Share HttpToFileAccessQuery between JS and Ruby

hmac · hmac · commit 91a7e9405c02 · 2022-03-22T11:10:08.000+13:00
There's so little in this query that it may not be worth sharing, but
it's an interesting exercise in figuring out how we do it nicely.
diff --git a/config/identical-files.json b/config/identical-files.json
@@ -533,5 +533,13 @@
   "TaintedFormatStringCustomizations Ruby/JS": [
     "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll",
     "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll"
+  ],
+  "HttpToFileAccessQuery JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll",
+    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll"
+  ],
+  "HttpToFileAccessCustomizations JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
+    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
   ]
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll
@@ -3,11 +3,9 @@
  * writing user-controlled data to files, as well as extension points
  * for adding your own.
  */
-
-import javascript
-import semmle.javascript.security.dataflow.RemoteFlowSources
-
 module HttpToFileAccess {
+  import HttpToFileAccessSpecific
+
   /**
    * A data flow source for writing user-controlled data to files.
    */
@@ -23,18 +21,6 @@ module HttpToFileAccess {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
-  /**
-   * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
-   */
-  private class RequestInputAccessAsSource extends Source {
-    RequestInputAccessAsSource() { this instanceof HTTP::RequestInputAccess }
-  }
-
-  /** A response from a server, considered as a flow source for writing user-controlled data to files. */
-  private class ServerResponseAsSource extends Source {
-    ServerResponseAsSource() { this = any(ClientRequest r).getAResponseDataNode() }
-  }
-
   /** A sink that represents file access method (write, append) argument */
   class FileAccessAsSink extends Sink {
     FileAccessAsSink() { exists(FileSystemWriteAccess src | this = src.getADataNode()) }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll
@@ -6,8 +6,7 @@
  * `HttpToFileAccessCustomizations` should be imported instead.
  */
 
-import javascript
-import HttpToFileAccessCustomizations::HttpToFileAccess
+private import HttpToFileAccessCustomizations::HttpToFileAccess
 
 /**
  * A taint tracking configuration for writing user-controlled data to files.
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessSpecific.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessSpecific.qll
@@ -0,0 +1,19 @@
+/**
+ * Provides imports and classes needed for `HttpToFileAccessQuery` and `HttpToFileAccessCustomizations`.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.RemoteFlowSources
+private import HttpToFileAccessCustomizations::HttpToFileAccess
+
+/**
+ * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
+ */
+private class RequestInputAccessAsSource extends Source {
+  RequestInputAccessAsSource() { this instanceof HTTP::RequestInputAccess }
+}
+
+/** A response from a server, considered as a flow source for writing user-controlled data to files. */
+private class ServerResponseAsSource extends Source {
+  ServerResponseAsSource() { this = any(ClientRequest r).getAResponseDataNode() }
+}
diff --git a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll
@@ -1,20 +1,11 @@
-/**
- * Provides default sources, sinks and sanitizers for reasoning about
- * writing user-controlled data to files, as well as extension points
- * for adding your own.
- */
-
-import ruby
-import codeql.ruby.DataFlow
-import codeql.ruby.dataflow.RemoteFlowSources
-import codeql.ruby.Concepts
-
 /**
  * Provides default sources, sinks and sanitizers for reasoning about
  * writing user-controlled data to files, as well as extension points
  * for adding your own.
  */
 module HttpToFileAccess {
+  import HttpToFileAccessSpecific
+
   /**
    * A data flow source for writing user-controlled data to files.
    */
@@ -30,17 +21,6 @@ module HttpToFileAccess {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
-  /**
-   * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
-   */
-  private class RequestInputAccessAsSource extends Source instanceof HTTP::Server::RequestInputAccess {
-  }
-
-  /** A response from an outgoing HTTP request, considered as a flow source for writing user-controlled data to files. */
-  private class HttpResponseAsSource extends Source {
-    HttpResponseAsSource() { this = any(HTTP::Client::Request r).getResponseBody() }
-  }
-
   /** A sink that represents file access method (write, append) argument */
   class FileAccessAsSink extends Sink {
     FileAccessAsSink() { exists(FileSystemWriteAccess src | this = src.getADataNode()) }
diff --git a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll
@@ -6,10 +6,7 @@
  * `HttpToFileAccessCustomizations` should be imported instead.
  */
 
-import ruby
-import codeql.ruby.TaintTracking
-import codeql.ruby.DataFlow
-import codeql.ruby.security.HttpToFileAccessCustomizations::HttpToFileAccess
+private import HttpToFileAccessCustomizations::HttpToFileAccess
 
 /**
  * A taint tracking configuration for writing user-controlled data to files.
diff --git a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessSpecific.qll b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessSpecific.qll
@@ -0,0 +1,21 @@
+/**
+ * Provides imports and classes needed for `HttpToFileAccessQuery` and `HttpToFileAccessCustomizations`.
+ */
+
+import ruby
+import codeql.ruby.DataFlow
+import codeql.ruby.dataflow.RemoteFlowSources
+import codeql.ruby.Concepts
+import codeql.ruby.TaintTracking
+private import HttpToFileAccessCustomizations::HttpToFileAccess
+
+/**
+ * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
+ */
+private class RequestInputAccessAsSource extends Source instanceof HTTP::Server::RequestInputAccess {
+}
+
+/** A response from an outgoing HTTP request, considered as a flow source for writing user-controlled data to files. */
+private class HttpResponseAsSource extends Source {
+  HttpResponseAsSource() { this = any(HTTP::Client::Request r).getResponseBody() }
+}
diff --git a/ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql b/ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql
@@ -12,6 +12,7 @@
  */
 
 import ruby
+import codeql.ruby.DataFlow
 import codeql.ruby.DataFlow::DataFlow::PathGraph
 import codeql.ruby.security.HttpToFileAccessQuery
 

Original file line number	Diff line number	Diff line change
`@@ -533,5 +533,13 @@`
`533`	`533`	`"TaintedFormatStringCustomizations Ruby/JS": [`
`534`	`534`	`"javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll",`
`535`	`535`	`"ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll"`
	`536`	`+ ],`
	`537`	`+ "HttpToFileAccessQuery JS/Ruby": [`
	`538`	`+ "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll",`
	`539`	`+ "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll"`
	`540`	`+ ],`
	`541`	`+ "HttpToFileAccessCustomizations JS/Ruby": [`
	`542`	`+ "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",`
	`543`	`+ "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"`
`536`	`544`	`]`
`537`	`545`	`}`