPDATE "users" SET #{params[:fields]}`
     # where `params[:fields]` is unsanitized
     User.update_all(params[:fields])
-    
+
+    # GOOD -- `update_all` sanitizes its bind variable arguments
+    User.find_by(name: params[:user_name])
+      .update_all(['name = ?', params[:new_user_name]])
+
+    # BAD -- `update_all` does not sanitize its query (array arg)
+    User.find_by(name: params[:user_name])
+      .update_all(["name = '#{params[:new_user_name]}'"])
+
+    # BAD -- `update_all` does not sanitize its query (string arg)
+    User.find_by(name: params[:user_name])
+      .update_all("name = '#{params[:new_user_name]}'")
+
     User.reorder(params[:direction])
-    
+
     User.count_by_sql(params[:custom_sql_query])
   end
 end
@@ -168,13 +180,13 @@ def index
     result = Regression.find_by_sql(query)
   end
 
-  
+
   def permitted_params
     params.require(:my_key).permit(:id, :user_id, :my_type)
   end
-  
+
   def show
     ActiveRecord::Base.connection.execute("SELECT * FROM users WHERE id = #{permitted_params[:user_id]}")
     Regression.connection.execute("SELECT * FROM users WHERE id = #{permitted_params[:user_id]}")
   end
-end
+end
diff --git a/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Improved modeling for `ActiveRecord`s `update_all` method