Merge pull request github#13130 from maikypedia/maikypedia/xpath-injection

Ruby :  XPath Injection Query (CWE-643)

Author: alexrford

ruby/ql/lib/codeql/ruby/Concepts.qll

@@ -843,6 +843,58 @@ module XmlParserCall {
   }
 }
 
+/**
+ * A data-flow node that constructs an XPath expression.
+ *
+ * If it is important that the XPath expression is indeed executed, then use `XPathExecution`.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `XPathConstruction::Range` instead.
+ */
+class XPathConstruction extends DataFlow::Node instanceof XPathConstruction::Range {
+  /** Gets the argument that specifies the XPath expressions to be constructed. */
+  DataFlow::Node getXPath() { result = super.getXPath() }
+}
+
+/** Provides a class for modeling new XPath construction APIs. */
+module XPathConstruction {
+  /**
+   * A data-flow node that constructs an XPath expression.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `XPathConstruction` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the XPath expressions to be constructed. */
+    abstract DataFlow::Node getXPath();
+  }
+}
+
+/**
+ * A data-flow node that executes an XPath expression.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `XPathExecution::Range` instead.
+ */
+class XPathExecution extends DataFlow::Node instanceof XPathExecution::Range {
+  /** Gets the argument that specifies the XPath expressions to be executed. */
+  DataFlow::Node getXPath() { result = super.getXPath() }
+}
+
+/** Provides a class for modeling new XPath execution APIs. */
+module XPathExecution {
+  /**
+   * A data-flow node that executes an XPath expression.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `XPathExecution` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the XPath expressions to be executed. */
+    abstract DataFlow::Node getXPath();
+  }
+}
+
 /**
  * A data-flow node that may represent a database object in an ORM system.
  *

ruby/ql/lib/codeql/ruby/frameworks/XmlParsing.qll

@@ -45,6 +45,17 @@ private class NokogiriXmlParserCall extends XmlParserCall::Range, DataFlow::Call
   }
 }
 
+/** Execution of a XPath statement. */
+private class NokogiriXPathExecution extends XPathExecution::Range, DataFlow::CallNode {
+  NokogiriXPathExecution() {
+    exists(NokogiriXmlParserCall parserCall |
+      this = parserCall.getAMethodCall(["xpath", "at_xpath", "search", "at"])
+    )
+  }
+
+  override DataFlow::Node getXPath() { result = this.getArgument(0) }
+}
+
 /**
  * Holds if `assign` enables the `default_substitute_entities` option in
  * libxml-ruby.
@@ -123,6 +134,40 @@ private predicate xmlMiniEntitySubstitutionEnabled() {
   enablesLibXmlDefaultEntitySubstitution(_)
 }
 
+/** Execution of a XPath statement. */
+private class LibXmlXPathExecution extends XPathExecution::Range, DataFlow::CallNode {
+  LibXmlXPathExecution() {
+    exists(LibXmlRubyXmlParserCall parserCall |
+      this = parserCall.getAMethodCall(["find", "find_first"])
+    )
+  }
+
+  override DataFlow::Node getXPath() { result = this.getArgument(0) }
+}
+
+/** A call to `REXML::Document.new`, considered as a XML parsing. */
+private class RexmlParserCall extends XmlParserCall::Range, DataFlow::CallNode {
+  RexmlParserCall() {
+    this = API::getTopLevelMember("REXML").getMember("Document").getAnInstantiation()
+  }
+
+  override DataFlow::Node getInput() { result = this.getArgument(0) }
+
+  /** No option for parsing */
+  override predicate externalEntitiesEnabled() { none() }
+}
+
+/** Execution of a XPath statement. */
+private class RexmlXPathExecution extends XPathExecution::Range, DataFlow::CallNode {
+  RexmlXPathExecution() {
+    this =
+      [API::getTopLevelMember("REXML").getMember("XPath"), API::getTopLevelMember("XPath")]
+          .getAMethodCall(["each", "first", "match"])
+  }
+
+  override DataFlow::Node getXPath() { result = this.getArgument(1) }
+}
+
 /**
  * A call to `ActiveSupport::XmlMini.parse` considered as an `XmlParserCall`.
  */

ruby/ql/lib/codeql/ruby/security/XpathInjectionCustomizations.qll

@@ -0,0 +1,55 @@
+/**
+ * Provides class and predicates to track external data that
+ * may represent malicious xpath query objects.
+ *
+ * This module is intended to be imported into a taint-tracking query.
+ */
+
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.BarrierGuards
+private import codeql.ruby.dataflow.RemoteFlowSources
+
+/** Models Xpath Injection related classes and functions */
+module XpathInjection {
+  /** A data flow source for "XPath injection" vulnerabilities. */
+  abstract class Source extends DataFlow::Node { }
+
+  /** A data flow sink for "XPath injection" vulnerabilities */
+  abstract class Sink extends DataFlow::Node { }
+
+  /** A sanitizer for "XPath injection" vulnerabilities. */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  private class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * An execution of an XPath expression, considered as a sink.
+   */
+  private class XPathExecutionAsSink extends Sink {
+    XPathExecutionAsSink() { this = any(XPathExecution e).getXPath() }
+  }
+
+  /**
+   * A construction of an XPath expression, considered as a sink.
+   */
+  private class XPathConstructionAsSink extends Sink {
+    XPathConstructionAsSink() { this = any(XPathConstruction c).getXPath() }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  private class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
+
+  /**
+   * An inclusion check against an array of constant strings, considered as a
+   * sanitizer-guard.
+   */
+  private class StringConstArrayInclusionCallAsSanitizer extends Sanitizer,
+    StringConstArrayInclusionCallBarrier
+  { }
+}

ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll

@@ -0,0 +1,27 @@
+/**
+ * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `XpathInjection::Configuration` is needed, otherwise
+ * `XpathInjectionCustomizations` should be imported instead.
+ */
+
+private import codeql.ruby.DataFlow
+private import codeql.ruby.TaintTracking
+import XpathInjectionCustomizations::XpathInjection
+
+/** Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities. */
+module XpathInjection {
+  /**
+   * A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
+   */
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+  }
+
+  import TaintTracking::Global<Config>
+}

ruby/ql/src/change-notes/2023-05-11-xpath-injection-query.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new experimental query, `rb/xpath-injection`, to detect cases where XPath statements are constructed from user input in an unsafe manner.

ruby/ql/src/experimental/xpath-injection/XpathInjection.qhelp

@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+If an XPath expression is built using string concatenation, and the components of the concatenation
+include user input, it makes it very easy for a user to create a malicious XPath expression.
+</p>
+</overview>
+
+<recommendation>
+<p>
+If user input must be included in an XPath expression, either sanitize the data or use variable
+references to safely embed it without altering the structure of the expression.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example uses the <code>nokogiri</code>, <code>rexml</code> and <code>libxml</code> XML parsers to parse a string <code>xml</code>.
+Then the xpath query is controlled by the user and hence leads to a vulnerability.
+</p>
+<sample src="examples/XPathBad.rb"/>
+
+<p>
+To guard against XPath Injection attacks, the user input should be sanitized.
+</p>
+<sample src="examples/XPathGood.rb"/>
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://owasp.org/www-community/attacks/XPATH_Injection">XPath injection</a>.
+</li>
+</references>
+</qhelp>

ruby/ql/src/experimental/xpath-injection/XpathInjection.ql

@@ -0,0 +1,21 @@
+/**
+ * @name XPath query built from user-controlled sources
+ * @description Building a XPath query from user-controlled sources is vulnerable to insertion of
+ *              malicious XPath code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id rb/xpath-injection
+ * @tags security
+ *       external/cwe/cwe-643
+ */
+
+import codeql.ruby.DataFlow
+import codeql.ruby.security.XpathInjectionQuery
+import XpathInjection::PathGraph
+
+from XpathInjection::PathNode source, XpathInjection::PathNode sink
+where XpathInjection::flowPath(source, sink)
+select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(),
+  "user-provided value"

ruby/ql/src/experimental/xpath-injection/examples/XPathBad.rb

@@ -0,0 +1,45 @@
+require 'nokogiri'
+require 'rexml'
+require 'libxml'
+
+class BadNokogiriController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    xml = <<-XML
+      <root>
+        <foo>bar</foo>
+        <password>THIS IS SECRET</password>
+      </root>
+    XML
+    doc = Nokogiri::XML.parse(xml)
+    results = doc.xpath("//#{name}")
+  end
+end
+
+class BadRexmlController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    xml = <<-XML
+      <root>
+        <foo>bar</foo>
+        <password>THIS IS SECRET</password>
+      </root>
+    XML
+    doc = REXML::Document.new(xml)
+    results = REXML::XPath.first(doc, "//#{name}")
+  end
+end
+
+class BadLibxmlController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    xml = <<-XML
+      <root>
+        <foo>bar</foo>
+        <password>THIS IS SECRET</password>
+      </root>
+    XML
+    doc = LibXML::XML::Document.string(xml)
+    results = doc.find_first("//#{name}")
+  end
+end

ruby/ql/src/experimental/xpath-injection/examples/XPathGood.rb

@@ -0,0 +1,60 @@
+require 'nokogiri'
+require 'rexml'
+require 'libxml'
+
+class BadNokogiriController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    xml = <<-XML
+      <root>
+        <foo>bar</foo>
+        <password>THIS IS SECRET</password>
+      </root>
+    XML
+    doc = Nokogiri::XML.parse(xml)
+    name = if ["foo", "foo2"].include? name
+      name
+    else 
+      name = "foo"
+    end
+    results = doc.xpath("//#{name}")
+  end
+end
+
+class BadRexmlController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    xml = <<-XML
+      <root>
+        <foo>bar</foo>
+        <password>THIS IS SECRET</password>
+      </root>
+    XML
+    doc = REXML::Document.new(xml)
+    name = if ["foo", "foo2"].include? name
+      name
+    else 
+      name = "foo"
+    end
+    results = REXML::XPath.first(doc, "//#{name}")
+  end
+end
+
+class BadLibxmlController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    xml = <<-XML
+      <root>
+        <foo>bar</foo>
+        <password>THIS IS SECRET</password>
+      </root>
+    XML
+    doc = LibXML::XML::Document.string(xml)
+    name = if ["foo", "foo2"].include? name
+      name
+    else 
+      name = "foo"
+    end
+    results = doc.find_first("//#{name}")
+  end
+end