Ruby : XPath Injection Query (CWE-643)

Author: maikypedia

ruby/ql/lib/codeql/ruby/Concepts.qll

@@ -840,6 +840,58 @@ module XmlParserCall {
   }
 }
 
+/**
+ * A data-flow node that constructs an XPath expression.
+ *
+ * If it is important that the XPath expression is indeed executed, then use `XPathExecution`.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `XPathConstruction::Range` instead.
+ */
+class XPathConstruction extends DataFlow::Node instanceof XPathConstruction::Range {
+  /** Gets the argument that specifies the XPath expressions to be constructed. */
+  DataFlow::Node getXPath() { result = super.getXPath() }
+}
+
+/** Provides a class for modeling new XPath construction APIs. */
+module XPathConstruction {
+  /**
+   * A data-flow node that constructs an XPath expression.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `XPathConstruction` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the XPath expressions to be constructed. */
+    abstract DataFlow::Node getXPath();
+  }
+}
+
+/**
+ * A data-flow node that executes an XPath expression.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `XPathExecution::Range` instead.
+ */
+class XPathExecution extends DataFlow::Node instanceof XPathExecution::Range {
+  /** Gets the argument that specifies the XPath expressions to be executed. */
+  DataFlow::Node getXPath() { result = super.getXPath() }
+}
+
+/** Provides a class for modeling new XPath execution APIs. */
+module XPathExecution {
+  /**
+   * A data-flow node that executes an XPath expression.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `XPathExecution` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the XPath expressions to be executed. */
+    abstract DataFlow::Node getXPath();
+  }
+}
+
 /**
  * A data-flow node that may represent a database object in an ORM system.
  *

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -32,3 +32,6 @@ private import codeql.ruby.frameworks.Slim
 private import codeql.ruby.frameworks.Sinatra
 private import codeql.ruby.frameworks.Twirp
 private import codeql.ruby.frameworks.Sqlite3
+private import codeql.ruby.frameworks.Rexml
+private import codeql.ruby.frameworks.Nokogiri
+private import codeql.ruby.frameworks.Libxml

ruby/ql/lib/codeql/ruby/frameworks/Libxml.qll

@@ -0,0 +1,48 @@
+/**
+ * Provides modeling for `libxml`, an XML library for Ruby.
+ */
+
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+
+/**
+ * Provides modeling for `libxml`, an XML library for Ruby.
+ */
+module Libxml {
+  /**
+   * Flow summary for `libxml`. Wraps a string, parsing it as an XML document.
+   */
+  private class XMLSummary extends SummarizedCallable {
+    XMLSummary() { this = "LibXML::XML" }
+
+    override MethodCall getACall() { result = any(LibXmlRubyXmlParserCall c).asExpr().getExpr() }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
+    }
+  }
+
+  /** A call that parses XML. */
+  private class LibXmlRubyXmlParserCall extends DataFlow::CallNode {
+    LibXmlRubyXmlParserCall() {
+      this =
+        [API::getTopLevelMember("LibXML").getMember("XML"), API::getTopLevelMember("XML")]
+            .getMember(["Document", "Parser"])
+            .getAMethodCall(["file", "io", "string"])
+    }
+
+    DataFlow::Node getInput() { result = this.getArgument(0) }
+  }
+
+  /** Execution of a XPath statement. */
+  private class LibXmlXPathExecution extends XPathExecution::Range, DataFlow::CallNode {
+    LibXmlXPathExecution() {
+      exists(LibXmlRubyXmlParserCall parserCall |
+        this = parserCall.getAMethodCall(["find", "find_first"])
+      )
+    }
+
+    override DataFlow::Node getXPath() { result = this.getArgument(0) }
+  }
+}

ruby/ql/lib/codeql/ruby/frameworks/Nokogiri.qll

@@ -0,0 +1,54 @@
+/**
+ * Provides modeling for `nokogiri`, an XML library for Ruby.
+ */
+
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+
+/**
+ * Provides modeling for `nokogiri`, an XML library for Ruby.
+ */
+module Nokogiri {
+  /**
+   * Flow summary for `nokogiri`. Wraps a string, parsing it as an XML document.
+   */
+  private class XMLSummary extends SummarizedCallable {
+    XMLSummary() { this = "Nokogiri::XML.parse" }
+
+    override MethodCall getACall() { result = any(NokogiriXmlParserCall p).asExpr().getExpr() }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
+    }
+  }
+
+  /** A call that parses XML. */
+  private class NokogiriXmlParserCall extends DataFlow::CallNode {
+    NokogiriXmlParserCall() {
+      this =
+        [
+          API::getTopLevelMember("Nokogiri").getMember("XML"),
+          API::getTopLevelMember("Nokogiri").getMember("XML").getMember("Document"),
+          API::getTopLevelMember("Nokogiri")
+              .getMember("XML")
+              .getMember("SAX")
+              .getMember("Parser")
+              .getInstance()
+        ].getAMethodCall("parse")
+    }
+
+    DataFlow::Node getInput() { result = this.getArgument(0) }
+  }
+
+  /** Execution of a XPath statement. */
+  private class NokogiriXPathExecution extends XPathExecution::Range, DataFlow::CallNode {
+    NokogiriXPathExecution() {
+      exists(NokogiriXmlParserCall parserCall |
+        this = parserCall.getAMethodCall(["xpath", "at_xpath", "search", "at"])
+      )
+    }
+
+    override DataFlow::Node getXPath() { result = this.getArgument(0) }
+  }
+}

ruby/ql/lib/codeql/ruby/frameworks/Rexml.qll

@@ -0,0 +1,48 @@
+/**
+ * Provides modeling for `rexml`, an XML toolkit for Ruby.
+ */
+
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+
+/**
+ * Provides modeling for `rexml`, an XML toolkit for Ruby.
+ */
+module Rexml {
+  /**
+   * Flow summary for `REXML::Document.new()`. This method wraps a string, parsing it as an XML document.
+   */
+  private class XMLSummary extends SummarizedCallable {
+    XMLSummary() { this = "REXML::Document.new()" }
+
+    override MethodCall getACall() { result = any(RexmlParserCall c).asExpr().getExpr() }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
+    }
+  }
+
+  /** A call to `REXML::Document.new`, considered as a XML parsing. */
+  private class RexmlParserCall extends XmlParserCall::Range, DataFlow::CallNode {
+    RexmlParserCall() {
+      this = API::getTopLevelMember("REXML").getMember("Document").getAnInstantiation()
+    }
+
+    override DataFlow::Node getInput() { result = this.getArgument(0) }
+
+    /** No option for parsing */
+    override predicate externalEntitiesEnabled() { none() }
+  }
+
+  /** Execution of a XPath statement. */
+  private class RexmlXPathExecution extends XPathExecution::Range, DataFlow::CallNode {
+    RexmlXPathExecution() {
+      this =
+        [API::getTopLevelMember("REXML").getMember("XPath"), API::getTopLevelMember("XPath")]
+            .getAMethodCall(["each", "first", "match"])
+    }
+
+    override DataFlow::Node getXPath() { result = this.getArgument(1) }
+  }
+}

ruby/ql/lib/codeql/ruby/security/XpathInjectionCustomizations.qll

@@ -0,0 +1,54 @@
+/**
+ * Provides class and predicates to track external data that
+ * may represent malicious xpath query objects.
+ *
+ * This module is intended to be imported into a taint-tracking query.
+ */
+
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.BarrierGuards
+private import codeql.ruby.dataflow.RemoteFlowSources
+
+/** Models Xpath Injection related classes and functions */
+module XpathInjection {
+  /** A data flow source for "XPath injection" vulnerabilities. */
+  abstract class Source extends DataFlow::Node { }
+
+  /** A data flow sink for "XPath injection" vulnerabilities */
+  abstract class Sink extends DataFlow::Node { }
+
+  /** A sanitizer for "XPath injection" vulnerabilities. */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  private class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * An execution of an XPath expression, considered as a sink.
+   */
+  private class XPathExecutionAsSink extends Sink {
+    XPathExecutionAsSink() { this = any(XPathExecution e).getXPath() }
+  }
+
+  /**
+   * A construction of an XPath expression, considered as a sink.
+   */
+  private class XPathConstructionAsSink extends Sink {
+    XPathConstructionAsSink() { this = any(XPathConstruction c).getXPath() }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  private class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
+
+  /**
+   * An inclusion check against an array of constant strings, considered as a
+   * sanitizer-guard.
+   */
+  private class StringConstArrayInclusionCallAsSanitizer extends Sanitizer,
+    StringConstArrayInclusionCallBarrier { }
+}

ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll

@@ -0,0 +1,24 @@
+/**
+ * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `XpathInjection::Configuration` is needed, otherwise
+ * `XpathInjectionCustomizations` should be imported instead.
+ */
+
+private import codeql.ruby.DataFlow
+private import codeql.ruby.TaintTracking
+import XpathInjectionCustomizations::XpathInjection
+
+/**
+ * A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "Xpath Injection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node source) { source instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+}

ruby/ql/src/change-notes/2023-05-11-xpath-injection-query.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new experimental query, `rb/xpath-injection`, to detect cases where user input may be embedded into a template's code in an unsafe manner.

ruby/ql/src/experimental/xpath-injection/XpathInjection.qhelp

@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+If an XPath expression is built using string concatenation, and the components of the concatenation
+include user input, it makes it very easy for a user to create a malicious XPath expression.
+</p>
+</overview>
+
+<recommendation>
+<p>
+If user input must be included in an XPath expression, either sanitize the data or use variable
+references to safely embed it without altering the structure of the expression.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example uses the <code>nokogiri</code>, <code>rexml</code> and <code>libxml</code> XML parsers to parse a string <code>xml</code>.
+Then the xpath query is controlled by the user and hence leads to a vulnerability.
+</p>
+<sample src="examples/XPathBad.rb"/>
+
+<p>
+To guard against XPath Injection attacks, the user input should be sanitized.
+</p>
+<sample src="examples/XPathGood.rb"/>
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://owasp.org/www-community/attacks/XPATH_Injection">XPath injection</a>.
+</li>
+</references>
+</qhelp>

ruby/ql/src/experimental/xpath-injection/XpathInjection.ql

@@ -0,0 +1,21 @@
+/**
+ * @name XPath query built from user-controlled sources
+ * @description Building a XPath query from user-controlled sources is vulnerable to insertion of
+ *              malicious Xpath code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id rb/xpath-injection
+ * @tags security
+ *       external/cwe/cwe-643
+ */
+
+import codeql.ruby.DataFlow
+import codeql.ruby.security.XpathInjectionQuery
+import DataFlow::PathGraph
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(),
+  "user-provided value"