Ruby: Add sinks from external models

hmac · hmac · commit e9277a56a9fe · 2023-11-27T09:18:00.000Z
diff --git a/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll
@@ -4,6 +4,7 @@ private import codeql.ruby.Concepts
 private import codeql.ruby.Frameworks
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.dataflow.BarrierGuards
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 
 /**
  * Provides default sources, sinks and sanitizers for detecting
@@ -156,4 +157,8 @@ module CodeInjection {
 
     override FlowState::State getAState() { result instanceof FlowState::Full }
   }
+
+  private class ExternalCodeInjectionSink extends Sink {
+    ExternalCodeInjectionSink() { this = ModelOutput::getASinkNode("code-injection").asSink() }
+  }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll
@@ -9,6 +9,7 @@ private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.Concepts
 private import codeql.ruby.Frameworks
 private import codeql.ruby.ApiGraphs
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 
 module CommandInjection {
   /**
@@ -52,4 +53,10 @@ module CommandInjection {
       this.(DataFlow::CallNode).getMethodName() = "shellescape"
     }
   }
+
+  private class ExternalCommandInjectionSink extends Sink {
+    ExternalCommandInjectionSink() {
+      this = ModelOutput::getASinkNode("command-injection").asSink()
+    }
+  }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
@@ -8,6 +8,7 @@ import codeql.ruby.DataFlow
 import codeql.ruby.TaintTracking
 import codeql.ruby.dataflow.RemoteFlowSources
 import codeql.ruby.frameworks.Core
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 
 /**
  * A data flow source for user input used in log entries.
@@ -50,6 +51,10 @@ class LoggingSink extends Sink {
   LoggingSink() { this = any(Logging logging).getAnInput() }
 }
 
+private class ExternalLogInjectionSink extends Sink {
+  ExternalLogInjectionSink() { this = ModelOutput::getASinkNode("log-injection").asSink() }
+}
+
 /**
  * A call to `String#replace` that replaces `\n` is considered to sanitize the replaced string (reduce false positive).
  */
diff --git a/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll
@@ -11,6 +11,7 @@ private import codeql.ruby.Concepts
 private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.BarrierGuards
 private import codeql.ruby.dataflow.RemoteFlowSources
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 
 module PathInjection {
   /**
@@ -52,4 +53,8 @@ module PathInjection {
   class StringConstArrayInclusionCallAsSanitizer extends Sanitizer,
     StringConstArrayInclusionCallBarrier
   { }
+
+  private class ExternalPathInjectionSink extends Sink {
+    ExternalPathInjectionSink() { this = ModelOutput::getASinkNode("path-injection").asSink() }
+  }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
@@ -11,6 +11,7 @@ private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.dataflow.BarrierGuards
 private import codeql.ruby.dataflow.Sanitizers
 private import codeql.ruby.frameworks.ActionController
+private import codeql.ruby.frameworks.data.internal.ApiGraphModels
 
 /**
  * Provides default sources, sinks and sanitizers for detecting
@@ -73,6 +74,10 @@ module UrlRedirect {
     }
   }
 
+  private class ExternalUrlRedirectSink extends Sink {
+    ExternalUrlRedirectSink() { this = ModelOutput::getASinkNode("url-redirect").asSink() }
+  }
+
   /**
    * A comparison with a constant string, considered as a sanitizer-guard.
    */

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ private import codeql.ruby.Concepts`
`4`	`4`	`private import codeql.ruby.Frameworks`
`5`	`5`	`private import codeql.ruby.dataflow.RemoteFlowSources`
`6`	`6`	`private import codeql.ruby.dataflow.BarrierGuards`
	`7`	`+private import codeql.ruby.frameworks.data.internal.ApiGraphModels`
`7`	`8`
`8`	`9`	`/**`
`9`	`10`	`* Provides default sources, sinks and sanitizers for detecting`
`@@ -156,4 +157,8 @@ module CodeInjection {`
`156`	`157`
`157`	`158`	`override FlowState::State getAState() { result instanceof FlowState::Full }`
`158`	`159`	`}`
	`160`	`+`
	`161`	`+ private class ExternalCodeInjectionSink extends Sink {`
	`162`	`+ ExternalCodeInjectionSink() { this = ModelOutput::getASinkNode("code-injection").asSink() }`
	`163`	`+ }`
`159`	`164`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ private import codeql.ruby.dataflow.RemoteFlowSources`
`9`	`9`	`private import codeql.ruby.Concepts`
`10`	`10`	`private import codeql.ruby.Frameworks`
`11`	`11`	`private import codeql.ruby.ApiGraphs`
	`12`	`+private import codeql.ruby.frameworks.data.internal.ApiGraphModels`
`12`	`13`
`13`	`14`	`module CommandInjection {`
`14`	`15`	`/**`
`@@ -52,4 +53,10 @@ module CommandInjection {`
`52`	`53`	`this.(DataFlow::CallNode).getMethodName() = "shellescape"`
`53`	`54`	`}`
`54`	`55`	`}`
	`56`	`+`
	`57`	`+ private class ExternalCommandInjectionSink extends Sink {`
	`58`	`+ ExternalCommandInjectionSink() {`
	`59`	`+ this = ModelOutput::getASinkNode("command-injection").asSink()`
	`60`	`+ }`
	`61`	`+ }`
`55`	`62`	`}`