v1.3

am0o0 · hmac · commit 0e343e5a12b9 · 2023-05-27T01:14:36.000Z
diff --git a/ruby/ql/src/experimental/CWE-502/YAMLUnsafeYamlDeserialization.ql b/ruby/ql/src/experimental/CWE-502/YAMLUnsafeYamlDeserialization.ql
@@ -12,10 +12,8 @@
  *       external/cwe/cwe-502
  */
 
-import codeql.ruby.AST
 import codeql.ruby.ApiGraphs
 import codeql.ruby.DataFlow
-import codeql.ruby.dataflow.RemoteFlowSources
 import codeql.ruby.TaintTracking
 import DataFlow::PathGraph
 import codeql.ruby.security.UnsafeDeserializationCustomizations
@@ -38,26 +36,28 @@ class YamlUnsafeLoadArgument extends YamlSink {
       API::getTopLevelMember(["YAML", "Psych"])
           .getAMethodCall("unsafe_load_file")
           .getKeywordArgument("filename")
+    or
+    this =
+      API::getTopLevelMember(["YAML", "Psych"])
+          .getAMethodCall(["parse", "parse_stream", "parse_file"])
+          .getAMethodCall("to_ruby")
   }
 }
 
 class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnsafeDeserialization" }
+  Configuration() { this = "UnsafeYAMLDeserialization" }
 
   override predicate isSource(DataFlow::Node source) {
-    // for detecting The CVE we should uncomment following line instead of current RemoteFlowSource
+    // to detect CVE-2022-32224, we should uncomment following line instead of current UnsafeDeserialization::Source
     // source instanceof DataFlow::LocalSourceNode
     source instanceof UnsafeDeserialization::Source
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    // for detecting The CVE we should uncomment following line
+    // after changing the isSource for detecting CVE-2022-32224
+    // uncomment the following line only see the CVE sink not other files similar sinks
     // sink.getLocation().getFile().toString().matches("%yaml_column%") and
-    sink instanceof YamlSink or
-    sink =
-      API::getTopLevelMember(["YAML", "Psych"])
-          .getAMethodCall(["parse", "parse_stream", "parse_file"])
-          .getAMethodCall("to_ruby")
+    sink instanceof YamlSink
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
diff --git a/ruby/ql/src/experimental/CWE-502/YAMLUnsafeYamlDeserialization.rb b/ruby/ql/src/experimental/CWE-502/YAMLUnsafeYamlDeserialization.rb
@@ -11,10 +11,12 @@ def example
     Psych.unsafe_load(params[:yaml_string])
     Psych.unsafe_load_file(params[:yaml_file])
     Psych.load_stream(params[:yaml_string])
-    Psych.parse_stream(params[:yaml_string]).to_ruby
+    parse_output = Psych.parse_stream(params[:yaml_string])
+    parse_output.to_ruby
     Psych.parse(params[:yaml_string]).to_ruby
     Psych.parse_file(params[:yaml_file]).to_ruby
 
   end
 end
 
+
diff --git a/ruby/ql/test/query-tests/experimental/Security/CWE-502/YAMLUnsafeYamlDeserialization.expected b/ruby/ql/test/query-tests/experimental/Security/CWE-502/YAMLUnsafeYamlDeserialization.expected
@@ -2,69 +2,33 @@ edges
 | YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] |
 | YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params :  | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] |
 | YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] |
-| YAMLUnsafeYamlDeserialization.rb:14:24:14:29 | call to params :  | YAMLUnsafeYamlDeserialization.rb:14:24:14:43 | ...[...] :  |
-| YAMLUnsafeYamlDeserialization.rb:14:24:14:43 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby |
-| YAMLUnsafeYamlDeserialization.rb:15:17:15:22 | call to params :  | YAMLUnsafeYamlDeserialization.rb:15:17:15:36 | ...[...] :  |
-| YAMLUnsafeYamlDeserialization.rb:15:17:15:36 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby |
-| YAMLUnsafeYamlDeserialization.rb:16:22:16:27 | call to params :  | YAMLUnsafeYamlDeserialization.rb:16:22:16:39 | ...[...] :  |
-| YAMLUnsafeYamlDeserialization.rb:16:22:16:39 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby |
-| file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] |
-| file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] |
-| file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] |
-| file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:14:24:14:43 | ...[...] :  |
-| file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:15:17:15:36 | ...[...] :  |
-| file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:16:22:16:39 | ...[...] :  |
-| file://:0:0:0:0 | parameter self of [](:yaml_file) :  | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] |
-| file://:0:0:0:0 | parameter self of [](:yaml_file) :  | YAMLUnsafeYamlDeserialization.rb:16:22:16:39 | ...[...] :  |
-| file://:0:0:0:0 | parameter self of [](:yaml_string) :  | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] |
-| file://:0:0:0:0 | parameter self of [](:yaml_string) :  | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] |
-| file://:0:0:0:0 | parameter self of [](:yaml_string) :  | YAMLUnsafeYamlDeserialization.rb:14:24:14:43 | ...[...] :  |
-| file://:0:0:0:0 | parameter self of [](:yaml_string) :  | YAMLUnsafeYamlDeserialization.rb:15:17:15:36 | ...[...] :  |
+| YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params :  | YAMLUnsafeYamlDeserialization.rb:14:39:14:58 | ...[...] :  |
+| YAMLUnsafeYamlDeserialization.rb:14:39:14:58 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby |
+| YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params :  | YAMLUnsafeYamlDeserialization.rb:16:17:16:36 | ...[...] :  |
+| YAMLUnsafeYamlDeserialization.rb:16:17:16:36 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby |
+| YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params :  | YAMLUnsafeYamlDeserialization.rb:17:22:17:39 | ...[...] :  |
+| YAMLUnsafeYamlDeserialization.rb:17:22:17:39 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby |
 nodes
 | YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params :  | semmle.label | call to params :  |
 | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | semmle.label | ...[...] |
 | YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params :  | semmle.label | call to params :  |
 | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | semmle.label | ...[...] |
 | YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params :  | semmle.label | call to params :  |
 | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | semmle.label | ...[...] |
-| YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | semmle.label | call to to_ruby |
-| YAMLUnsafeYamlDeserialization.rb:14:24:14:29 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeYamlDeserialization.rb:14:24:14:43 | ...[...] :  | semmle.label | ...[...] :  |
-| YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | semmle.label | call to to_ruby |
-| YAMLUnsafeYamlDeserialization.rb:15:17:15:22 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeYamlDeserialization.rb:15:17:15:36 | ...[...] :  | semmle.label | ...[...] :  |
-| YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | semmle.label | call to to_ruby |
-| YAMLUnsafeYamlDeserialization.rb:16:22:16:27 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeYamlDeserialization.rb:16:22:16:39 | ...[...] :  | semmle.label | ...[...] :  |
-| file://:0:0:0:0 | parameter self of [] :  | semmle.label | parameter self of [] :  |
-| file://:0:0:0:0 | parameter self of [](:yaml_file) :  | semmle.label | parameter self of [](:yaml_file) :  |
-| file://:0:0:0:0 | parameter self of [](:yaml_string) :  | semmle.label | parameter self of [](:yaml_string) :  |
+| YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params :  | semmle.label | call to params :  |
+| YAMLUnsafeYamlDeserialization.rb:14:39:14:58 | ...[...] :  | semmle.label | ...[...] :  |
+| YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby | semmle.label | call to to_ruby |
+| YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby | semmle.label | call to to_ruby |
+| YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params :  | semmle.label | call to params :  |
+| YAMLUnsafeYamlDeserialization.rb:16:17:16:36 | ...[...] :  | semmle.label | ...[...] :  |
+| YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby | semmle.label | call to to_ruby |
+| YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params :  | semmle.label | call to params :  |
+| YAMLUnsafeYamlDeserialization.rb:17:22:17:39 | ...[...] :  | semmle.label | ...[...] :  |
 subpaths
 #select
 | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | file://:0:0:0:0 | parameter self of [](:yaml_string) :  | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [](:yaml_string) | potentially untrusted source |
 | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params :  | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | file://:0:0:0:0 | parameter self of [](:yaml_file) :  | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [](:yaml_file) | potentially untrusted source |
 | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | file://:0:0:0:0 | parameter self of [](:yaml_string) :  | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [](:yaml_string) | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:14:24:14:29 | call to params :  | YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:14:24:14:29 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:14:24:14:43 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:14:24:14:43 | ...[...] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | file://:0:0:0:0 | parameter self of [](:yaml_string) :  | YAMLUnsafeYamlDeserialization.rb:14:5:14:52 | call to to_ruby | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [](:yaml_string) | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:15:17:15:22 | call to params :  | YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:15:17:15:22 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:15:17:15:36 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:15:17:15:36 | ...[...] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | file://:0:0:0:0 | parameter self of [](:yaml_string) :  | YAMLUnsafeYamlDeserialization.rb:15:5:15:45 | call to to_ruby | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [](:yaml_string) | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:16:22:16:27 | call to params :  | YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:16:22:16:27 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:16:22:16:39 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:16:22:16:39 | ...[...] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | file://:0:0:0:0 | parameter self of [] :  | YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [] | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | file://:0:0:0:0 | parameter self of [](:yaml_file) :  | YAMLUnsafeYamlDeserialization.rb:16:5:16:48 | call to to_ruby | This file extraction depends on a $@. | file://:0:0:0:0 | parameter self of [](:yaml_file) | potentially untrusted source |
+| YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params :  | YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params | potentially untrusted source |
+| YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params :  | YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params | potentially untrusted source |
+| YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params :  | YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params | potentially untrusted source |
diff --git a/ruby/ql/test/query-tests/experimental/Security/CWE-502/YAMLUnsafeYamlDeserialization.rb b/ruby/ql/test/query-tests/experimental/Security/CWE-502/YAMLUnsafeYamlDeserialization.rb
@@ -11,10 +11,12 @@ def example
     Psych.unsafe_load(params[:yaml_string])
     Psych.unsafe_load_file(params[:yaml_file])
     Psych.load_stream(params[:yaml_string])
-    Psych.parse_stream(params[:yaml_string]).to_ruby
+    parse_output = Psych.parse_stream(params[:yaml_string])
+    parse_output.to_ruby
     Psych.parse(params[:yaml_string]).to_ruby
     Psych.parse_file(params[:yaml_file]).to_ruby
 
   end
 end
 
+
