Ruby: configsig rb/url-redirection

alexrford · alexrford · commit 42cd58695da3 · 2023-09-03T17:20:05.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll b/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll
@@ -1,8 +1,9 @@
 /**
  * Provides a taint-tracking configuration for detecting "URL redirection" vulnerabilities.
  *
- * Note, for performance reasons: only import this file if `Configuration` is needed,
- * otherwise `UrlRedirectCustomizations` should be imported instead.
+ * Note, for performance reasons: only import this file if
+ * `UrlRedirectConfig` is needed, otherwise
+ * `UrlRedirectCustomizations` should be imported instead.
  */
 
 private import codeql.ruby.AST
@@ -13,8 +14,9 @@ import UrlRedirectCustomizations::UrlRedirect
 
 /**
  * A taint-tracking configuration for detecting "URL redirection" vulnerabilities.
+ * DEPRECATED: Use `UrlRedirectFlow`
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "UrlRedirect" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,3 +33,20 @@ class Configuration extends TaintTracking::Configuration {
     UrlRedirect::isAdditionalTaintStep(node1, node2)
   }
 }
+
+private module UrlRedirectConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    UrlRedirect::isAdditionalTaintStep(node1, node2)
+  }
+}
+
+/**
+ * Taint-tracking for detecting "URL redirection" vulnerabilities.
+ */
+module UrlRedirectFlow = TaintTracking::Global<UrlRedirectConfig>;
diff --git a/ruby/ql/src/queries/security/cwe-601/UrlRedirect.ql b/ruby/ql/src/queries/security/cwe-601/UrlRedirect.ql
@@ -12,11 +12,10 @@
  * @precision high
  */
 
-import codeql.ruby.AST
 import codeql.ruby.security.UrlRedirectQuery
-import codeql.ruby.DataFlow::DataFlow::PathGraph
+import UrlRedirectFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from UrlRedirectFlow::PathNode source, UrlRedirectFlow::PathNode sink
+where UrlRedirectFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
   "user-provided value"
diff --git a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected
@@ -10,7 +10,8 @@ edges
 | UrlRedirect.rb:63:38:63:43 | call to params | UrlRedirect.rb:63:38:63:49 | ...[...] |
 | UrlRedirect.rb:68:38:68:43 | call to params | UrlRedirect.rb:68:38:68:49 | ...[...] |
 | UrlRedirect.rb:73:25:73:30 | call to params | UrlRedirect.rb:73:25:73:36 | ...[...] |
-| UrlRedirect.rb:93:21:93:32 | input_params | UrlRedirect.rb:94:5:94:29 | call to permit |
+| UrlRedirect.rb:93:21:93:32 | input_params | UrlRedirect.rb:94:5:94:16 | input_params |
+| UrlRedirect.rb:94:5:94:16 | input_params | UrlRedirect.rb:94:5:94:29 | call to permit |
 nodes
 | UrlRedirect.rb:4:17:4:22 | call to params | semmle.label | call to params |
 | UrlRedirect.rb:9:17:9:22 | call to params | semmle.label | call to params |
@@ -33,6 +34,7 @@ nodes
 | UrlRedirect.rb:73:25:73:30 | call to params | semmle.label | call to params |
 | UrlRedirect.rb:73:25:73:36 | ...[...] | semmle.label | ...[...] |
 | UrlRedirect.rb:93:21:93:32 | input_params | semmle.label | input_params |
+| UrlRedirect.rb:94:5:94:16 | input_params | semmle.label | input_params |
 | UrlRedirect.rb:94:5:94:29 | call to permit | semmle.label | call to permit |
 subpaths
 | UrlRedirect.rb:24:31:24:36 | call to params | UrlRedirect.rb:93:21:93:32 | input_params | UrlRedirect.rb:94:5:94:29 | call to permit | UrlRedirect.rb:24:17:24:37 | call to filter_params |
