Ruby: Add sinks from external models

Author: hmac

ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll

@@ -4,6 +4,7 @@ private import codeql.ruby.Concepts
 private import codeql.ruby.Frameworks
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.dataflow.BarrierGuards
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 
 /**
  * Provides default sources, sinks and sanitizers for detecting
@@ -156,4 +157,8 @@ module CodeInjection {
 
     override FlowState::State getAState() { result instanceof FlowState::Full }
   }
+
+  private class ExternalCodeInjectionSink extends Sink {
+    ExternalCodeInjectionSink() { this = ModelOutput::getASinkNode("code-injection").asSink() }
+  }
 }

ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll

@@ -9,6 +9,7 @@ private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.Concepts
 private import codeql.ruby.Frameworks
 private import codeql.ruby.ApiGraphs
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 
 module CommandInjection {
   /**
@@ -52,4 +53,10 @@ module CommandInjection {
       this.(DataFlow::CallNode).getMethodName() = "shellescape"
     }
   }
+
+  private class ExternalCommandInjectionSink extends Sink {
+    ExternalCommandInjectionSink() {
+      this = ModelOutput::getASinkNode("command-injection").asSink()
+    }
+  }
 }

ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll

@@ -8,6 +8,7 @@ import codeql.ruby.DataFlow
 import codeql.ruby.TaintTracking
 import codeql.ruby.dataflow.RemoteFlowSources
 import codeql.ruby.frameworks.Core
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 
 /**
  * A data flow source for user input used in log entries.
@@ -50,6 +51,10 @@ class LoggingSink extends Sink {
   LoggingSink() { this = any(Logging logging).getAnInput() }
 }
 
+private class ExternalLogInjectionSink extends Sink {
+  ExternalLogInjectionSink() { this = ModelOutput::getASinkNode("log-injection").asSink() }
+}
+
 /**
  * A call to `String#replace` that replaces `\n` is considered to sanitize the replaced string (reduce false positive).
  */

ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll

@@ -11,6 +11,7 @@ private import codeql.ruby.Concepts
 private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.BarrierGuards
 private import codeql.ruby.dataflow.RemoteFlowSources
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 
 module PathInjection {
   /**
@@ -52,4 +53,8 @@ module PathInjection {
   class StringConstArrayInclusionCallAsSanitizer extends Sanitizer,
     StringConstArrayInclusionCallBarrier
   { }
+
+  private class ExternalPathInjectionSink extends Sink {
+    ExternalPathInjectionSink() { this = ModelOutput::getASinkNode("path-injection").asSink() }
+  }
 }

ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll

@@ -11,6 +11,7 @@ private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.dataflow.BarrierGuards
 private import codeql.ruby.dataflow.Sanitizers
 private import codeql.ruby.frameworks.ActionController
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 
 /**
  * Provides default sources, sinks and sanitizers for detecting
@@ -73,6 +74,10 @@ module UrlRedirect {
     }
   }
 
+  private class ExternalUrlRedirectSink extends Sink {
+    ExternalUrlRedirectSink() { this = ModelOutput::getASinkNode("url-redirect").asSink() }
+  }
+
   /**
    * A comparison with a constant string, considered as a sanitizer-guard.
    */