

Commit d46eceb

committed
Ruby: configsig rb/kernel-open
1 parent a8ad0d8 commit d46eceb

2 files changed

Lines changed: 24 additions & 24 deletions


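--- a/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll
@@ -4,10 +4,12 @@
 
 private import codeql.ruby.AST
 private import codeql.ruby.DataFlow
-private import codeql.ruby.AST
 private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.BarrierGuards
+private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.frameworks.core.Kernel::Kernel
 private import codeql.ruby.frameworks.Files
+private import codeql.ruby.TaintTracking
 
 /** A call to a method that might access a file or start a process. */
 class AmbiguousPathCall extends DataFlow::CallNode {
@@ -72,3 +74,20 @@ abstract class Sanitizer extends DataFlow::Node { }
 private class FileJoinSanitizer extends Sanitizer {
 FileJoinSanitizer() { this = any(File::FileJoinSummary s).getParameter("1..") }
 }
+
+private module KernelOpenConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+predicate isSink(DataFlow::Node sink) { sink = any(AmbiguousPathCall r).getPathArgument() }
+
+predicate isBarrier(DataFlow::Node node) {
+node instanceof StringConstCompareBarrier or
+node instanceof StringConstArrayInclusionCallBarrier or
+node instanceof Sanitizer
+}
+}
+
+/**
+* Taint-tracking for detecting insecure uses of `Kernel.open` and similar sinks.
+*/
+module KernelOpenFlow = TaintTracking::Global<KernelOpenConfig>;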
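Review bot: `KernelOpenConfig` at new line 78 has no QLDoc while `KernelOpenFlow` directly below it does; since this module is where a maintainer will look to see what counts as a source, sink or barrier, it deserves a line such as `/** A taint-tracking configuration from remote user input to the path argument of an `AmbiguousPathCall`. */`. The `isBarrier` predicate at new line 83 is likewise undocumented; a short comment noting that it carries over the barriers the query's former `isSanitizer` predicate recognised — comparison against a string constant, inclusion in a constant array, and any `Sanitizer` extension — would make the intent explicit to whoever next tunes the query's false-positive profile. The `AmbiguousPathCall` class whose header appears in the first hunk continues outside it.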

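--- a/ruby/ql/src/queries/security/cwe-078/KernelOpen.ql
+++ b/ruby/ql/src/queries/security/cwe-078/KernelOpen.ql
@@ -16,33 +16,14 @@
 */
 
 import codeql.ruby.DataFlow
-import codeql.ruby.TaintTracking
-import codeql.ruby.dataflow.RemoteFlowSources
-import codeql.ruby.dataflow.BarrierGuards
-import DataFlow::PathGraph
 import codeql.ruby.security.KernelOpenQuery
-
-class Configuration extends TaintTracking::Configuration {
-Configuration() { this = "KernelOpen" }
-
-override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-override predicate isSink(DataFlow::Node sink) {
-sink = any(AmbiguousPathCall r).getPathArgument()
-}
-
-override predicate isSanitizer(DataFlow::Node node) {
-node instanceof StringConstCompareBarrier or
-node instanceof StringConstArrayInclusionCallBarrier or
-node instanceof Sanitizer
-}
-}
+import KernelOpenFlow::PathGraph
 
 from
-Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
-DataFlow::Node sourceNode, DataFlow::CallNode call
+KernelOpenFlow::PathNode source, KernelOpenFlow::PathNode sink, DataFlow::Node sourceNode,
+DataFlow::CallNode call
 where
-config.hasFlowPath(source, sink) and
+KernelOpenFlow::flowPath(source, sink) and
 sourceNode = source.getNode() and
 call.getArgument(0) = sink.getNode()
 select sink.getNode(), source, sink,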
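Review bot: The rewritten `from` clause at new lines 23–24 still declares `call` as a plain `DataFlow::CallNode`, and the unchanged `where` clause recovers it with `call.getArgument(0) = sink.getNode()`, which presumes the path argument of an `AmbiguousPathCall` is always argument 0; if `getPathArgument()` can ever select a different argument, the alert for that call would be silently dropped. Since the sink is defined in `KernelOpenQuery.qll` as `any(AmbiguousPathCall r).getPathArgument()`, the query could declare `AmbiguousPathCall call` and match with `call.getPathArgument() = sink.getNode()`, keeping the sink definition and the reported call in step. The `select` clause continues outside the hunk.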
