Merge branch 'main' into experimental-decompression-api

2026-04-30 11:15:13 +02:00 · 2022-06-16 17:23:55 -04:00
parent 6416b8ddb9 e95194ce67
commit 01cb408393
38 changed files with 1153 additions and 123 deletions
--- a/ruby/ql/test/query-tests/security/cwe-022/ArchiveApiPathTraversal.rb
+++ b/ruby/ql/test/query-tests/security/cwe-022/ArchiveApiPathTraversal.rb
@@ -0,0 +1,82 @@
+class TestContoller < ActionController::Base
+  
+  # this is vulnerable
+  def upload
+    untar params[:file], params[:filename]
+  end
+
+  # this is vulnerable
+  def unpload_zip
+    unzip params[:file]
+  end
+
+  # this is vulnerable
+  def create_new_zip
+    zip params[:filename], files
+  end
+
+  # these are not vulnerable because of the string compare sanitizer
+  def safe_upload_string_compare
+    filename = params[:filename]
+    if filename == "safefile.tar"
+      untar params[:file], filename
+    end
+  end
+
+  def safe_upload_zip_string_compare
+    filename = params[:filename]
+    if filename == "safefile.zip"
+      unzip filename
+    end
+  end
+
+  # these are not vulnerable beacuse of the string array compare sanitizer
+  def safe_upload_string_array_compare
+    filename = params[:filename]
+    if ["safefile1.tar", "safefile2.tar"].include? filename
+      untar params[:file], filename
+    end
+  end
+
+  def safe_upload_zip_string_array_compare
+    filename = params[:filename]
+    if ["safefile1.zip", "safefile2.zip"].include? filename
+      unzip filename
+    end
+  end
+
+  # these are our two sinks
+  def untar(io, destination)
+    Gem::Package::TarReader.new io do |tar|
+      tar.each do |tarfile|
+        destination_file = File.join destination, tarfile.full_name
+        
+        if tarfile.directory?
+          FileUtils.mkdir_p destination_file
+        else
+          destination_directory = File.dirname(destination_file)
+          FileUtils.mkdir_p destination_directory unless File.directory?(destination_directory)
+          File.open destination_file, "wb" do |f|
+            f.print tarfile.read
+          end
+        end
+      end
+    end
+  end
+
+  def unzip(file)
+    Zip::File.open(file) do |zip_file|
+      zip_file.each do |entry|
+        entry.extract
+      end
+    end
+  end
+
+  def zip(filename, files = [])
+    Zip::File.new(filename) do |zf|
+      files.each do |f|
+        zf.add f
+      end
+    end
+  end
+end
--- a/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected
+++ b/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected
@@ -1,4 +1,15 @@
 edges
+| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  |
+| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | ArchiveApiPathTraversal.rb:49:17:49:27 | destination :  |
+| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  |
+| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  | ArchiveApiPathTraversal.rb:67:13:67:16 | file :  |
+| ArchiveApiPathTraversal.rb:15:9:15:14 | call to params :  | ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] :  |
+| ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] :  | ArchiveApiPathTraversal.rb:75:11:75:18 | filename :  |
+| ArchiveApiPathTraversal.rb:49:17:49:27 | destination :  | ArchiveApiPathTraversal.rb:52:38:52:48 | destination :  |
+| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join :  | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file |
+| ArchiveApiPathTraversal.rb:52:38:52:48 | destination :  | ArchiveApiPathTraversal.rb:52:28:52:67 | call to join :  |
+| ArchiveApiPathTraversal.rb:67:13:67:16 | file :  | ArchiveApiPathTraversal.rb:68:20:68:23 | file |
+| ArchiveApiPathTraversal.rb:75:11:75:18 | filename :  | ArchiveApiPathTraversal.rb:76:19:76:26 | filename |
 | tainted_path.rb:4:12:4:17 | call to params :  | tainted_path.rb:4:12:4:24 | ...[...] :  |
 | tainted_path.rb:4:12:4:24 | ...[...] :  | tainted_path.rb:5:26:5:29 | path |
 | tainted_path.rb:10:12:10:43 | call to absolute_path :  | tainted_path.rb:11:26:11:29 | path |
@@ -26,6 +37,20 @@ edges
 | tainted_path.rb:59:40:59:45 | call to params :  | tainted_path.rb:59:40:59:52 | ...[...] :  |
 | tainted_path.rb:59:40:59:52 | ...[...] :  | tainted_path.rb:59:12:59:53 | call to new :  |
 nodes
+| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | semmle.label | call to params :  |
+| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | semmle.label | ...[...] :  |
+| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | semmle.label | call to params :  |
+| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  | semmle.label | ...[...] :  |
+| ArchiveApiPathTraversal.rb:15:9:15:14 | call to params :  | semmle.label | call to params :  |
+| ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] :  | semmle.label | ...[...] :  |
+| ArchiveApiPathTraversal.rb:49:17:49:27 | destination :  | semmle.label | destination :  |
+| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join :  | semmle.label | call to join :  |
+| ArchiveApiPathTraversal.rb:52:38:52:48 | destination :  | semmle.label | destination :  |
+| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | semmle.label | destination_file |
+| ArchiveApiPathTraversal.rb:67:13:67:16 | file :  | semmle.label | file :  |
+| ArchiveApiPathTraversal.rb:68:20:68:23 | file | semmle.label | file |
+| ArchiveApiPathTraversal.rb:75:11:75:18 | filename :  | semmle.label | filename :  |
+| ArchiveApiPathTraversal.rb:76:19:76:26 | filename | semmle.label | filename |
 | tainted_path.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
 | tainted_path.rb:4:12:4:24 | ...[...] :  | semmle.label | ...[...] :  |
 | tainted_path.rb:5:26:5:29 | path | semmle.label | path |
@@ -63,6 +88,9 @@ nodes
 | tainted_path.rb:60:26:60:29 | path | semmle.label | path |
 subpaths
 #select
+| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | This path depends on $@. | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | a user-provided value |
+| ArchiveApiPathTraversal.rb:68:20:68:23 | file | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | ArchiveApiPathTraversal.rb:68:20:68:23 | file | This path depends on $@. | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params | a user-provided value |
+| ArchiveApiPathTraversal.rb:76:19:76:26 | filename | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params :  | ArchiveApiPathTraversal.rb:76:19:76:26 | filename | This path depends on $@. | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params | a user-provided value |
 | tainted_path.rb:5:26:5:29 | path | tainted_path.rb:4:12:4:17 | call to params :  | tainted_path.rb:5:26:5:29 | path | This path depends on $@. | tainted_path.rb:4:12:4:17 | call to params | a user-provided value |
 | tainted_path.rb:11:26:11:29 | path | tainted_path.rb:10:31:10:36 | call to params :  | tainted_path.rb:11:26:11:29 | path | This path depends on $@. | tainted_path.rb:10:31:10:36 | call to params | a user-provided value |
 | tainted_path.rb:17:26:17:29 | path | tainted_path.rb:16:28:16:33 | call to params :  | tainted_path.rb:17:26:17:29 | path | This path depends on $@. | tainted_path.rb:16:28:16:33 | call to params | a user-provided value |