Merge pull request github#11187 from github/nickrolfe/actioncable

Ruby: add ActionCable channel RPC params as remote flow sources

Author: nickrolfe

ruby/ql/lib/change-notes/2022-11-09-actioncable-channels.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Arguments to RPC endpoints (public methods) on subclasses of `ActionCable::Channel::Base` are now recognized as sources of remote user input.

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll

@@ -1058,6 +1058,15 @@ class MethodNode extends CallableNode {
 
   /** Gets the name of this method. */
   string getMethodName() { result = this.asCallableAstNode().getName() }
+
+  /** Holds if this method is public. */
+  predicate isPublic() { this.asCallableAstNode().isPublic() }
+
+  /** Holds if this method is private. */
+  predicate isPrivate() { this.asCallableAstNode().isPrivate() }
+
+  /** Holds if this method is protected. */
+  predicate isProtected() { this.asCallableAstNode().isProtected() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/frameworks/ActionCable.qll

@@ -6,6 +6,8 @@
 private import codeql.ruby.AST
 private import codeql.ruby.Concepts
 private import codeql.ruby.ApiGraphs
+private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.frameworks.stdlib.Logger::Logger as StdlibLogger
 
 /**
@@ -26,4 +28,36 @@ module ActionCable {
       }
     }
   }
+
+  private DataFlow::ConstRef getActionCableChannelBase() {
+    result = DataFlow::getConstant("ActionCable").getConstant("Channel").getConstant("Base")
+  }
+
+  /**
+   * The data argument in an RPC endpoint method on a subclass of
+   * `ActionCable::Channel::Base`, considered as a remote flow source.
+   */
+  class ActionCableChannelRpcParam extends RemoteFlowSource::Range {
+    ActionCableChannelRpcParam() {
+      exists(DataFlow::MethodNode m |
+        // Any method on a subclass of `ActionCable::Channel::Base`
+        // automatically becomes an RPC endpoint
+        m = getActionCableChannelBase().getADescendentModule().getAnInstanceMethod() and
+        // as long as it's not an instance method of
+        // `ActionCable::Channel::Base` itself, which might exist in the
+        // database
+        not m = getActionCableChannelBase().asModule().getAnInstanceMethod() and
+        // and as long as it's public
+        m.isPublic() and
+        // and is not called `subscribed` or `unsubscribed`.
+        not m.getMethodName() = ["subscribed", "unsubscribed"]
+      |
+        // If the method takes a parameter, it contains data from the remote
+        // request.
+        this = m.getParameter(0)
+      )
+    }
+
+    override string getSourceType() { result = "ActionCable channel RPC data" }
+  }
 }

ruby/ql/test/library-tests/frameworks/action_cable/ActionCable.expected

@@ -1 +1,4 @@
+loggerInstantiations
 | action_cable.rb:1:1:1:54 | call to new |
+remoteFlowSources
+| action_cable.rb:9:10:9:13 | data |

ruby/ql/test/library-tests/frameworks/action_cable/ActionCable.ql

@@ -1,4 +1,7 @@
 import codeql.ruby.frameworks.ActionCable
 import codeql.ruby.frameworks.stdlib.Logger
+import codeql.ruby.dataflow.RemoteFlowSources
 
 query predicate loggerInstantiations(Logger::LoggerInstantiation l) { any() }
+
+query predicate remoteFlowSources(RemoteFlowSource s) { any() }

ruby/ql/test/library-tests/frameworks/action_cable/action_cable.rb

@@ -1 +1,11 @@
 ActionCable::Connection::TaggedLoggerProxy.new(logger)
+
+class MyChannel < ActionCable::Channel::Base
+	# An RPC endpoint without the optional data parm, so no remote flow source.
+	def foo
+	end
+
+	# An RPC endpoint including the optional data parm, which is a remote flow source.
+	def bar(data)
+	end
+end