Add additional sinks to the rb/kernel-open query

p- · p- · commit d8752a0b12d3 · 2022-11-29T10:00:56.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll b/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll
@@ -19,18 +19,63 @@ class AmbiguousPathCall extends DataFlow::CallNode {
     this = API::getTopLevelMember("IO").getAMethodCall("read") and
     not this = API::getTopLevelMember("File").getAMethodCall("read") and // needed in e.g. opal/opal, where some calls have both paths, but I'm not sure why
     name = "IO.read"
+    or
+    this = API::getTopLevelMember("IO").getAMethodCall("write") and
+    name = "IO.write"
+    or
+    this = API::getTopLevelMember("IO").getAMethodCall("binread") and
+    name = "IO.binread"
+    or
+    this = API::getTopLevelMember("IO").getAMethodCall("binwrite") and
+    name = "IO.binwrite"
+    or
+    this = API::getTopLevelMember("IO").getAMethodCall("foreach") and
+    name = "IO.foreach"
+    or
+    this = API::getTopLevelMember("IO").getAMethodCall("readlines") and
+    name = "IO.readlines"
+    or
+    this = API::getTopLevelMember("URI").getAMethodCall("open") and
+    name = "URI.open"
   }
 
   /** Gets the name for the method being called. */
   string getName() { result = name }
 
   /** Gets the name for a safer method that can be used instead. */
   string getReplacement() {
+    result = "File.open" and name = "Kernel.open"
+    or
     result = "File.read" and name = "IO.read"
     or
-    result = "File.open" and name = "Kernel.open"
+    result = "File.write" and name = "IO.write"
+    or
+    result = "File.binread" and name = "IO.binread"
+    or
+    result = "File.binwrite" and name = "IO.binwrite"
+    or
+    result = "File.foreach" and name = "IO.foreach"
+    or
+    result = "File.readlines" and name = "IO.readlines"
+    or
+    result = "URI(<uri>).open" and name = "URI.open"
   }
 
   /** Gets the argument that specifies the path to be accessed. */
   DataFlow::Node getPathArgument() { result = this.getArgument(0) }
 }
+
+/**
+ * A sanitizer for kernel open vulnerabilities.
+ */
+abstract class Sanitizer extends DataFlow::Node { }
+
+/**
+ * If a File.join is performed the resulting string will not start with a pipe |
+ * This is true as long the tainted data doesn't flow into the first argument.
+ */
+private class FileJoinCall extends Sanitizer, DataFlow::ExprNode {
+  FileJoinCall() {
+    this = API::getTopLevelMember("File").getAMethodCall("join").getArgument(any(int i | i > 0))
+  }
+}
diff --git a/ruby/ql/src/change-notes/2022-11-22-kernel-open-sinks.md b/ruby/ql/src/change-notes/2022-11-22-kernel-open-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Extended the `rb/kernel-open` query with following sinks: `IO.write`, `IO.binread`, `IO.binwrite`, `IO.foreach`, `IO.readlines`, and `URI.open`.
diff --git a/ruby/ql/src/queries/security/cwe-078/KernelOpen.inc.qhelp b/ruby/ql/src/queries/security/cwe-078/KernelOpen.inc.qhelp
@@ -6,15 +6,19 @@
 <p>If <code>Kernel.open</code> is given a file name that starts with a <code>|</code>
 character, it will execute the remaining string as a shell command. If a
 malicious user can control the file name, they can execute arbitrary code.
-The same vulnerability applies to <code>IO.read</code>.
+The same vulnerability applies to <code>IO.read</code>, <code>IO.write</code>,
+<code>IO.binread</code>, <code>IO.binwrite</code>, <code>IO.foreach</code>,
+<code>IO.readlines</code> and <code>URI.open</code>.
 </p>
 
 </overview>
 <recommendation>
 
 <p>Use <code>File.open</code> instead of <code>Kernel.open</code>, as the former
-does not have this vulnerability. Similarly, use <code>File.read</code> instead
+does not have this vulnerability. Similarly, use the methods from the <code>File</code>
+class instead of the <code>IO</code> class e.g. <code>File.read</code> instead
 of <code>IO.read</code>.</p>
+<p>Instead of <code>URI.open</code> use <code>URI(<uri>).open</code> or an HTTP Client.</p>
 
 </recommendation>
 <example>
@@ -36,6 +40,7 @@ user-supplied file path.
 <li>
 OWASP:
 <a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+<a href="https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#command-injection">Ruby on Rails Cheat Sheet: Command Injection</a>.
 </li>
 
 <li>
diff --git a/ruby/ql/src/queries/security/cwe-078/KernelOpen.ql b/ruby/ql/src/queries/security/cwe-078/KernelOpen.ql
@@ -1,6 +1,7 @@
 /**
- * @name Use of `Kernel.open` or `IO.read` with user-controlled input
- * @description Using `Kernel.open` or `IO.read` may allow a malicious
+ * @name Use of `Kernel.open`, `IO.read` or similar sinks with user-controlled input
+ * @description Using `Kernel.open`, `IO.read`, `IO.write`, `IO.binread`, `IO.binwrite`,
+ *              `IO.foreach`, `IO.readlines`, or `URI.open` may allow a malicious
  *              user to execute arbitrary system commands.
  * @kind path-problem
  * @problem.severity error
@@ -32,7 +33,8 @@ class Configuration extends TaintTracking::Configuration {
 
   override predicate isSanitizer(DataFlow::Node node) {
     node instanceof StringConstCompareBarrier or
-    node instanceof StringConstArrayInclusionCallBarrier
+    node instanceof StringConstArrayInclusionCallBarrier or
+    node instanceof Sanitizer
   }
 }
 
diff --git a/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.expected b/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.expected
@@ -2,12 +2,35 @@ edges
 | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:3:12:3:24 | ...[...] :  |
 | KernelOpen.rb:3:12:3:24 | ...[...] :  | KernelOpen.rb:4:10:4:13 | file |
 | KernelOpen.rb:3:12:3:24 | ...[...] :  | KernelOpen.rb:5:13:5:16 | file |
+| KernelOpen.rb:3:12:3:24 | ...[...] :  | KernelOpen.rb:6:14:6:17 | file |
+| KernelOpen.rb:3:12:3:24 | ...[...] :  | KernelOpen.rb:7:16:7:19 | file |
+| KernelOpen.rb:3:12:3:24 | ...[...] :  | KernelOpen.rb:8:17:8:20 | file |
+| KernelOpen.rb:3:12:3:24 | ...[...] :  | KernelOpen.rb:9:16:9:19 | file |
+| KernelOpen.rb:3:12:3:24 | ...[...] :  | KernelOpen.rb:10:18:10:21 | file |
+| KernelOpen.rb:3:12:3:24 | ...[...] :  | KernelOpen.rb:11:14:11:17 | file |
+| KernelOpen.rb:3:12:3:24 | ...[...] :  | KernelOpen.rb:13:23:13:26 | file :  |
+| KernelOpen.rb:13:23:13:26 | file :  | KernelOpen.rb:13:13:13:31 | call to join |
 nodes
 | KernelOpen.rb:3:12:3:17 | call to params :  | semmle.label | call to params :  |
 | KernelOpen.rb:3:12:3:24 | ...[...] :  | semmle.label | ...[...] :  |
 | KernelOpen.rb:4:10:4:13 | file | semmle.label | file |
 | KernelOpen.rb:5:13:5:16 | file | semmle.label | file |
+| KernelOpen.rb:6:14:6:17 | file | semmle.label | file |
+| KernelOpen.rb:7:16:7:19 | file | semmle.label | file |
+| KernelOpen.rb:8:17:8:20 | file | semmle.label | file |
+| KernelOpen.rb:9:16:9:19 | file | semmle.label | file |
+| KernelOpen.rb:10:18:10:21 | file | semmle.label | file |
+| KernelOpen.rb:11:14:11:17 | file | semmle.label | file |
+| KernelOpen.rb:13:13:13:31 | call to join | semmle.label | call to join |
+| KernelOpen.rb:13:23:13:26 | file :  | semmle.label | file :  |
 subpaths
 #select
 | KernelOpen.rb:4:10:4:13 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:4:10:4:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
 | KernelOpen.rb:5:13:5:16 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:5:13:5:16 | file | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
+| KernelOpen.rb:6:14:6:17 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:6:14:6:17 | file | This call to IO.write depends on a $@. Consider replacing it with File.write. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
+| KernelOpen.rb:7:16:7:19 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:7:16:7:19 | file | This call to IO.binread depends on a $@. Consider replacing it with File.binread. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
+| KernelOpen.rb:8:17:8:20 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:8:17:8:20 | file | This call to IO.binwrite depends on a $@. Consider replacing it with File.binwrite. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
+| KernelOpen.rb:9:16:9:19 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:9:16:9:19 | file | This call to IO.foreach depends on a $@. Consider replacing it with File.foreach. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
+| KernelOpen.rb:10:18:10:21 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:10:18:10:21 | file | This call to IO.readlines depends on a $@. Consider replacing it with File.readlines. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
+| KernelOpen.rb:11:14:11:17 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:11:14:11:17 | file | This call to URI.open depends on a $@. Consider replacing it with URI(<uri>).open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
+| KernelOpen.rb:13:13:13:31 | call to join | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:13:13:13:31 | call to join | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
diff --git a/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.rb b/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.rb
@@ -3,6 +3,15 @@ def create
     file = params[:file]
     open(file) # BAD
     IO.read(file) # BAD
+    IO.write(file) # BAD
+    IO.binread(file) # BAD
+    IO.binwrite(file) # BAD
+    IO.foreach(file) # BAD
+    IO.readlines(file) # BAD
+    URI.open(file) # BAD
+
+    IO.read(File.join(file, "")) # BAD - file as first argument to File.join
+    IO.read(File.join("", file)) # GOOD - file path is sanitised by guard
 
     File.open(file).read # GOOD
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Extended the `rb/kernel-open` query with following sinks: `IO.write`, `IO.binread`, `IO.binwrite`, `IO.foreach`, `IO.readlines`, and `URI.open`.