Merge pull request github#12311 from maikypedia/maikypedia/ruby-ssti

alexrford · web-flow · commit be163cfc380a · 2023-03-20T15:26:27.000Z
Ruby: Add Server Side Template Injection query
diff --git a/ruby/ql/lib/codeql/ruby/Concepts.qll b/ruby/ql/lib/codeql/ruby/Concepts.qll
@@ -1063,3 +1063,69 @@ module Cryptography {
 
   class BlockMode = SC::BlockMode;
 }
+
+/**
+ * A data-flow node that constructs a template.
+ *
+ * Often, it is worthy of an alert if a template is constructed such that
+ * executing it would be a security risk.
+ *
+ * If it is important that the template is rendered, use `TemplateRendering`.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `TemplateConstruction::Range` instead.
+ */
+class TemplateConstruction extends DataFlow::Node instanceof TemplateConstruction::Range {
+  /** Gets the argument that specifies the template to be constructed. */
+  DataFlow::Node getTemplate() { result = super.getTemplate() }
+}
+
+/** Provides a class for modeling new template rendering APIs. */
+module TemplateConstruction {
+  /**
+   * A data-flow node that constructs a template.
+   *
+   * Often, it is worthy of an alert if a template is constructed such that
+   * executing it would be a security risk.
+   *
+   * If it is important that the template is rendered, use `TemplateRendering`.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `TemplateConstruction` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the template to be constructed. */
+    abstract DataFlow::Node getTemplate();
+  }
+}
+
+/**
+ * A data-flow node that renders templates.
+ *
+ * If the context of interest is such that merely constructing a template
+ * would be valuable to report, consider using `TemplateConstruction`.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `TemplateRendering::Range` instead.
+ */
+class TemplateRendering extends DataFlow::Node instanceof TemplateRendering::Range {
+  /** Gets the argument that specifies the template to be rendered. */
+  DataFlow::Node getTemplate() { result = super.getTemplate() }
+}
+
+/** Provides a class for modeling new template rendering APIs. */
+module TemplateRendering {
+  /**
+   * A data-flow node that renders templates.
+   *
+   * If the context of interest is such that merely constructing a template
+   * would be valuable to report, consider using `TemplateConstruction`.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `TemplateRendering` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the template to be rendered. */
+    abstract DataFlow::Node getTemplate();
+  }
+}
diff --git a/ruby/ql/lib/codeql/ruby/Frameworks.qll b/ruby/ql/lib/codeql/ruby/Frameworks.qll
@@ -27,5 +27,7 @@ private import codeql.ruby.frameworks.ActionDispatch
 private import codeql.ruby.frameworks.PosixSpawn
 private import codeql.ruby.frameworks.StringFormatters
 private import codeql.ruby.frameworks.Json
+private import codeql.ruby.frameworks.Erb
+private import codeql.ruby.frameworks.Slim
 private import codeql.ruby.frameworks.Sinatra
 private import codeql.ruby.frameworks.Twirp
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Erb.qll b/ruby/ql/lib/codeql/ruby/frameworks/Erb.qll
@@ -0,0 +1,46 @@
+/**
+ * Provides templating for embedding Ruby code into text files, allowing dynamic content generation in web applications.
+ */
+
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+
+/**
+ * Provides templating for embedding Ruby code into text files, allowing dynamic content generation in web applications.
+ */
+module Erb {
+  /**
+   * Flow summary for `ERB.new`. This method wraps a template string, compiling it.
+   */
+  private class TemplateSummary extends SummarizedCallable {
+    TemplateSummary() { this = "ERB.new" }
+
+    override MethodCall getACall() { result = any(ErbTemplateNewCall c).asExpr().getExpr() }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
+    }
+  }
+
+  /** A call to `ERB.new`, considered as a template construction. */
+  private class ErbTemplateNewCall extends TemplateConstruction::Range, DataFlow::CallNode {
+    ErbTemplateNewCall() { this = API::getTopLevelMember("ERB").getAnInstantiation() }
+
+    override DataFlow::Node getTemplate() { result = this.getArgument(0) }
+  }
+
+  /** A call to `ERB.new(foo).result(binding)`, considered as a template rendering. */
+  private class ErbTemplateRendering extends TemplateRendering::Range, DataFlow::CallNode {
+    private DataFlow::Node template;
+
+    ErbTemplateRendering() {
+      exists(ErbTemplateNewCall templateConstruction |
+        this = templateConstruction.getAMethodCall("result") and
+        template = templateConstruction.getTemplate()
+      )
+    }
+
+    override DataFlow::Node getTemplate() { result = template }
+  }
+}
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Slim.qll b/ruby/ql/lib/codeql/ruby/frameworks/Slim.qll
@@ -0,0 +1,38 @@
+/**
+ * Provides templating for embedding Ruby code into text files, allowing dynamic content generation in web applications.
+ */
+
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+
+/**
+ * Provides templating for embedding Ruby code into text files, allowing dynamic content generation in web applications.
+ */
+module Slim {
+  /** A call to `Slim::Template.new`, considered as a template construction. */
+  private class SlimTemplateNewCall extends TemplateConstruction::Range, DataFlow::CallNode {
+    SlimTemplateNewCall() {
+      this = API::getTopLevelMember("Slim").getMember("Template").getAnInstantiation()
+    }
+
+    override DataFlow::Node getTemplate() {
+      result.asExpr().getExpr() =
+        this.getBlock().(DataFlow::BlockNode).asCallableAstNode().getAStmt()
+    }
+  }
+
+  /** A call to `Slim::Template.new{ foo }.render`, considered as a template rendering */
+  private class SlimTemplateRendering extends TemplateRendering::Range, DataFlow::CallNode {
+    private DataFlow::Node template;
+
+    SlimTemplateRendering() {
+      exists(SlimTemplateNewCall templateConstruction |
+        this = templateConstruction.getAMethodCall("render") and
+        template = templateConstruction.getTemplate()
+      )
+    }
+
+    override DataFlow::Node getTemplate() { result = template }
+  }
+}
diff --git a/ruby/ql/lib/codeql/ruby/security/TemplateInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/TemplateInjectionCustomizations.qll
@@ -0,0 +1,49 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * ERB Server Side Template Injections, as well as extension points for adding your own
+ */
+
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.BarrierGuards
+private import codeql.ruby.dataflow.RemoteFlowSources
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * Server Side Template Injections, as well as extension points for adding your own
+ */
+module TemplateInjection {
+  /** A data flow source for SSTI vulnerabilities */
+  abstract class Source extends DataFlow::Node { }
+
+  /** A data flow sink for SSTI vulnerabilities */
+  abstract class Sink extends DataFlow::Node { }
+
+  /** A sanitizer for SSTI vulnerabilities. */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  private class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * An Server Side Template Injection rendering, considered as a flow sink.
+   */
+  private class TemplateRenderingAsSink extends Sink {
+    TemplateRenderingAsSink() { this = any(TemplateRendering e).getTemplate() }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  private class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
+
+  /**
+   * An inclusion check against an array of constant strings, considered as a
+   * sanitizer-guard.
+   */
+  private class StringConstArrayInclusionCallAsSanitizer extends Sanitizer,
+    StringConstArrayInclusionCallBarrier
+  { }
+}
diff --git a/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll
@@ -0,0 +1,21 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * Server Side Template Injections, as well as extension points for adding your own
+ */
+
+private import codeql.ruby.DataFlow
+private import codeql.ruby.TaintTracking
+import TemplateInjectionCustomizations::TemplateInjection
+
+/**
+ * A taint-tracking configuration for detecting Server Side Template Injections vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "TemplateInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node source) { source instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+}
diff --git a/ruby/ql/src/change-notes/2023-03-15-ssti-query.md b/ruby/ql/src/change-notes/2023-03-15-ssti-query.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new experimental query, `rb/server-side-template-injection`, to detect cases where user input may be embedded into a template's code in an unsafe manner.
diff --git a/ruby/ql/src/experimental/template-injection/TemplateInjection.qhelp b/ruby/ql/src/experimental/template-injection/TemplateInjection.qhelp
@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Template Injection occurs when user input is embedded in a template's code in an unsafe manner.
+An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side.
+This permits the attacker to run arbitrary code in the server's context.
+</p>
+</overview>
+
+<recommendation>
+<p>
+To fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this,
+use a sandboxed environment where access to unsafe attributes and methods is prohibited.
+</p>
+</recommendation>
+
+<example>
+<p>
+Consider the example given below, an untrusted HTTP parameter <code>name</code> is used to generate a template string. This can lead to remote code execution.
+</p>
+<sample src="examples/SSTIBad.rb" />
+
+<p>
+Here we have fixed the problem by including ERB/Slim syntax in the string, then the user input will be rendered but not evaluated.
+</p>
+<sample src="examples/SSTIGood.rb" />
+</example>
+
+<references>
+<li>
+Wikipedia: <a href="https://en.wikipedia.org/wiki/Code_injection#Server_Side_Template_Injection">Server Side Template Injection</a>.
+</li>
+<li>
+Portswigger : <a href="https://portswigger.net/web-security/server-side-template-injection">Server Side Template Injection</a>.
+</li>
+</references>
+</qhelp>
diff --git a/ruby/ql/src/experimental/template-injection/TemplateInjection.ql b/ruby/ql/src/experimental/template-injection/TemplateInjection.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Server-side template injection
+ * @description Building a server-side template from user-controlled sources is vulnerable to
+ *              insertion of malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id rb/server-side-template-injection
+ * @tags security
+ *       external/cwe/cwe-94
+ */
+
+import codeql.ruby.DataFlow
+import codeql.ruby.security.TemplateInjectionQuery
+import DataFlow::PathGraph
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This template depends on a $@.", source.getNode(),
+  "user-provided value"
diff --git a/ruby/ql/src/experimental/template-injection/examples/SSTIBad.rb b/ruby/ql/src/experimental/template-injection/examples/SSTIBad.rb
@@ -0,0 +1,24 @@
+require 'erb'
+require 'slim'
+
+class BadERBController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+      <!DOCTYPE html><html><body>
+      <h2>Hello %s </h2></body></html>
+      " % name
+    template = ERB.new(html_text).result(binding) 
+  end
+end
+
+class BadSlimController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+      <!DOCTYPE html><html><body>
+      <h2>Hello %s </h2></body></html>
+      " % name
+    Slim::Template.new{ html_text }.render 
+  end
+end
diff --git a/ruby/ql/src/experimental/template-injection/examples/SSTIGood.rb b/ruby/ql/src/experimental/template-injection/examples/SSTIGood.rb
@@ -0,0 +1,26 @@
+require 'erb'
+require 'slim'
+
+class GoodController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+      <!DOCTYPE html><html><body>
+      <h2>Hello <%= name %> </h2></body></html>
+      "
+    template = ERB.new(html_text).result(binding) 
+  end
+end
+
+class GoodController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+    <!DOCTYPE html>
+      html
+        body
+          h2  == name;
+    "
+    Slim::Template.new{ html_text }.render(Object.new, name: name)
+  end
+end
diff --git a/ruby/ql/test/library-tests/dataflow/local/TaintStep.expected b/ruby/ql/test/library-tests/dataflow/local/TaintStep.expected
@@ -2805,6 +2805,7 @@
 | file://:0:0:0:0 | parameter position 0 of ActionController::Parameters#merge! | file://:0:0:0:0 | [summary] to write: return (return) in ActionController::Parameters#merge! |
 | file://:0:0:0:0 | parameter position 0 of Arel.sql | file://:0:0:0:0 | [summary] to write: return (return) in Arel.sql |
 | file://:0:0:0:0 | parameter position 0 of Base64.decode64() | file://:0:0:0:0 | [summary] to write: return (return) in Base64.decode64() |
+| file://:0:0:0:0 | parameter position 0 of ERB.new | file://:0:0:0:0 | [summary] to write: return (return) in ERB.new |
 | file://:0:0:0:0 | parameter position 0 of File.absolute_path | file://:0:0:0:0 | [summary] to write: return (return) in File.absolute_path |
 | file://:0:0:0:0 | parameter position 0 of File.dirname | file://:0:0:0:0 | [summary] to write: return (return) in File.dirname |
 | file://:0:0:0:0 | parameter position 0 of File.expand_path | file://:0:0:0:0 | [summary] to write: return (return) in File.expand_path |
diff --git a/ruby/ql/test/query-tests/experimental/TemplateInjection/ErbInjection.rb b/ruby/ql/test/query-tests/experimental/TemplateInjection/ErbInjection.rb
diff --git a/ruby/ql/test/query-tests/experimental/TemplateInjection/SlimInjection.rb b/ruby/ql/test/query-tests/experimental/TemplateInjection/SlimInjection.rb
diff --git a/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.expected b/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.expected
diff --git a/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.qlref b/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.qlref

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: newQuery
 +---
 +* Added a new experimental query, `rb/server-side-template-injection`, to detect cases where user input may be embedded into a template's code in an unsafe manner.