add a taint-step for format-calls

erik-krogh · erik-krogh · commit d4919d04ba93 · 2022-10-17T13:16:38.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/StringFormatters.qll b/ruby/ql/lib/codeql/ruby/frameworks/StringFormatters.qll
@@ -93,3 +93,19 @@ private class StringLiteralFormatStep extends AdditionalTaintStep {
     pred.asExpr() = succ.asExpr().(CfgNodes::ExprNodes::StringlikeLiteralCfgNode).getAComponent()
   }
 }
+
+/**
+ * A taint propagating data flow edge arising from string formatting.
+ */
+private class StringFormattingTaintStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(PrintfStyleCall call |
+      call.returnsFormatted() and
+      succ = call
+    |
+      pred = call.getFormatString()
+      or
+      pred = call.getFormatArgument(_)
+    )
+  }
+}
diff --git a/ruby/ql/test/query-tests/security/cwe-079/StoredXSS.expected b/ruby/ql/test/query-tests/security/cwe-079/StoredXSS.expected
@@ -11,6 +11,7 @@ edges
 | app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
 | app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
 | app/views/foo/stores/show.html.erb:41:76:41:87 | call to display_text :  | app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  |
+| app/views/foo/stores/show.html.erb:87:17:87:28 | call to handle :  | app/views/foo/stores/show.html.erb:87:3:87:29 | call to sprintf |
 nodes
 | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | semmle.label | call to read :  |
 | app/controllers/foo/stores_controller.rb:9:22:9:23 | dt :  | semmle.label | dt :  |
@@ -31,6 +32,8 @@ nodes
 | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | semmle.label | call to raw_name |
 | app/views/foo/stores/show.html.erb:80:5:80:22 | call to display_name | semmle.label | call to display_name |
 | app/views/foo/stores/show.html.erb:83:5:83:24 | @other_user_raw_name | semmle.label | @other_user_raw_name |
+| app/views/foo/stores/show.html.erb:87:3:87:29 | call to sprintf | semmle.label | call to sprintf |
+| app/views/foo/stores/show.html.erb:87:17:87:28 | call to handle :  | semmle.label | call to handle :  |
 subpaths
 #select
 | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | Stored cross-site scripting vulnerability due to $@. | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
@@ -46,3 +49,4 @@ subpaths
 | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | Stored cross-site scripting vulnerability due to $@. | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | stored value |
 | app/views/foo/stores/show.html.erb:80:5:80:22 | call to display_name | app/views/foo/stores/show.html.erb:80:5:80:22 | call to display_name | app/views/foo/stores/show.html.erb:80:5:80:22 | call to display_name | Stored cross-site scripting vulnerability due to $@. | app/views/foo/stores/show.html.erb:80:5:80:22 | call to display_name | stored value |
 | app/views/foo/stores/show.html.erb:83:5:83:24 | @other_user_raw_name | app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name :  | app/views/foo/stores/show.html.erb:83:5:83:24 | @other_user_raw_name | Stored cross-site scripting vulnerability due to $@. | app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name | stored value |
+| app/views/foo/stores/show.html.erb:87:3:87:29 | call to sprintf | app/views/foo/stores/show.html.erb:87:17:87:28 | call to handle :  | app/views/foo/stores/show.html.erb:87:3:87:29 | call to sprintf | Stored cross-site scripting vulnerability due to $@. | app/views/foo/stores/show.html.erb:87:17:87:28 | call to handle | stored value |
diff --git a/ruby/ql/test/query-tests/security/cwe-079/app/views/foo/stores/show.html.erb b/ruby/ql/test/query-tests/security/cwe-079/app/views/foo/stores/show.html.erb
@@ -81,3 +81,8 @@
 
 <%# BAD: Indirect to a database value without escaping %>
 <%= @other_user_raw_name.html_safe %>
+
+<%# BAD: Kernel.sprintf is a taint-step %>
+<%=
+  sprintf("%s", @user.handle).html_safe
+%>
