add Kernel methods as sinks to path-injection

Author: erik-krogh

ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll

@@ -179,4 +179,19 @@ module Kernel {
       preservesValue = true
     }
   }
+
+  /** A call to e.g. `Kernel.load` that accesses a file. */
+  private class KernelFileAccess extends FileSystemAccess::Range instanceof KernelMethodCall {
+    KernelFileAccess() {
+      super.getMethodName() = ["load", "require", "require_relative", "autoload", "autoload?"]
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result = super.getArgument(0) and
+      super.getMethodName() = ["load", "require", "require_relative"]
+      or
+      result = super.getArgument(1) and
+      super.getMethodName() = ["autoload", "autoload?"]
+    }
+  }
 }

ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected

@@ -43,6 +43,10 @@ edges
 | tainted_path.rb:77:12:77:53 | call to new :  | tainted_path.rb:79:14:79:17 | path |
 | tainted_path.rb:77:40:77:45 | call to params :  | tainted_path.rb:77:40:77:52 | ...[...] :  |
 | tainted_path.rb:77:40:77:52 | ...[...] :  | tainted_path.rb:77:12:77:53 | call to new :  |
+| tainted_path.rb:84:12:84:53 | call to new :  | tainted_path.rb:85:10:85:13 | path |
+| tainted_path.rb:84:12:84:53 | call to new :  | tainted_path.rb:86:25:86:28 | path |
+| tainted_path.rb:84:40:84:45 | call to params :  | tainted_path.rb:84:40:84:52 | ...[...] :  |
+| tainted_path.rb:84:40:84:52 | ...[...] :  | tainted_path.rb:84:12:84:53 | call to new :  |
 nodes
 | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | semmle.label | call to params :  |
 | ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | semmle.label | ...[...] :  |
@@ -102,6 +106,11 @@ nodes
 | tainted_path.rb:77:40:77:52 | ...[...] :  | semmle.label | ...[...] :  |
 | tainted_path.rb:78:19:78:22 | path | semmle.label | path |
 | tainted_path.rb:79:14:79:17 | path | semmle.label | path |
+| tainted_path.rb:84:12:84:53 | call to new :  | semmle.label | call to new :  |
+| tainted_path.rb:84:40:84:45 | call to params :  | semmle.label | call to params :  |
+| tainted_path.rb:84:40:84:52 | ...[...] :  | semmle.label | ...[...] :  |
+| tainted_path.rb:85:10:85:13 | path | semmle.label | path |
+| tainted_path.rb:86:25:86:28 | path | semmle.label | path |
 subpaths
 #select
 | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | This path depends on a $@. | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | user-provided value |
@@ -119,3 +128,5 @@ subpaths
 | tainted_path.rb:72:15:72:18 | path | tainted_path.rb:71:40:71:45 | call to params :  | tainted_path.rb:72:15:72:18 | path | This path depends on a $@. | tainted_path.rb:71:40:71:45 | call to params | user-provided value |
 | tainted_path.rb:78:19:78:22 | path | tainted_path.rb:77:40:77:45 | call to params :  | tainted_path.rb:78:19:78:22 | path | This path depends on a $@. | tainted_path.rb:77:40:77:45 | call to params | user-provided value |
 | tainted_path.rb:79:14:79:17 | path | tainted_path.rb:77:40:77:45 | call to params :  | tainted_path.rb:79:14:79:17 | path | This path depends on a $@. | tainted_path.rb:77:40:77:45 | call to params | user-provided value |
+| tainted_path.rb:85:10:85:13 | path | tainted_path.rb:84:40:84:45 | call to params :  | tainted_path.rb:85:10:85:13 | path | This path depends on a $@. | tainted_path.rb:84:40:84:45 | call to params | user-provided value |
+| tainted_path.rb:86:25:86:28 | path | tainted_path.rb:84:40:84:45 | call to params :  | tainted_path.rb:86:25:86:28 | path | This path depends on a $@. | tainted_path.rb:84:40:84:45 | call to params | user-provided value |

ruby/ql/test/query-tests/security/cwe-022/tainted_path.rb

@@ -78,4 +78,11 @@ def route12
     bla (Dir.glob path)
     bla (Dir[path])
   end
+
+  # BAD
+  def route13
+    path = ActiveStorage::Filename.new(params[:path])
+    load(path)
+    autoload(:MyModule, path)
+  end
 end