Merge pull request #9 from GitHubSecurityLab/ruby_packs

Initial Ruby QLPacks

Author: Alvaro Muñoz

.github/workflows/build.yml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'csharp', 'go', 'java', 'python' ]
+        language: [ 'csharp', 'go', 'java', 'python', 'ruby' ]
 
     steps:
       - uses: actions/checkout@v3

.github/workflows/publish.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["csharp", "go", "java", "python"] 
+        language: ["csharp", "go", "java", "python", "ruby"] 
 
     steps:
       - uses: actions/checkout@v3
@@ -54,7 +54,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["csharp", "go", "java", "python"] 
+        language: ["csharp", "go", "java", "python", "ruby"] 
 
     steps:
       - uses: actions/checkout@v3

codeql-workspace.yml

@@ -3,4 +3,5 @@ provide:
 - go/**/qlpack.yml
 - java/**/qlpack.yml
 - python/**/qlpack.yml
+- ruby/**/qlpack.yml
 

ruby/.DS_Store

@@ -0,0 +1,20 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/controlflow:
+    version: 0.0.3
+  codeql/dataflow:
+    version: 0.0.3
+  codeql/mad:
+    version: 0.1.4
+  codeql/regex:
+    version: 0.1.4
+  codeql/ruby-all:
+    version: 0.7.4
+  codeql/ssa:
+    version: 0.1.4
+  codeql/tutorial:
+    version: 0.1.4
+  codeql/util:
+    version: 0.1.4
+compiled: false

ruby/lib/applications/.gitkeep

@@ -0,0 +1,195 @@
+/**
+ * Additional sources to model the Rack request object.
+ * (Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby.)
+ * Ruby web frameworks such as Sinatra make use of the Rack interface.
+ * Please note: Ruby on Rails exposes an a similar request interface like the rack request interface via ActionDispatch.
+ * -> This means this Rack sources also expand the number of Rails sources as a by-product.
+ * (https://api.rubyonrails.org/classes/ActionDispatch/Request.html)
+ */
+
+private import codeql.ruby.AST
+private import codeql.ruby.Concepts
+
+module Rack {
+  /**
+   * A call to the `request` method to retrieve Rack request object.
+   */
+  class RequestCall extends MethodCall {
+    RequestCall() { this.getMethodName() = "request" }
+  }
+
+  /**
+   * A call to the `request.body` method to retrieve the body of the Rack request object.
+   */
+  class RequestBodyCall extends MethodCall {
+    RequestBodyCall() {
+      exists(MethodCall request |
+        request instanceof RequestCall and
+        this.(MethodCall).getReceiver() = request and
+        this.getMethodName() = "body"
+      )
+    }
+  }
+
+  /**
+   * `request.body.read` source
+   */
+  class RequestBodyReadSource extends Http::Server::RequestInputAccess::Range {
+    RequestBodyReadSource() {
+      exists(MethodCall body, MethodCall read |
+        body instanceof RequestBodyCall and
+        read.(MethodCall).getReceiver() = body and
+        read.getMethodName() = "read" and
+        this.asExpr().getExpr() = read
+      )
+    }
+
+    override string getSourceType() { result = "request.body.read" }
+
+    override Http::Server::RequestInputKind getKind() { result = "body" }
+  }
+
+  /**
+   * `request.body.string` source
+   */
+  class RequestBodyStringSource extends Http::Server::RequestInputAccess::Range {
+    RequestBodyStringSource() {
+      exists(MethodCall body, MethodCall stringcall |
+        body instanceof RequestBodyCall and
+        stringcall.(MethodCall).getReceiver() = body and
+        stringcall.getMethodName() = "string" and
+        this.asExpr().getExpr() = stringcall
+      )
+    }
+
+    override string getSourceType() { result = "request.body.string" }
+
+    override Http::Server::RequestInputKind getKind() { result = "body" }
+  }
+
+  /**
+   * `request.query_string` source
+   */
+  class RequestQueryStringSource extends Http::Server::RequestInputAccess::Range {
+    RequestQueryStringSource() {
+      exists(MethodCall request, MethodCall queryString |
+        request instanceof RequestCall and
+        queryString.(MethodCall).getReceiver() = request and
+        queryString.getMethodName() = "query_string" and
+        this.asExpr().getExpr() = queryString
+      )
+    }
+
+    override string getSourceType() { result = "request.query_string" }
+
+    override Http::Server::RequestInputKind getKind() { result = "parameter" }
+  }
+
+  /**
+   * A call to the `request.params` method to retrieve the combined GET/POST params of the Rack request object.
+   */
+  class RequestParamsCall extends MethodCall {
+    RequestParamsCall() {
+      exists(MethodCall request |
+        request instanceof RequestCall and
+        this.(MethodCall).getReceiver() = request and
+        this.getMethodName() = "params"
+      )
+    }
+  }
+
+  /**
+   * `request.params[foo]` source
+   */
+  class RequestParamsSource extends Http::Server::RequestInputAccess::Range {
+    RequestParamsSource() {
+      exists(MethodCall params, ElementReference elementRef |
+        params instanceof RequestParamsCall and
+        elementRef.(ElementReference).getReceiver() = params and
+        this.asExpr().getExpr() = elementRef
+      )
+    }
+
+    override string getSourceType() { result = "request.params[foo]" }
+
+    override Http::Server::RequestInputKind getKind() { result = "parameter" }
+  }
+
+  /**
+   * `request[foo]` source
+   */
+  class RequestParamsDirectSource extends Http::Server::RequestInputAccess::Range {
+    RequestParamsDirectSource() {
+      exists(MethodCall request, ElementReference elementRef |
+        request instanceof RequestCall and
+        elementRef.(ElementReference).getReceiver() = request and
+        this.asExpr().getExpr() = elementRef
+      )
+    }
+
+    override string getSourceType() { result = "request[foo]" }
+
+    override Http::Server::RequestInputKind getKind() { result = "parameter" }
+  }
+
+  /**
+   * A call to the `request.GET` method to retrieve the query params of the Rack request object.
+   */
+  class RequestGETCall extends MethodCall {
+    RequestGETCall() {
+      exists(MethodCall request |
+        request instanceof RequestCall and
+        this.(MethodCall).getReceiver() = request and
+        this.getMethodName() = "GET"
+      )
+    }
+  }
+
+  /**
+   * `request.GET[foo]` source
+   */
+  class RequestGETSource extends Http::Server::RequestInputAccess::Range {
+    RequestGETSource() {
+      exists(MethodCall get, ElementReference elementRef |
+        get instanceof RequestGETCall and
+        elementRef.(ElementReference).getReceiver() = get and
+        this.asExpr().getExpr() = elementRef
+      )
+    }
+
+    override string getSourceType() { result = "request.GET[foo]" }
+
+    override Http::Server::RequestInputKind getKind() { result = "parameter" }
+  }
+
+  /**
+   * A call to the `request.POST` method to retrieve the POST params of the Rack request object.
+   */
+  class RequestPOSTCall extends MethodCall {
+    RequestPOSTCall() {
+      exists(MethodCall request |
+        request instanceof RequestCall and
+        this.(MethodCall).getReceiver() = request and
+        this.getMethodName() = "POST"
+      )
+    }
+  }
+
+  /**
+   * `request.POST[foo]` source
+   */
+  class RequestPOSTSource extends Http::Server::RequestInputAccess::Range {
+    RequestPOSTSource() {
+      exists(MethodCall post, ElementReference elementRef |
+        post instanceof RequestPOSTCall and
+        elementRef.(ElementReference).getReceiver() = post and
+        this.asExpr().getExpr() = elementRef
+      )
+    }
+
+    override string getSourceType() { result = "request.POST[foo]" }
+
+    override Http::Server::RequestInputKind getKind() { result = "parameter" }
+  }
+}
+// TODO: complete sources e.g. headers (incl cookies, user-agent) (https://www.rubydoc.info/gems/rack/Rack/Request)

ruby/lib/codeql-pack.lock.yml

@@ -0,0 +1,23 @@
+/**
+ * Additional sinks that are not yet covered by CodeQL's rails sinks.
+ * Ruby on Rails adds methods to the Object class.
+ * In the case of the `try/try!` methods this looks like this (see try.rb):
+ * 
+ * class Object
+ *      include ActiveSupport::Tryable
+ * 
+ * ref: https://api.rubyonrails.org/classes/Object.html
+ */
+
+private import codeql.ruby.AST
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+
+module RailsAddonSinks {
+
+  class RailsTryCodeExecution extends CodeExecution::Range, DataFlow::CallNode {
+    RailsTryCodeExecution() { this.getMethodName() = ["try", "try!"] }
+
+    override DataFlow::Node getCode() { result = this.getArgument(0) }
+  }
+}

ruby/lib/frameworks/Rack.qll

@@ -0,0 +1,48 @@
+/**
+ * Additional sources that are not yet covered by CodeQL's rails sources (and not included by the Rack sources).
+ * https://api.rubyonrails.org/classes/ActionDispatch/Request.html
+ */
+
+private import codeql.ruby.AST
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.Concepts
+private import codeql.ruby.DataFlow
+private import codeql.ruby.frameworks.ActionController
+
+module RailsAddonSources {
+  
+  /**
+   * A call to `request` in a Rails ActionController controller class.
+   * The class ActionControllerRequest was copied from the experimental WeakParams query.
+   */
+  class ActionControllerRequest extends DataFlow::Node {
+    ActionControllerRequest() {
+      exists(DataFlow::CallNode c |
+        c.asExpr().getExpr().getEnclosingModule() instanceof ActionControllerControllerClass and
+        c.getMethodName() = "request"
+      |
+        c.flowsTo(this)
+      )
+    }
+  }
+
+  //TODO: this needs expansion (e.g., include request.body separately for Rails)
+  class RawPostMethodCall extends DataFlow::CallNode {
+    RawPostMethodCall() {
+      this.getReceiver() instanceof ActionControllerRequest and
+      this.getMethodName() = "raw_post"
+    }
+  }
+
+  class RawPostMethodCallSource extends Http::Server::RequestInputAccess::Range {
+    RawPostMethodCallSource() {
+      exists(DataFlow::CallNode rawPost |
+        rawPost instanceof RawPostMethodCall and
+        this = rawPost
+      )
+    }
+
+    override string getSourceType() { result = "request.raw_post (Rails)" }
+    override Http::Server::RequestInputKind getKind() { result = "body" }
+  }
+}

ruby/lib/frameworks/RailsAddonSinks.qll

@@ -0,0 +1,5 @@
+library: true 
+name: githubsecuritylab/codeql-ruby-libs
+version: 0.0.1
+dependencies:
+  codeql/ruby-all: '*'

ruby/lib/frameworks/RailsAddonSources.qll

@@ -0,0 +1,16 @@
+/**
+ * @name External dependencies
+ * @description Count the number of dependencies that a Java project has on external packages.
+ * @kind treemap
+ * @id githubsecuritylab/external-dependencies
+ * @metricType externalDependency
+ * @tags audit
+ */
+
+import codeql.ruby.AST
+
+from MethodCall c
+where
+  c.getLocation().getFile().getBaseName() = "Gemfile" and
+  c.getMethodName() = "gem"
+select c.getArgument(0), 1

ruby/lib/github/.gitkeep

@@ -0,0 +1,13 @@
+/**
+ * @name Files
+ * @description List of all files in the repository
+ * @kind table
+ * @id githubsecuritylab/files
+ * @tags audit
+ */
+
+import ruby
+
+from File f
+where f.getExtension() = "rb" and not f.getRelativePath().matches("%/test/%")
+select f.getRelativePath()

ruby/lib/qlpack.yml

@@ -0,0 +1,17 @@
+/**
+ * @name Attack Surface
+ * @description Application attack surface
+ * @kind table
+ * @id githubsecuritylab/attack-surface
+ * @tags audit
+ */
+
+import ruby
+import codeql.ruby.dataflow.RemoteFlowSources
+
+from RemoteFlowSource source, Location l
+where
+  not source.getLocation().getFile().getRelativePath().matches("%/test/%") and
+  l = source.getLocation()
+select source, source.getSourceType(), l.getFile().getRelativePath(), l.getStartLine(),
+  l.getEndLine(), l.getStartColumn(), l.getEndColumn()