Ruby: add rb/sensitive-get-query query

alexrford · alexrford · commit f84035a65cfc · 2022-09-10T17:43:15.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/Concepts.qll b/ruby/ql/lib/codeql/ruby/Concepts.qll
@@ -250,6 +250,11 @@ module HTTP {
 
       /** Gets a string that identifies the framework used for this route setup. */
       string getFramework() { result = super.getFramework() }
+
+      /**
+       * Gets the HTTP method name, in lowercase, that this handler will respond to.
+       */
+      string getHttpMethod() { result = super.getHttpMethod() }
     }
 
     /** Provides a class for modeling new HTTP routing APIs. */
@@ -287,6 +292,11 @@ module HTTP {
 
         /** Gets a string that identifies the framework used for this route setup. */
         abstract string getFramework();
+
+        /**
+         * Gets the HTTP method name, in all caps, that this handler will respond to.
+         */
+        abstract string getHttpMethod();
       }
     }
 
@@ -343,6 +353,12 @@ module HTTP {
 
       /** Gets a string that identifies the framework used for this route setup. */
       string getFramework() { result = super.getFramework() }
+
+      /**
+       * Gets an HTTP method name, in all caps, that this handler will respond to.
+       * Handlers can potentially respond to multiple HTTP methods.
+       */
+      string getAnHttpMethod() { result = super.getAnHttpMethod() }
     }
 
     /** Provides a class for modeling new HTTP request handlers. */
@@ -364,6 +380,12 @@ module HTTP {
 
         /** Gets a string that identifies the framework used for this request handler. */
         abstract string getFramework();
+
+        /**
+         * Gets an HTTP method name, in all caps, that this handler will respond to.
+         * Handlers can potentially respond to multiple HTTP methods.
+         */
+        abstract string getAnHttpMethod();
       }
     }
 
@@ -378,6 +400,8 @@ module HTTP {
       }
 
       override string getFramework() { result = rs.getFramework() }
+
+      override string getAnHttpMethod() { result = rs.getHttpMethod() }
     }
 
     /** A parameter that will receive parts of the url when handling an incoming request. */
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -67,6 +67,8 @@ class ActionControllerActionMethod extends Method, HTTP::Server::RequestHandler:
 
   override string getFramework() { result = "ActionController" }
 
+  override string getAnHttpMethod() { result = this.getARoute().getHttpMethod() }
+
   /** Gets a call to render from within this method. */
   RenderCall getARenderCall() { result.getParent+() = this }
 
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/GraphQL.qll b/ruby/ql/lib/codeql/ruby/frameworks/GraphQL.qll
@@ -85,6 +85,9 @@ private class GraphqlSchemaResolverClass extends ClassDeclaration {
   }
 }
 
+/** Gets an HTTP method that is supported for querying a GraphQL server. */
+private string getASupportedHTTPMethod() { result = ["get", "post"] }
+
 /**
  * A `ClassDeclaration` for a class that extends `GraphQL::Schema::Object`.
  * For example,
@@ -173,6 +176,8 @@ class GraphqlResolveMethod extends Method, HTTP::Server::RequestHandler::Range {
 
   override string getFramework() { result = "GraphQL" }
 
+  override string getAnHttpMethod() { result = getASupportedHTTPMethod() }
+
   /** Gets the mutation class containing this method. */
   GraphqlResolvableClass getMutationClass() { result = resolvableClass }
 }
@@ -220,6 +225,8 @@ class GraphqlLoadMethod extends Method, HTTP::Server::RequestHandler::Range {
 
   override string getFramework() { result = "GraphQL" }
 
+  override string getAnHttpMethod() { result = getASupportedHTTPMethod() }
+
   /** Gets the mutation class containing this method. */
   GraphqlResolvableClass getMutationClass() { result = resolvableClass }
 }
@@ -389,6 +396,8 @@ class GraphqlFieldResolutionMethod extends Method, HTTP::Server::RequestHandler:
 
   override string getFramework() { result = "GraphQL" }
 
+  override string getAnHttpMethod() { result = getASupportedHTTPMethod() }
+
   /** Gets the class containing this method. */
   GraphqlSchemaObjectClass getGraphqlClass() { result = schemaObjectClass }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/SensitiveActions.qll b/ruby/ql/lib/codeql/ruby/security/SensitiveActions.qll
@@ -11,6 +11,130 @@
 
 private import codeql.ruby.AST
 private import codeql.ruby.DataFlow
+import codeql.ruby.security.internal.SensitiveDataHeuristics
+private import HeuristicNames
+
+/** An expression that might contain sensitive data. */
+cached
+abstract class SensitiveExpr extends Expr {
+  /** Gets a human-readable description of this expression for use in alert messages. */
+  cached
+  abstract string describe();
+
+  /** Gets a classification of the kind of sensitive data this expression might contain. */
+  cached
+  abstract SensitiveDataClassification getClassification();
+}
+
+/** A method call that might produce sensitive data. */
+class SensitiveCall extends SensitiveExpr, MethodCall {
+  SensitiveDataClassification classification;
+
+  SensitiveCall() {
+    classification = this.getMethodName().(SensitiveDataMethodName).getClassification()
+    or
+    // This is particularly to pick up methods with an argument like "password", which
+    // may indicate a lookup.
+    exists(string s | this.getAnArgument().getConstantValue().isStringlikeValue(s) |
+      nameIndicatesSensitiveData(s, classification)
+    )
+  }
+
+  override string describe() { result = "a call to " + this.getMethodName() }
+
+  override SensitiveDataClassification getClassification() { result = classification }
+}
+
+/** An access to a variable or hash value that might contain sensitive data. */
+abstract class SensitiveVariableAccess extends SensitiveExpr {
+  string name;
+
+  SensitiveVariableAccess() {
+    this.(VariableAccess).getVariable().hasName(name)
+    or
+    this.(ElementReference).getAnArgument().getConstantValue().isStringlikeValue(name)
+  }
+
+  override string describe() { result = "an access to " + name }
+}
+
+/** A write to a location that might contain sensitive data. */
+abstract class SensitiveWrite extends DataFlow::Node { }
+
+/**
+ * Holds if `node` is a write to a variable or hash value named `name`.
+ *
+ * Helper predicate factored out for performance,
+ * to filter `name` as much as possible before using it in
+ * regex matching.
+ */
+pragma[nomagic]
+private predicate writesProperty(DataFlow::Node node, string name) {
+  exists(VariableWriteAccess vwa | vwa.getVariable().getName() = name |
+    node.asExpr().getExpr() = vwa
+  )
+  or
+  // hash value assignment
+  node.(DataFlow::CallNode).getMethodName() = "[]=" and
+  node.(DataFlow::CallNode).getArgument(0).asExpr().getConstantValue().isStringlikeValue(name)
+}
+
+/** A write to a variable or property that might contain sensitive data. */
+private class BasicSensitiveWrite extends SensitiveWrite {
+  SensitiveDataClassification classification;
+
+  BasicSensitiveWrite() {
+    exists(string name |
+      /*
+       * PERFORMANCE OPTIMISATION:
+       * `nameIndicatesSensitiveData` performs a `regexpMatch` on `name`.
+       * To carry out a regex match, we must first compute the Cartesian product
+       * of all possible `name`s and regexes, then match.
+       * To keep this product as small as possible,
+       * we want to filter `name` as much as possible before the product.
+       *
+       * Do this by factoring out a helper predicate containing the filtering
+       * logic that restricts `name`. This helper predicate will get picked first
+       * in the join order, since it is the only call here that binds `name`.
+       */
+
+      writesProperty(this, name) and
+      nameIndicatesSensitiveData(name, classification)
+    )
+  }
+
+  /** Gets a classification of the kind of sensitive data the write might handle. */
+  SensitiveDataClassification getClassification() { result = classification }
+}
+
+/** An access to a variable or hash value that might contain sensitive data. */
+private class BasicSensitiveVariableAccess extends SensitiveVariableAccess {
+  SensitiveDataClassification classification;
+
+  BasicSensitiveVariableAccess() { nameIndicatesSensitiveData(name, classification) }
+
+  override SensitiveDataClassification getClassification() { result = classification }
+}
+
+/** A method name that suggests it may be sensitive. */
+abstract class SensitiveMethodName extends string {
+  SensitiveMethodName() { this = any(MethodBase m).getName() }
+}
+
+/** A method name that suggests it may produce sensitive data. */
+abstract class SensitiveDataMethodName extends SensitiveMethodName {
+  /** Gets a classification of the kind of sensitive data this method may produce. */
+  abstract SensitiveDataClassification getClassification();
+}
+
+/** A method name that might return sensitive credential data. */
+class CredentialsMethodName extends SensitiveDataMethodName {
+  SensitiveDataClassification classification;
+
+  CredentialsMethodName() { nameIndicatesSensitiveData(this, classification) }
+
+  override SensitiveDataClassification getClassification() { result = classification }
+}
 
 /**
  * A sensitive action, such as transfer of sensitive data.
diff --git a/ruby/ql/src/change-notes/2022-09-10-sensitive-get-query.md b/ruby/ql/src/change-notes/2022-09-10-sensitive-get-query.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `rb/sensitive-get-query`, to detect cases where sensitive data is read from the query parameters of an HTTP `GET` request.
diff --git a/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.qhelp b/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.qhelp
@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Sensitive information such as user passwords should not be transmitted within the query string of the requested URL.
+Sensitive information within URLs may be logged in various locations, including the user's browser, the web server,
+and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked
+or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are
+followed. Placing sensitive information into the URL therefore increases the risk that it will be captured by an attacker.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Use HTTP POST to send sensitive information as part of the request body; for example, as form data.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows two route handlers that both receive a username and a password.
+The first receives this sensitive information from the query parameters of a GET request, which is
+transmitted in the URL. The second receives this sensitive information from the request body of a POST request.
+</p>
+<sample src="examples/routes.rb" />
+<sample src="examples/users_controller.rb" />
+</example>
+
+<references>
+  <li>
+    CWE:
+    <a href="https://cwe.mitre.org/data/definitions/598.html">CWE-598: Use of GET Request Method with Sensitive Query Strings</a>
+  </li>
+  <li>
+    PortSwigger (Burp):
+    <a href="https://portswigger.net/kb/issues/00400300_password-submitted-using-get-method">Password Submitted using GET Method</a>
+  </li>
+  <li>
+    OWASP:
+    <a href="https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url">Information Exposure through Query Strings in URL</a>
+  </li>
+</references>
+</qhelp>
diff --git a/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.ql b/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.ql
@@ -0,0 +1,44 @@
+/**
+ * @name Sensitive data read from GET request
+ * @description Placing sensitive data in a GET request increases the risk of
+ *              the data being exposed to an attacker.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 6.5
+ * @precision high
+ * @id rb/sensitive-get-query
+ * @tags security
+ *       external/cwe/cwe-598
+ */
+
+import ruby
+private import codeql.ruby.DataFlow
+private import codeql.ruby.security.SensitiveActions
+private import codeql.ruby.Concepts
+private import codeql.ruby.frameworks.ActionDispatch
+private import codeql.ruby.frameworks.ActionController
+private import codeql.ruby.frameworks.core.Array
+
+// Local flow augmented with flow through element references
+private predicate localFlowWithElementReference(DataFlow::LocalSourceNode src, DataFlow::Node to) {
+  src.flowsTo(to)
+  or
+  exists(DataFlow::Node midRecv, DataFlow::LocalSourceNode mid, ElementReference ref |
+    src.flowsTo(midRecv) and
+    midRecv.asExpr().getExpr() = ref.getReceiver() and
+    mid.asExpr().getExpr() = ref
+  |
+    localFlowWithElementReference(mid, to)
+  )
+}
+
+from
+  HTTP::Server::RequestHandler handler, HTTP::Server::RequestInputAccess input,
+  DataFlow::Node sensitive
+where
+  handler.getAnHttpMethod() = "get" and
+  input.asExpr().getExpr().getEnclosingMethod() = handler and
+  sensitive.asExpr().getExpr() instanceof SensitiveExpr and
+  localFlowWithElementReference(input, sensitive)
+select input, "$@ for GET requests uses query parameter as sensitive data.", handler,
+  "Request handler"
diff --git a/ruby/ql/src/queries/security/cwe-598/examples/routes.rb b/ruby/ql/src/queries/security/cwe-598/examples/routes.rb
@@ -0,0 +1,4 @@
+Rails.application.routes.draw do
+  get "users/login", to: "#login_get" # BAD: sensitive data transmitted through query parameters
+  post "users/login", to: "users#login_post" # GOOD: sensitive data transmitted in the request body
+end
diff --git a/ruby/ql/src/queries/security/cwe-598/examples/users_controller.rb b/ruby/ql/src/queries/security/cwe-598/examples/users_controller.rb
@@ -0,0 +1,16 @@
+class UsersController < ActionController::Base
+  def login_get
+    password = params[:password]
+    authenticate_user(params[:username], password)
+  end
+
+  def login_post
+    password = params[:password]
+    authenticate_user(params[:username], password)
+  end
+
+  private
+  def authenticate_user(username, password)
+    # ... authenticate the user here
+  end
+end
diff --git a/ruby/ql/test/query-tests/security/cwe-598/SensitiveGetQuery.expected b/ruby/ql/test/query-tests/security/cwe-598/SensitiveGetQuery.expected
@@ -0,0 +1,2 @@
+| app/controllers/users_controller.rb:4:16:4:21 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get | Request handler |
+| app/controllers/users_controller.rb:5:23:5:28 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get | Request handler |
diff --git a/ruby/ql/test/query-tests/security/cwe-598/SensitiveGetQuery.qlref b/ruby/ql/test/query-tests/security/cwe-598/SensitiveGetQuery.qlref
@@ -0,0 +1 @@
+queries/security/cwe-598/SensitiveGetQuery.ql
diff --git a/ruby/ql/test/query-tests/security/cwe-598/app/controllers/users_controller.rb b/ruby/ql/test/query-tests/security/cwe-598/app/controllers/users_controller.rb
@@ -0,0 +1,17 @@
+class UsersController < ApplicationController
+
+  def login_get
+    password = params[:password] # BAD: route handler uses GET query parameters to receive sensitive data
+    authenticate_user(params[:username], password) # BAD: route handler uses GET query parameters to receive sensitive data
+  end
+
+  def login_post
+    password = params[:password] # GOOD: handler uses POST form parameters to receive sensitive data
+    authenticate_user(params[:username], password) # GOOD: handler uses POST form parameters to receive sensitive data
+  end
+
+  private
+  def authenticate_user(username, password)
+    # ... authenticate the user here
+  end
+end
diff --git a/ruby/ql/test/query-tests/security/cwe-598/config/routes.rb b/ruby/ql/test/query-tests/security/cwe-598/config/routes.rb
@@ -0,0 +1,5 @@
+Rails.application.routes.draw do
+  match "users/login1", to: "users#login_get", via: :get
+  get "users/login2", to: "users#login_get"
+  post "users/login3", to: "users#login_post"
+end

Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,9 @@ private class GraphqlSchemaResolverClass extends ClassDeclaration {`
`85`	`85`	`}`
`86`	`86`	`}`
`87`	`87`
	`88`	`+/** Gets an HTTP method that is supported for querying a GraphQL server. */`
	`89`	`+private string getASupportedHTTPMethod() { result = ["get", "post"] }`
	`90`	`+`
`88`	`91`	`/**`
`89`	`92`	* A `ClassDeclaration` for a class that extends `GraphQL::Schema::Object`.
`90`	`93`	`* For example,`
`@@ -173,6 +176,8 @@ class GraphqlResolveMethod extends Method, HTTP::Server::RequestHandler::Range {`
`173`	`176`
`174`	`177`	`override string getFramework() { result = "GraphQL" }`
`175`	`178`
	`179`	`+ override string getAnHttpMethod() { result = getASupportedHTTPMethod() }`
	`180`	`+`
`176`	`181`	`/** Gets the mutation class containing this method. */`
`177`	`182`	`GraphqlResolvableClass getMutationClass() { result = resolvableClass }`
`178`	`183`	`}`
`@@ -220,6 +225,8 @@ class GraphqlLoadMethod extends Method, HTTP::Server::RequestHandler::Range {`
`220`	`225`
`221`	`226`	`override string getFramework() { result = "GraphQL" }`
`222`	`227`
	`228`	`+ override string getAnHttpMethod() { result = getASupportedHTTPMethod() }`
	`229`	`+`
`223`	`230`	`/** Gets the mutation class containing this method. */`
`224`	`231`	`GraphqlResolvableClass getMutationClass() { result = resolvableClass }`
`225`	`232`	`}`
`@@ -389,6 +396,8 @@ class GraphqlFieldResolutionMethod extends Method, HTTP::Server::RequestHandler:`
`389`	`396`
`390`	`397`	`override string getFramework() { result = "GraphQL" }`
`391`	`398`
	`399`	`+ override string getAnHttpMethod() { result = getASupportedHTTPMethod() }`
	`400`	`+`
`392`	`401`	`/** Gets the class containing this method. */`
`393`	`402`	`GraphqlSchemaObjectClass getGraphqlClass() { result = schemaObjectClass }`
`394`	`403`	`}`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: newQuery
 +---
 +* Added a new query, `rb/sensitive-get-query`, to detect cases where sensitive data is read from the query parameters of an HTTP `GET` request.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| app/controllers/users_controller.rb:4:16:4:21 \| call to params \| $@ for GET requests uses query parameter as sensitive data. \| app/controllers/users_controller.rb:3:3:6:5 \| login_get \| Request handler \|`
	`2`	`+\| app/controllers/users_controller.rb:5:23:5:28 \| call to params \| $@ for GET requests uses query parameter as sensitive data. \| app/controllers/users_controller.rb:3:3:6:5 \| login_get \| Request handler \|`