v3 add global taint steps for to_ruby of YAML/Psych

am0o0 · hmac · commit e76ed9454ab9 · 2023-05-27T01:15:24.000Z
diff --git a/ruby/ql/lib/codeql/ruby/Frameworks.qll b/ruby/ql/lib/codeql/ruby/Frameworks.qll
@@ -33,3 +33,4 @@ private import codeql.ruby.frameworks.Sinatra
 private import codeql.ruby.frameworks.Twirp
 private import codeql.ruby.frameworks.Sqlite3
 private import codeql.ruby.frameworks.Pg
+private import codeql.ruby.frameworks.Yaml
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll b/ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll
@@ -0,0 +1,30 @@
+/**
+ * add additional steps for to_ruby method of YAML/Psych library
+ */
+
+private import codeql.ruby.dataflow.FlowSteps
+private import codeql.ruby.DataFlow
+private import codeql.ruby.ApiGraphs
+
+private class YamlParseStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode yaml_parser_methods |
+      yaml_parser_methods =
+        API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall(["parse", "parse_stream"]) and
+      (
+        pred = yaml_parser_methods.getArgument(0) or
+        pred = yaml_parser_methods.getKeywordArgument("yaml")
+      ) and
+      succ = yaml_parser_methods.getAMethodCall("to_ruby")
+    )
+    or
+    exists(DataFlow::CallNode yaml_parser_methods |
+      yaml_parser_methods = API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall("parse_file") and
+      (
+        pred = yaml_parser_methods.getArgument(0) or
+        pred = yaml_parser_methods.getKeywordArgument("filename")
+      ) and
+      succ = yaml_parser_methods.getAMethodCall("to_ruby")
+    )
+  }
+}
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
@@ -24,27 +24,6 @@ class Configuration extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserialization::Sink }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    exists(DataFlow::CallNode yaml_parser_methods |
-      yaml_parser_methods =
-        API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall(["parse", "parse_stream"]) and
-      (
-        nodeFrom = yaml_parser_methods.getArgument(0) or
-        nodeFrom = yaml_parser_methods.getKeywordArgument("yaml")
-      ) and
-      nodeTo = yaml_parser_methods.getAMethodCall("to_ruby")
-    )
-    or
-    exists(DataFlow::CallNode yaml_parser_methods |
-      yaml_parser_methods = API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall("parse_file") and
-      (
-        nodeFrom = yaml_parser_methods.getArgument(0) or
-        nodeFrom = yaml_parser_methods.getKeywordArgument("filename")
-      ) and
-      nodeTo = yaml_parser_methods.getAMethodCall("to_ruby")
-    )
-  }
-
   override predicate isSanitizer(DataFlow::Node node) {
     super.isSanitizer(node) or
     node instanceof UnsafeDeserialization::Sanitizer
