add string concat as a sink for code-construction

Author: erik-krogh

ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll

@@ -96,6 +96,40 @@ module UnsafeCodeConstruction {
     override string getSinkType() { result = "string interpolation" }
   }
 
+  private class AddRoot extends Ast::AddExpr {
+    AddRoot() { not this.getParent() instanceof Ast::AddExpr }
+
+    private Ast::AstNode getALeafOrAdd() {
+      result = this.getAChild()
+      or
+      result = getALeafOrAdd().(Ast::AddExpr).getAChild()
+    }
+
+    Ast::AstNode getALeaf() {
+      result = getALeafOrAdd() and
+      not result instanceof Ast::AddExpr
+    }
+  }
+
+  /**
+   * A string constructed from a string-concatenation (e.g. `"foo " + sink`),
+   * where the resulting string ends up being executed as a code.
+   */
+  class StringConcatAsSink extends Sink {
+    Concepts::CodeExecution s;
+
+    StringConcatAsSink() {
+      exists(AddRoot add |
+        any(DataFlow::Node n | n.asExpr().getExpr() = add) = getANodeExecutedAsCode(s) and
+        this.asExpr().getExpr() = add.getALeaf()
+      )
+    }
+
+    override DataFlow::Node getCodeSink() { result = s }
+
+    override string getSinkType() { result = "string concatenation" }
+  }
+
   import codeql.ruby.security.TaintedFormatStringSpecific as TaintedFormat
 
   /**

ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected

@@ -7,6 +7,7 @@ edges
 | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:40:10:40:12 | arr |
 | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:44:10:44:12 | arr |
 | impl/unsafeCode.rb:47:15:47:15 | x :  | impl/unsafeCode.rb:49:9:49:12 | #{...} |
+| impl/unsafeCode.rb:54:21:54:21 | x :  | impl/unsafeCode.rb:55:22:55:22 | x |
 nodes
 | impl/unsafeCode.rb:2:12:2:17 | target :  | semmle.label | target :  |
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | semmle.label | #{...} |
@@ -23,6 +24,8 @@ nodes
 | impl/unsafeCode.rb:44:10:44:12 | arr | semmle.label | arr |
 | impl/unsafeCode.rb:47:15:47:15 | x :  | semmle.label | x :  |
 | impl/unsafeCode.rb:49:9:49:12 | #{...} | semmle.label | #{...} |
+| impl/unsafeCode.rb:54:21:54:21 | x :  | semmle.label | x :  |
+| impl/unsafeCode.rb:55:22:55:22 | x | semmle.label | x |
 subpaths
 #select
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | impl/unsafeCode.rb:2:12:2:17 | target :  | impl/unsafeCode.rb:3:17:3:25 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:2:12:2:17 | target | library input | impl/unsafeCode.rb:3:5:3:27 | call to eval | interpreted as code |
@@ -33,3 +36,4 @@ subpaths
 | impl/unsafeCode.rb:40:10:40:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:40:10:40:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:40:5:40:24 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:44:10:44:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:44:10:44:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:44:5:44:24 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:49:9:49:12 | #{...} | impl/unsafeCode.rb:47:15:47:15 | x :  | impl/unsafeCode.rb:49:9:49:12 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:47:15:47:15 | x | library input | impl/unsafeCode.rb:51:5:51:13 | call to eval | interpreted as code |
+| impl/unsafeCode.rb:55:22:55:22 | x | impl/unsafeCode.rb:54:21:54:21 | x :  | impl/unsafeCode.rb:55:22:55:22 | x | This string concatenation which depends on $@ is later $@. | impl/unsafeCode.rb:54:21:54:21 | x | library input | impl/unsafeCode.rb:56:5:56:13 | call to eval | interpreted as code |

ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb

@@ -50,4 +50,9 @@ def hereDoc(x)
     HERE
     eval(foo) # NOT OK
   end
+
+  def string_concat(x)
+    foo = "foo = " + x
+    eval(foo) # NOT OK
+  end
 end