From 6df919a9172be377a38b247f89da69a8a64d19b2 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Wed, 11 Oct 2023 10:06:11 +0200
Subject: [PATCH 1/2] JS/Ruby: remove sync between two queries
---
 config/identical-files.json | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/config/identical-files.json b/config/identical-files.json
index 5c801c387a1d..144031d5a686 100644
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -498,22 +498,6 @@
 "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll",
 "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll"
 ],
- "TaintedFormatStringQuery Ruby/JS": [
- "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
- "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll"
- ],
- "TaintedFormatStringCustomizations Ruby/JS": [
- "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll",
- "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll"
- ],
- "HttpToFileAccessQuery JS/Ruby": [
- "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll",
- "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll"
- ],
- "HttpToFileAccessCustomizations JS/Ruby": [
- "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
- "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
- ],
 "Typo database": [
 "javascript/ql/src/Expressions/TypoDatabase.qll",
 "ql/ql/src/codeql_ql/style/TypoDatabase.qll"
From 89bd00a4ecbca6aa74852418f16852e6fc6e51cf Mon Sep 17 00:00:00 2001
From: Asger F
Date: Wed, 11 Oct 2023 10:06:19 +0200
Subject: [PATCH 2/2] Ruby: port queries to ConfigSig-style
---
 .../ruby/security/HttpToFileAccessQuery.qll | 18 +++++++++++++++++-
 .../ruby/security/TaintedFormatStringQuery.qll | 18 +++++++++++++++++-
 .../security/cwe-134/TaintedFormatString.ql | 6 +++---
 .../security/cwe-912/HttpToFileAccess.ql | 6 +++---
 4 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll
index 992b0cd1e8dd..9b3d7635c870 100644
--- a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll
@@ -11,7 +11,23 @@ private import HttpToFileAccessCustomizations::HttpToFileAccess
 /**
 * A taint tracking configuration for writing user-controlled data to files.
 */
-class Configuration extends TaintTracking::Configuration {
+module HttpToFileAccessConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint tracking for writing user-controlled data to files.
+ */
+module HttpToFileAccessFlow = TaintTracking::Global;
+
+/**
+ * DEPRECATED. Use the `HttpToFileAccessFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "HttpToFileAccess" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof Source }
diff --git a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll
index 0475999ed3c9..b10088af82ee 100644
--- a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll
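Review bot: The new `HttpToFileAccessConfig` module ports only `isSource`, `isSink` and `isBarrier`, so any further member the deprecated `Configuration` class still carries below the hunk — an `isAdditionalTaintStep` or `isSanitizerGuard` override, for instance — would be silently absent from `HttpToFileAccessFlow`, and the cwe-912 query would lose those flows without any compile error. The deprecated class body continues past the end of the hunk, so this cannot be confirmed here; please check the remaining overrides and, if any exist, add the matching `isAdditionalFlowStep` / `isBarrier` predicates to the module. As rendered here `module HttpToFileAccessFlow = TaintTracking::Global;` shows no type argument — presumably `TaintTracking::Global<HttpToFileAccessConfig>` with the angle brackets lost in extraction — which is worth confirming against the actual file.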
@@ -13,7 +13,23 @@ private import TaintedFormatStringCustomizations::TaintedFormatString
 /**
 * A taint-tracking configuration for format injections.
 */
-class Configuration extends TaintTracking::Configuration {
+module TaintedFormatStringConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint-tracking for format injections.
+ */
+module TaintedFormatStringFlow = TaintTracking::Global;
+
+/**
+ * DEPRECATED. Use the `TaintedFormatStringFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "TaintedFormatString" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof Source }
diff --git a/ruby/ql/src/queries/security/cwe-134/TaintedFormatString.ql b/ruby/ql/src/queries/security/cwe-134/TaintedFormatString.ql
index 3a6a2dcf5a04..9d85b1764822 100644
--- a/ruby/ql/src/queries/security/cwe-134/TaintedFormatString.ql
+++ b/ruby/ql/src/queries/security/cwe-134/TaintedFormatString.ql
@@ -13,9 +13,9 @@
 import codeql.ruby.AST
 import codeql.ruby.DataFlow
 import codeql.ruby.security.TaintedFormatStringQuery
-import DataFlow::PathGraph
+import TaintedFormatStringFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from TaintedFormatStringFlow::PathNode source, TaintedFormatStringFlow::PathNode sink
+where TaintedFormatStringFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Format string depends on a $@.", source.getNode(),
 "user-provided value"
diff --git a/ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql b/ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql
index 10a892f8b0fb..a4e6fc828114 100644
--- a/ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql
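Review bot: `TaintedFormatStringConfig` and the deprecated `Configuration` class now define the same source/sink/sanitizer logic twice, so the two definitions can drift for as long as the deprecated class is kept alive for downstream queries. Having the legacy overrides delegate to the module, e.g. `override predicate isSource(DataFlow::Node source) { TaintedFormatStringConfig::isSource(source) }` and likewise for `isSink` and `isSanitizer`, keeps one authoritative definition of what the format-injection query treats as a source, sink or barrier. The deprecated class body continues past the end of the hunk, so the remaining overrides are not visible here.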
+++ b/ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql
@@ -13,10 +13,10 @@
 import codeql.ruby.AST
 import codeql.ruby.DataFlow
-import codeql.ruby.DataFlow::DataFlow::PathGraph
 import codeql.ruby.security.HttpToFileAccessQuery
+import HttpToFileAccessFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from HttpToFileAccessFlow::PathNode source, HttpToFileAccessFlow::PathNode sink
+where HttpToFileAccessFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Write to file system depends on $@.", source.getNode(),
 "untrusted data"
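Review bot: After this port nothing in the hunk references `DataFlow` or the AST library any more — the `from` clause uses `HttpToFileAccessFlow::PathNode`, and `where`/`select` use only the flow module and `getNode()` — so `import codeql.ruby.DataFlow` and `import codeql.ruby.AST` look like leftovers from the old `Configuration`-based version. The query header above the hunk is not visible, so keep them only if something there still needs them; otherwise drop the two lines so the query does not trip the unused-import check, and apply the same cleanup to the cwe-134 query in this patch, whose imports mirror these.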