Add initial query for Ruby SSTI

Author: maikypedia

ruby/ql/lib/codeql/ruby/Concepts.qll

@@ -1059,3 +1059,69 @@ module Cryptography {
 
   class BlockMode = SC::BlockMode;
 }
+
+/**
+ * A data-flow node that constructs a template.
+ *
+ * Often, it is worthy of an alert if a template is constructed such that
+ * executing it would be a security risk.
+ *
+ * If it is important that the template is rendered, use `TemplateRendering`.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `TemplateConstruction::Range` instead.
+ */
+class TemplateConstruction extends DataFlow::Node instanceof TemplateConstruction::Range {
+  /** Gets the argument that specifies the template to be constructed. */
+  DataFlow::Node getTemplate() { result = super.getTemplate() }
+}
+
+/** Provides a class for modeling new template rendering APIs. */
+module TemplateConstruction {
+  /**
+   * A data-flow node that constructs a template.
+   *
+   * Often, it is worthy of an alert if a template is constructed such that
+   * executing it would be a security risk.
+   *
+   * If it is important that the template is rendered, use `TemplateRendering`.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `TemplateConstruction` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the template to be constructed. */
+    abstract DataFlow::Node getTemplate();
+  }
+}
+
+/**
+ * A data-flow node that renders templates.
+ *
+ * If the context of interest is such that merely constructing a template
+ * would be valuable to report, consider using `TemplateConstruction`.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `TemplateRendering::Range` instead.
+ */
+class TemplateRendering extends DataFlow::Node instanceof TemplateRendering::Range {
+  /** Gets the argument that specifies the template to be rendered. */
+  DataFlow::Node getTemplate() { result = super.getTemplate() }
+}
+
+/** Provides a class for modeling new template rendering APIs. */
+module TemplateRendering {
+  /**
+   * A data-flow node that renders templates.
+   *
+   * If the context of interest is such that merely constructing a template
+   * would be valuable to report, consider using `TemplateConstruction`.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `TemplateRendering` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the template to be rendered. */
+    abstract DataFlow::Node getTemplate();
+  }
+}

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -27,3 +27,5 @@ private import codeql.ruby.frameworks.ActionDispatch
 private import codeql.ruby.frameworks.PosixSpawn
 private import codeql.ruby.frameworks.StringFormatters
 private import codeql.ruby.frameworks.Json
+private import codeql.ruby.frameworks.Erb
+private import codeql.ruby.frameworks.Slim

ruby/ql/lib/codeql/ruby/frameworks/Erb.qll

@@ -0,0 +1,48 @@
+/**
+ * Provides templating for embedding Ruby code into text files, allowing dynamic content generation in web applications.
+ */
+
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+
+/**
+ * Provides templating for embedding Ruby code into text files, allowing dynamic content generation in web applications.
+ */
+module ERB {
+  /**
+   * Flow summary for `ERB.new`. This method wraps a template string, compiling it.
+   */
+  private class TemplateSummary extends SummarizedCallable {
+    TemplateSummary() { this = "ERB.new" }
+
+    override MethodCall getACall() {
+      result = API::getTopLevelMember("ERB").getAMethodCall("new").asExpr().getExpr()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
+    }
+  }
+
+  /** A call to `ERB.new`, considered as a template construction. */
+  private class ERBTemplateNewCall extends TemplateConstruction::Range, DataFlow::CallNode {
+    ERBTemplateNewCall() { this = API::getTopLevelMember("ERB").getAMethodCall("new") }
+
+    override DataFlow::Node getTemplate() { result = this.getArgument(0) }
+  }
+
+  /** A call to `ERB.new(foo).result(binding)`, considered as a template rendering. */
+  private class ERBTemplateRendering extends TemplateRendering::Range, DataFlow::CallNode {
+    DataFlow::Node template;
+
+    ERBTemplateRendering() {
+      exists(ERBTemplateNewCall templateConstruction |
+        this = templateConstruction.getAMethodCall("result") and
+        template = templateConstruction.getTemplate()
+      )
+    }
+
+    override DataFlow::Node getTemplate() { result = template }
+  }
+}

ruby/ql/lib/codeql/ruby/frameworks/Slim.qll

@@ -0,0 +1,38 @@
+/**
+ * Provides templating for embedding Ruby code into text files, allowing dynamic content generation in web applications.
+ */
+
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+
+/**
+ * Provides templating for embedding Ruby code into text files, allowing dynamic content generation in web applications.
+ */
+module Slim {
+  /** A call to `Slim::Template.new`, considered as a template construction. */
+  private class SlimTemplateNewCall extends TemplateConstruction::Range, DataFlow::CallNode {
+    SlimTemplateNewCall() {
+      this = API::getTopLevelMember("Slim").getMember("Template").getAMethodCall("new")
+    }
+
+    override DataFlow::Node getTemplate() {
+      result.asExpr().getExpr() =
+        this.getBlock().(DataFlow::BlockNode).asCallableAstNode().getAStmt()
+    }
+  }
+
+  /** A call to `Slim::Template.new{ foo }.render`, considered as a template rendering */
+  private class SlimTemplateRendering extends TemplateRendering::Range, DataFlow::CallNode {
+    DataFlow::Node template;
+
+    SlimTemplateRendering() {
+      exists(SlimTemplateNewCall templateConstruction |
+        this = templateConstruction.getAMethodCall("render") and
+        template = templateConstruction.getTemplate()
+      )
+    }
+
+    override DataFlow::Node getTemplate() { result = template }
+  }
+}

ruby/ql/lib/codeql/ruby/security/TemplateInjectionCustomizations.qll

@@ -0,0 +1,50 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * ERB Server Side Template Injections, as well as extension points for adding your own
+ */
+
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.BarrierGuards
+private import codeql.ruby.dataflow.RemoteFlowSources
+import codeql.ruby.ApiGraphs
+import codeql.ruby.AST
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * Server Side Template Injections, as well as extension points for adding your own
+ */
+module TemplateInjection {
+  /** A data flow source for SSTI vulnerabilities */
+  abstract class Source extends DataFlow::Node { }
+
+  /** A data flow sink for SSTI vulnerabilities */
+  abstract class Sink extends DataFlow::Node { }
+
+  /** A sanitizer for SSTI vulnerabilities. */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  private class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * An Server Side Template Injection rendering, considered as a flow sink.
+   */
+  private class TemplateRenderingAsSink extends Sink {
+    TemplateRenderingAsSink() { this = any(TemplateRendering e).getTemplate() }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  private class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
+
+  /**
+   * An inclusion check against an array of constant strings, considered as a
+   * sanitizer-guard.
+   */
+  class StringConstArrayInclusionCallAsSanitizer extends Sanitizer,
+    StringConstArrayInclusionCallBarrier { }
+}

ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll

@@ -0,0 +1,21 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * Server Side Template Injections, as well as extension points for adding your own
+ */
+
+private import codeql.ruby.DataFlow
+private import codeql.ruby.TaintTracking
+import TemplateInjectionCustomizations::TemplateInjection
+
+/**
+ * A taint-tracking configuration for detecting Server Side Template Injections vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "TemplateInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node source) { source instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+}

ruby/ql/src/queries/security/cwe-094/TemplateInjection.qhelp

@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Template Injection occurs when user input is embedded in a template's code in an unsafe manner.
+An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side.
+This permits the attacker to run arbitrary code in the server's context.
+</p>
+</overview>
+
+<recommendation>
+<p>
+To fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this,
+use a sandboxed environment where access to unsafe attributes and methods is prohibited.
+</p>
+</recommendation>
+
+<example>
+<p>
+        <p>Consider the example given below, an untrusted HTTP parameter `name` is used to generate a template string. This can lead to remote code execution. </p>
+        <sample src="examples/SSTIBad.rb" />
+        
+        <p>Here we have fixed the problem by including ERB/Slim syntax in the string, then the user input will be rendered but no evaluated.</p>
+        <sample src="examples/SSTIGood.rb" />
+</example>
+
+<references>
+<li>
+Wikipedia: <a href="https://en.wikipedia.org/wiki/Code_injection#Server_Side_Template_Injection">Server Side Template Injection</a>.
+</li>
+<li>
+Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)
+</li>
+</references>
+</qhelp>

ruby/ql/src/queries/security/cwe-094/TemplateInjection.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Server-side template injection
+ * @description Building a server-side template from user-controlled sources is vulnerable to
+ *              insertion of malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id rb/ssti
+ * @tags security
+ *       external/cwe/cwe-94
+ */
+
+import codeql.ruby.DataFlow
+import codeql.ruby.security.TemplateInjectionQuery
+import DataFlow::PathGraph
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This template depends on a $@.", source.getNode(),
+  "user-provided value"

ruby/ql/src/queries/security/cwe-094/examples/SSTIBad.rb

@@ -0,0 +1,24 @@
+require 'erb'
+require 'slim'
+
+class BadERBController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+      <!DOCTYPE html><html><body>
+      <h2>Hello %s </h2></body></html>
+      " % name
+    template = ERB.new(html_text).result(binding) 
+  end
+end
+
+class BadSlimController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+      <!DOCTYPE html><html><body>
+      <h2>Hello %s </h2></body></html>
+      " % name
+    Slim::Template.new{ html_text }.render 
+  end
+end

ruby/ql/src/queries/security/cwe-094/examples/SSTIGood.rb

@@ -0,0 +1,26 @@
+require 'erb'
+require 'slim'
+
+class GoodController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+      <!DOCTYPE html><html><body>
+      <h2>Hello <%= name %> </h2></body></html>
+      "
+    template = ERB.new(html_text).result(binding) 
+  end
+end
+
+class GoodController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+    <!DOCTYPE html>
+      html
+        body
+          h2  == name;
+    "
+    Slim::Template.new{ html_text }.render(Object.new, name: name)
+  end
+end