Ruby: Consider Object#inspect a log sanitizer

hmac · hmac · commit 2e2fcd49bf69 · 2022-11-16T13:46:51.000+13:00
The behaviour of `Object#inspect` depends on whether it has been
overridden by a subclass, but it will typically produce output on a
single line. Calling `inspect` on a String will replace newlines with
`\n`, which is then safe for interpolation into a log line.
diff --git a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
@@ -60,6 +60,14 @@ class StringReplaceSanitizer extends Sanitizer {
   }
 }
 
+/**
+ * A call to `Object#inspect`, considered as a sanitizer.
+ * This is because `inspect` will replace newlines in strings with `\n`.
+ */
+class InspectSanitizer extends Sanitizer {
+  InspectSanitizer() { this.(DataFlow::CallNode).getMethodName() = "inspect" }
+}
+
 /**
  * A call to an HTML escape method is considered to sanitize its input.
  */
diff --git a/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected b/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected
@@ -11,6 +11,7 @@ edges
 | app/controllers/users_controller.rb:33:5:33:31 | ... = ... :  | app/controllers/users_controller.rb:35:33:35:55 | ... + ... |
 | app/controllers/users_controller.rb:33:19:33:25 | call to cookies :  | app/controllers/users_controller.rb:33:19:33:31 | ...[...] :  |
 | app/controllers/users_controller.rb:33:19:33:31 | ...[...] :  | app/controllers/users_controller.rb:33:5:33:31 | ... = ... :  |
+| app/controllers/users_controller.rb:49:19:49:24 | call to params :  | app/controllers/users_controller.rb:49:19:49:30 | ...[...] |
 nodes
 | app/controllers/users_controller.rb:15:19:15:24 | call to params :  | semmle.label | call to params :  |
 | app/controllers/users_controller.rb:15:19:15:30 | ...[...] :  | semmle.label | ...[...] :  |
@@ -26,6 +27,8 @@ nodes
 | app/controllers/users_controller.rb:33:19:33:31 | ...[...] :  | semmle.label | ...[...] :  |
 | app/controllers/users_controller.rb:34:33:34:43 | unsanitized | semmle.label | unsanitized |
 | app/controllers/users_controller.rb:35:33:35:55 | ... + ... | semmle.label | ... + ... |
+| app/controllers/users_controller.rb:49:19:49:24 | call to params :  | semmle.label | call to params :  |
+| app/controllers/users_controller.rb:49:19:49:30 | ...[...] | semmle.label | ...[...] |
 subpaths
 #select
 | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | app/controllers/users_controller.rb:15:19:15:24 | call to params :  | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
@@ -34,3 +37,4 @@ subpaths
 | app/controllers/users_controller.rb:27:16:27:39 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params :  | app/controllers/users_controller.rb:27:16:27:39 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
 | app/controllers/users_controller.rb:34:33:34:43 | unsanitized | app/controllers/users_controller.rb:33:19:33:25 | call to cookies :  | app/controllers/users_controller.rb:34:33:34:43 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value |
 | app/controllers/users_controller.rb:35:33:35:55 | ... + ... | app/controllers/users_controller.rb:33:19:33:25 | call to cookies :  | app/controllers/users_controller.rb:35:33:35:55 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value |
+| app/controllers/users_controller.rb:49:19:49:30 | ...[...] | app/controllers/users_controller.rb:49:19:49:24 | call to params :  | app/controllers/users_controller.rb:49:19:49:30 | ...[...] | Log entry depends on a $@. | app/controllers/users_controller.rb:49:19:49:24 | call to params | user-provided value |
diff --git a/ruby/ql/test/query-tests/security/cwe-117/app/controllers/users_controller.rb b/ruby/ql/test/query-tests/security/cwe-117/app/controllers/users_controller.rb
@@ -39,7 +39,14 @@ def html_sanitization
     init_logger
 
     sanitized = html_escape params[:baz]
-    @logger.debug unsanitized             # GOOD: sanitized user input
-    @logger.debug "input: " + unsanitized # GOOD: sanitized user input
+    @logger.debug sanitized             # GOOD: sanitized user input
+    @logger.debug "input: " + sanitized # GOOD: sanitized user input
+  end
+
+  def inspect_sanitization
+    init_logger
+
+    @logger.debug params[:foo]         # BAD: unsanitized user input
+    @logger.debug params[:foo].inspect # GOOD: sanitized user input
   end
 end

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,14 @@ class StringReplaceSanitizer extends Sanitizer {`
`60`	`60`	`}`
`61`	`61`	`}`
`62`	`62`
	`63`	`+/**`
	`64`	+ * A call to `Object#inspect`, considered as a sanitizer.
	`65`	+ * This is because `inspect` will replace newlines in strings with `\n`.
	`66`	`+ */`
	`67`	`+class InspectSanitizer extends Sanitizer {`
	`68`	`+ InspectSanitizer() { this.(DataFlow::CallNode).getMethodName() = "inspect" }`
	`69`	`+}`
	`70`	`+`
`63`	`71`	`/**`
`64`	`72`	`* A call to an HTML escape method is considered to sanitize its input.`
`65`	`73`	`*/`