")
- def with_template(self):
- return {'template_var': 'foo'}
diff --git a/python/ql/test/library-tests/web/twisted/Classes.expected b/python/ql/test/library-tests/web/twisted/Classes.expected
deleted file mode 100644
index b818907e98f..00000000000
--- a/python/ql/test/library-tests/web/twisted/Classes.expected
+++ /dev/null
@@ -1,6 +0,0 @@
-WARNING: Predicate aTwistedRequestHandlerClass has been deprecated and may be removed in future (Classes.ql:6,13-40)
-| class MyRequestHandler1 | test.py:3 |
-| class MyRequestHandler2 | test.py:23 |
-| class MyRequestHandler3 | test.py:27 |
-| class MyRequestHandler4 | test.py:38 |
-| class MyRequestHandler5 | test.py:42 |
diff --git a/python/ql/test/library-tests/web/twisted/Classes.ql b/python/ql/test/library-tests/web/twisted/Classes.ql
deleted file mode 100644
index ccc3618b61e..00000000000
--- a/python/ql/test/library-tests/web/twisted/Classes.ql
+++ /dev/null
@@ -1,7 +0,0 @@
-import python
-import semmle.python.TestUtils
-import semmle.python.web.twisted.Twisted
-
-from ClassValue cls
-where cls = aTwistedRequestHandlerClass()
-select cls.toString(), remove_library_prefix(cls.getScope().getLocation())
diff --git a/python/ql/test/library-tests/web/twisted/HttpResponseSinks.expected b/python/ql/test/library-tests/web/twisted/HttpResponseSinks.expected
deleted file mode 100644
index 763655ffe37..00000000000
--- a/python/ql/test/library-tests/web/twisted/HttpResponseSinks.expected
+++ /dev/null
@@ -1,11 +0,0 @@
-WARNING: Type HttpResponseTaintSink has been deprecated and may be removed in future (HttpResponseSinks.ql:5,6-27)
-| test.py:7:16:7:23 | Twisted response | externally controlled string |
-| test.py:14:16:14:23 | Twisted response | externally controlled string |
-| test.py:21:16:21:23 | Twisted response | externally controlled string |
-| test.py:36:16:36:37 | Twisted response | externally controlled string |
-| test.py:40:23:40:30 | Twisted request setter | externally controlled string |
-| test.py:44:27:44:31 | Twisted request setter | externally controlled string |
-| test.py:44:34:44:38 | Twisted request setter | externally controlled string |
-| test.py:45:27:45:31 | Twisted request setter | externally controlled string |
-| test.py:45:34:45:40 | Twisted request setter | externally controlled string |
-| test.py:46:16:46:37 | Twisted response | externally controlled string |
diff --git a/python/ql/test/library-tests/web/twisted/HttpResponseSinks.ql b/python/ql/test/library-tests/web/twisted/HttpResponseSinks.ql
deleted file mode 100644
index e62ec486da6..00000000000
--- a/python/ql/test/library-tests/web/twisted/HttpResponseSinks.ql
+++ /dev/null
@@ -1,7 +0,0 @@
-import python
-import semmle.python.web.HttpResponse
-import semmle.python.security.strings.Untrusted
-
-from HttpResponseTaintSink sink, TaintKind kind
-where sink.sinks(kind)
-select sink, kind
diff --git a/python/ql/test/library-tests/web/twisted/HttpSources.expected b/python/ql/test/library-tests/web/twisted/HttpSources.expected
deleted file mode 100644
index 4e7cb4c7abb..00000000000
--- a/python/ql/test/library-tests/web/twisted/HttpSources.expected
+++ /dev/null
@@ -1,9 +0,0 @@
-WARNING: Type HttpRequestTaintSource has been deprecated and may be removed in future (HttpSources.ql:5,6-28)
-| test.py:4:22:4:28 | request | twisted.request.http.Request |
-| test.py:9:26:9:32 | request | twisted.request.http.Request |
-| test.py:16:27:16:33 | request | twisted.request.http.Request |
-| test.py:24:24:24:30 | request | twisted.request.http.Request |
-| test.py:28:22:28:30 | myrequest | twisted.request.http.Request |
-| test.py:31:27:31:37 | postrequest | twisted.request.http.Request |
-| test.py:39:22:39:28 | request | twisted.request.http.Request |
-| test.py:43:22:43:28 | request | twisted.request.http.Request |
diff --git a/python/ql/test/library-tests/web/twisted/HttpSources.ql b/python/ql/test/library-tests/web/twisted/HttpSources.ql
deleted file mode 100644
index 6fa1a7d2a6b..00000000000
--- a/python/ql/test/library-tests/web/twisted/HttpSources.ql
+++ /dev/null
@@ -1,7 +0,0 @@
-import python
-import semmle.python.web.HttpRequest
-import semmle.python.security.strings.Untrusted
-
-from HttpRequestTaintSource source, TaintKind kind
-where source.isSourceOf(kind)
-select source.(ControlFlowNode).getNode(), kind
diff --git a/python/ql/test/library-tests/web/twisted/Methods.expected b/python/ql/test/library-tests/web/twisted/Methods.expected
deleted file mode 100644
index 6578ef88da9..00000000000
--- a/python/ql/test/library-tests/web/twisted/Methods.expected
+++ /dev/null
@@ -1,9 +0,0 @@
-WARNING: Predicate getTwistedRequestHandlerMethod has been deprecated and may be removed in future (Methods.ql:6,14-44)
-| myrender | Function MyRequestHandler2.myrender | test.py:24 |
-| render | Function MyRequestHandler1.render | test.py:4 |
-| render | Function MyRequestHandler3.render | test.py:28 |
-| render | Function MyRequestHandler4.render | test.py:39 |
-| render | Function MyRequestHandler5.render | test.py:43 |
-| render_GET | Function MyRequestHandler1.render_GET | test.py:9 |
-| render_POST | Function MyRequestHandler1.render_POST | test.py:16 |
-| render_POST | Function MyRequestHandler3.render_POST | test.py:31 |
diff --git a/python/ql/test/library-tests/web/twisted/Methods.ql b/python/ql/test/library-tests/web/twisted/Methods.ql
deleted file mode 100644
index f997b7deef3..00000000000
--- a/python/ql/test/library-tests/web/twisted/Methods.ql
+++ /dev/null
@@ -1,7 +0,0 @@
-import python
-import semmle.python.TestUtils
-import semmle.python.web.twisted.Twisted
-
-from FunctionValue func, string name
-where func = getTwistedRequestHandlerMethod(name)
-select name, func.toString(), remove_library_prefix(func.getScope().getLocation())
diff --git a/python/ql/test/library-tests/web/twisted/Taint.expected b/python/ql/test/library-tests/web/twisted/Taint.expected
deleted file mode 100644
index 1c793c973bd..00000000000
--- a/python/ql/test/library-tests/web/twisted/Taint.expected
+++ /dev/null
@@ -1,41 +0,0 @@
-| test.py:4 | request | twisted.request.http.Request |
-| test.py:5 | Attribute | externally controlled string |
-| test.py:5 | request | twisted.request.http.Request |
-| test.py:6 | request | twisted.request.http.Request |
-| test.py:9 | request | twisted.request.http.Request |
-| test.py:10 | request | twisted.request.http.Request |
-| test.py:11 | Attribute | externally controlled string |
-| test.py:11 | x | twisted.request.http.Request |
-| test.py:12 | request | twisted.request.http.Request |
-| test.py:13 | request | twisted.request.http.Request |
-| test.py:16 | request | twisted.request.http.Request |
-| test.py:17 | Attribute | {[externally controlled string]} |
-| test.py:17 | request | twisted.request.http.Request |
-| test.py:18 | Attribute | {[externally controlled string]} |
-| test.py:18 | Attribute() | [externally controlled string] |
-| test.py:18 | request | twisted.request.http.Request |
-| test.py:19 | Subscript | externally controlled string |
-| test.py:19 | foo | [externally controlled string] |
-| test.py:20 | quux | externally controlled string |
-| test.py:24 | request | twisted.request.http.Request |
-| test.py:25 | request | twisted.request.http.Request |
-| test.py:28 | myrequest | twisted.request.http.Request |
-| test.py:29 | myrequest | twisted.request.http.Request |
-| test.py:31 | postrequest | twisted.request.http.Request |
-| test.py:32 | Attribute() | externally controlled string |
-| test.py:32 | postrequest | twisted.request.http.Request |
-| test.py:33 | Attribute() | externally controlled string |
-| test.py:33 | postrequest | twisted.request.http.Request |
-| test.py:34 | Attribute() | externally controlled string |
-| test.py:34 | postrequest | twisted.request.http.Request |
-| test.py:35 | Attribute() | externally controlled string |
-| test.py:35 | postrequest | twisted.request.http.Request |
-| test.py:36 | w | externally controlled string |
-| test.py:36 | x | externally controlled string |
-| test.py:36 | y | externally controlled string |
-| test.py:36 | z | externally controlled string |
-| test.py:39 | request | twisted.request.http.Request |
-| test.py:40 | request | twisted.request.http.Request |
-| test.py:43 | request | twisted.request.http.Request |
-| test.py:44 | request | twisted.request.http.Request |
-| test.py:45 | request | twisted.request.http.Request |
diff --git a/python/ql/test/library-tests/web/twisted/Taint.ql b/python/ql/test/library-tests/web/twisted/Taint.ql
deleted file mode 100644
index e92616b6b29..00000000000
--- a/python/ql/test/library-tests/web/twisted/Taint.ql
+++ /dev/null
@@ -1,8 +0,0 @@
-import python
-import semmle.python.TestUtils
-import semmle.python.web.HttpRequest
-import semmle.python.web.HttpResponse
-import semmle.python.security.strings.Untrusted
-
-from TaintedNode node
-select remove_library_prefix(node.getLocation()), node.getAstNode().toString(), node.getTaintKind()
diff --git a/python/ql/test/library-tests/web/twisted/options b/python/ql/test/library-tests/web/twisted/options
deleted file mode 100644
index 4084b102b55..00000000000
--- a/python/ql/test/library-tests/web/twisted/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: --max-import-depth=1 -p ../../../query-tests/Security/lib/
diff --git a/python/ql/test/library-tests/web/twisted/test.py b/python/ql/test/library-tests/web/twisted/test.py
deleted file mode 100644
index f6691b84d95..00000000000
--- a/python/ql/test/library-tests/web/twisted/test.py
+++ /dev/null
@@ -1,51 +0,0 @@
-from twisted.web import resource
-
-class MyRequestHandler1(resource.Resource):
- def render(self, request):
- foo(request.uri)
- response = do_stuff_with(request)
- return response
-
- def render_GET(self, request):
- x = request
- bar(x.uri)
- do_stuff_with(request)
- response = do_stuff_with(request)
- return response
-
- def render_POST(self, request):
- baz(request.args)
- foo = request.args.get("baz")
- quux = foo[5]
- response = do_stuff_with(quux)
- return response
-
-class MyRequestHandler2(resource.Resource):
- def myrender(self, request):
- do_stuff_with(request)
-
-class MyRequestHandler3(resource.Resource):
- def render(self, myrequest):
- do_stuff_with(myrequest)
-
- def render_POST(self, postrequest):
- x = postrequest.getHeader("someheader")
- y = postrequest.getCookie("somecookie")
- z = postrequest.getUser()
- w = postrequest.getPassword()
- return do_stuff_with(x,y,z,w)
-
-class MyRequestHandler4(resource.Resource):
- def render(self, request):
- request.write("Foobar")
-
-class MyRequestHandler5(resource.Resource):
- def render(self, request):
- request.setHeader("foo", "bar")
- request.addCookie("key", "value")
- return "This is my response."
-
-class NotATwistedRequestHandler(object):
- def render(self, request):
- return do_stuff_with(request)
-
diff --git a/python/tools/recorded-call-graph-metrics/ql/lib/BytecodeExpr.qll b/python/tools/recorded-call-graph-metrics/ql/lib/BytecodeExpr.qll
index 4d1bfeb3859..c8d1acff57a 100644
--- a/python/tools/recorded-call-graph-metrics/ql/lib/BytecodeExpr.qll
+++ b/python/tools/recorded-call-graph-metrics/ql/lib/BytecodeExpr.qll
@@ -2,27 +2,18 @@ import python
abstract class XmlBytecodeExpr extends XmlElement { }
-/** DEPRECATED: Alias for XmlBytecodeExpr */
-deprecated class XMLBytecodeExpr = XmlBytecodeExpr;
-
class XmlBytecodeConst extends XmlBytecodeExpr {
XmlBytecodeConst() { this.hasName("BytecodeConst") }
string get_value_data_raw() { result = this.getAChild("value").getTextValue() }
}
-/** DEPRECATED: Alias for XmlBytecodeConst */
-deprecated class XMLBytecodeConst = XmlBytecodeConst;
-
class XmlBytecodeVariableName extends XmlBytecodeExpr {
XmlBytecodeVariableName() { this.hasName("BytecodeVariableName") }
string get_name_data() { result = this.getAChild("name").getTextValue() }
}
-/** DEPRECATED: Alias for XmlBytecodeVariableName */
-deprecated class XMLBytecodeVariableName = XmlBytecodeVariableName;
-
class XmlBytecodeAttribute extends XmlBytecodeExpr {
XmlBytecodeAttribute() { this.hasName("BytecodeAttribute") }
@@ -31,9 +22,6 @@ class XmlBytecodeAttribute extends XmlBytecodeExpr {
XmlBytecodeExpr get_object_data() { result.getParent() = this.getAChild("object") }
}
-/** DEPRECATED: Alias for XmlBytecodeAttribute */
-deprecated class XMLBytecodeAttribute = XmlBytecodeAttribute;
-
class XmlBytecodeSubscript extends XmlBytecodeExpr {
XmlBytecodeSubscript() { this.hasName("BytecodeSubscript") }
@@ -42,9 +30,6 @@ class XmlBytecodeSubscript extends XmlBytecodeExpr {
XmlBytecodeExpr get_object_data() { result.getParent() = this.getAChild("object") }
}
-/** DEPRECATED: Alias for XmlBytecodeSubscript */
-deprecated class XMLBytecodeSubscript = XmlBytecodeSubscript;
-
class XmlBytecodeTuple extends XmlBytecodeExpr {
XmlBytecodeTuple() { this.hasName("BytecodeTuple") }
@@ -53,9 +38,6 @@ class XmlBytecodeTuple extends XmlBytecodeExpr {
}
}
-/** DEPRECATED: Alias for XmlBytecodeTuple */
-deprecated class XMLBytecodeTuple = XmlBytecodeTuple;
-
class XmlBytecodeList extends XmlBytecodeExpr {
XmlBytecodeList() { this.hasName("BytecodeList") }
@@ -64,27 +46,18 @@ class XmlBytecodeList extends XmlBytecodeExpr {
}
}
-/** DEPRECATED: Alias for XmlBytecodeList */
-deprecated class XMLBytecodeList = XmlBytecodeList;
-
class XmlBytecodeCall extends XmlBytecodeExpr {
XmlBytecodeCall() { this.hasName("BytecodeCall") }
XmlBytecodeExpr get_function_data() { result.getParent() = this.getAChild("function") }
}
-/** DEPRECATED: Alias for XmlBytecodeCall */
-deprecated class XMLBytecodeCall = XmlBytecodeCall;
-
class XmlBytecodeUnknown extends XmlBytecodeExpr {
XmlBytecodeUnknown() { this.hasName("BytecodeUnknown") }
string get_opname_data() { result = this.getAChild("opname").getTextValue() }
}
-/** DEPRECATED: Alias for XmlBytecodeUnknown */
-deprecated class XMLBytecodeUnknown = XmlBytecodeUnknown;
-
class XmlBytecodeMakeFunction extends XmlBytecodeExpr {
XmlBytecodeMakeFunction() { this.hasName("BytecodeMakeFunction") }
@@ -93,14 +66,8 @@ class XmlBytecodeMakeFunction extends XmlBytecodeExpr {
}
}
-/** DEPRECATED: Alias for XmlBytecodeMakeFunction */
-deprecated class XMLBytecodeMakeFunction = XmlBytecodeMakeFunction;
-
class XmlSomethingInvolvingScaryBytecodeJump extends XmlBytecodeExpr {
XmlSomethingInvolvingScaryBytecodeJump() { this.hasName("SomethingInvolvingScaryBytecodeJump") }
string get_opname_data() { result = this.getAChild("opname").getTextValue() }
}
-
-/** DEPRECATED: Alias for XmlSomethingInvolvingScaryBytecodeJump */
-deprecated class XMLSomethingInvolvingScaryBytecodeJump = XmlSomethingInvolvingScaryBytecodeJump;
diff --git a/python/tools/recorded-call-graph-metrics/ql/lib/RecordedCalls.qll b/python/tools/recorded-call-graph-metrics/ql/lib/RecordedCalls.qll
index d6ad84ae3a1..4d0c11fa3fd 100644
--- a/python/tools/recorded-call-graph-metrics/ql/lib/RecordedCalls.qll
+++ b/python/tools/recorded-call-graph-metrics/ql/lib/RecordedCalls.qll
@@ -57,9 +57,6 @@ class XmlRecordedCall extends XmlElement {
}
}
-/** DEPRECATED: Alias for XmlRecordedCall */
-deprecated class XMLRecordedCall = XmlRecordedCall;
-
/** The XML data for the call part a recorded call. */
class XmlCall extends XmlElement {
XmlCall() { this.hasName("Call") }
@@ -110,15 +107,9 @@ class XmlCall extends XmlElement {
}
}
-/** DEPRECATED: Alias for XmlCall */
-deprecated class XMLCall = XmlCall;
-
/** The XML data for the callee part a recorded call. */
abstract class XmlCallee extends XmlElement { }
-/** DEPRECATED: Alias for XmlCallee */
-deprecated class XMLCallee = XmlCallee;
-
/** The XML data for the callee part a recorded call, when the callee is a Python function. */
class XmlPythonCallee extends XmlCallee {
XmlPythonCallee() { this.hasName("PythonCallee") }
@@ -140,9 +131,6 @@ class XmlPythonCallee extends XmlCallee {
}
}
-/** DEPRECATED: Alias for XmlPythonCallee */
-deprecated class XMLPythonCallee = XmlPythonCallee;
-
/** The XML data for the callee part a recorded call, when the callee is a C function or builtin. */
class XmlExternalCallee extends XmlCallee {
XmlExternalCallee() { this.hasName("ExternalCallee") }
@@ -161,9 +149,6 @@ class XmlExternalCallee extends XmlCallee {
}
}
-/** DEPRECATED: Alias for XmlExternalCallee */
-deprecated class XMLExternalCallee = XmlExternalCallee;
-
/**
* Helper predicate. If parent = `builtins` and qualname = `list.append`, it will
* return the result of `builtins.list.append`.class
diff --git a/ruby/ql/lib/change-notes/2023-05-27-unsafe-deserialization.md b/ruby/ql/lib/change-notes/2023-05-27-unsafe-deserialization.md
new file mode 100644
index 00000000000..4039e7c90dc
--- /dev/null
+++ b/ruby/ql/lib/change-notes/2023-05-27-unsafe-deserialization.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Additional sinks for `rb/unsafe-deserialization` have been added. This includes various methods from the `yaml` and `plist` gems, which deserialize YAML and Property List data, respectively.
diff --git a/ruby/ql/lib/codeql/ruby/Frameworks.qll b/ruby/ql/lib/codeql/ruby/Frameworks.qll
index 66b8bd71982..2052592b431 100644
--- a/ruby/ql/lib/codeql/ruby/Frameworks.qll
+++ b/ruby/ql/lib/codeql/ruby/Frameworks.qll
@@ -34,4 +34,5 @@ private import codeql.ruby.frameworks.Twirp
private import codeql.ruby.frameworks.Sqlite3
private import codeql.ruby.frameworks.Mysql2
private import codeql.ruby.frameworks.Pg
+private import codeql.ruby.frameworks.Yaml
private import codeql.ruby.frameworks.Sequel
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll b/ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll
new file mode 100644
index 00000000000..65596df7fe2
--- /dev/null
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides modeling for the `YAML` and `Psych` libraries.
+ */
+
+private import codeql.ruby.dataflow.FlowSteps
+private import codeql.ruby.DataFlow
+private import codeql.ruby.ApiGraphs
+
+/**
+ * A taint step related to the result of `YAML.parse` calls, or similar.
+ * In the following example, this step will propagate taint from
+ * `source` to `sink`:
+ *
+ * ```rb
+ * x = source
+ * result = YAML.parse(x)
+ * sink result.to_ruby # Unsafe call
+ * ```
+ */
+private class YamlParseStep extends AdditionalTaintStep {
+ override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(DataFlow::CallNode yamlParserMethod |
+ succ = yamlParserMethod.getAMethodCall("to_ruby") and
+ (
+ yamlParserMethod = yamlNode().getAMethodCall(["parse", "parse_stream"]) and
+ pred = [yamlParserMethod.getArgument(0), yamlParserMethod.getKeywordArgument("yaml")]
+ or
+ yamlParserMethod = yamlNode().getAMethodCall("parse_file") and
+ pred = [yamlParserMethod.getArgument(0), yamlParserMethod.getKeywordArgument("filename")]
+ )
+ )
+ }
+}
+
+private API::Node yamlNode() { result = API::getTopLevelMember(["YAML", "Psych"]) }
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
index 45e0888eacd..e38a38af2dc 100644
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
@@ -75,13 +75,34 @@ module UnsafeDeserialization {
}
/**
- * An argument in a call to `YAML.load`, considered a sink
+ * An argument in a call to `YAML.unsafe_*` and `YAML.load_stream` , considered a sink
* for unsafe deserialization. The `YAML` module is an alias of `Psych` in
* recent versions of Ruby.
*/
class YamlLoadArgument extends Sink {
YamlLoadArgument() {
- this = API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall("load").getArgument(0)
+ // Note: this is safe in psych/yaml >= 4.0.0.
+ this = yamlNode().getAMethodCall("load").getArgument(0)
+ or
+ this =
+ yamlNode().getAMethodCall(["unsafe_load_file", "unsafe_load", "load_stream"]).getArgument(0)
+ or
+ this = yamlNode().getAMethodCall(["unsafe_load", "load_stream"]).getKeywordArgument("yaml")
+ or
+ this = yamlNode().getAMethodCall("unsafe_load_file").getKeywordArgument("filename")
+ }
+ }
+
+ private API::Node yamlNode() { result = API::getTopLevelMember(["YAML", "Psych"]) }
+
+ /**
+ * An argument in a call to `YAML.parse*`, considered a sink for unsafe deserialization
+ * if there is a call to `to_ruby` on the returned value.
+ */
+ class YamlParseArgument extends Sink {
+ YamlParseArgument() {
+ this =
+ yamlNode().getAMethodCall(["parse", "parse_stream", "parse_file"]).getAMethodCall("to_ruby")
}
}
@@ -208,4 +229,23 @@ module UnsafeDeserialization {
)
}
}
+
+ /**
+ * An argument in a call to `Plist.parse_xml` where `marshal` is `true` (which is
+ * the default), considered a sink for unsafe deserialization.
+ */
+ class UnsafePlistParsexmlArgument extends Sink {
+ UnsafePlistParsexmlArgument() {
+ exists(DataFlow::CallNode plistParseXml |
+ plistParseXml = API::getTopLevelMember("Plist").getAMethodCall("parse_xml")
+ |
+ this = [plistParseXml.getArgument(0), plistParseXml.getKeywordArgument("filename_or_xml")] and
+ (
+ plistParseXml.getKeywordArgument("marshal").getConstantValue().isBoolean(true)
+ or
+ plistParseXml.getNumberOfArguments() = 1
+ )
+ )
+ }
+ }
}
diff --git a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp
index 406ba24935b..e361b62338e 100644
--- a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp
+++ b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp
@@ -17,6 +17,21 @@ libraries that support it, such as the Ruby standard library's JSON
module, ensure that the parser is configured to disable
deserialization of arbitrary objects.
+
+
+If deserializing an untrusted YAML document using the psych gem,
+prefer the safe_load and safe_load_file methods over
+load and load_file, as the former will safely
+handle untrusted data. Avoid passing untrusted data to the load_stream
+method. In psych version 4.0.0 and above, the load method can
+safely be used.
+
+
+
+To safely deserialize Property List
+files using the plist gem, ensure that you pass marshal: false
+when calling Plist.parse_xml.
+
@@ -27,6 +42,7 @@ on data from an HTTP request. Since these methods are capable of deserializing
to arbitrary objects, this is inherently unsafe.
+
Using JSON.parse and YAML.safe_load instead, as in the
following example, removes the vulnerability. Similarly, calling
@@ -55,6 +71,10 @@ Ruby documentation: security guidance on the YAML library.
+
+You can read that how unsafe yaml load methods can lead to code executions:
+Universal Deserialisation Gadget for Ruby 2.x-3.x .
+
diff --git a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/PlistUnsafeDeserialization.rb b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/PlistUnsafeDeserialization.rb
new file mode 100644
index 00000000000..63f64b5cd22
--- /dev/null
+++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/PlistUnsafeDeserialization.rb
@@ -0,0 +1,13 @@
+require 'yaml'
+class UsersController < ActionController::Base
+ def example
+ # not safe
+ result = Plist.parse_xml(params[:yaml_string])
+ result = Plist.parse_xml(params[:yaml_string], marshal: true)
+
+ # safe
+ result = Plist.parse_xml(params[:yaml_string], marshal: false)
+ end
+end
+
+
diff --git a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected
index 6fbbb14ef8a..b1f1d701a73 100644
--- a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected
+++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected
@@ -1,4 +1,6 @@
edges
+| PlistUnsafeDeserialization.rb:5:30:5:35 | call to params | PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] |
+| PlistUnsafeDeserialization.rb:6:30:6:35 | call to params | PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] |
| UnsafeDeserialization.rb:10:5:10:19 | serialized_data | UnsafeDeserialization.rb:11:27:11:41 | serialized_data |
| UnsafeDeserialization.rb:10:23:10:50 | call to decode64 | UnsafeDeserialization.rb:10:5:10:19 | serialized_data |
| UnsafeDeserialization.rb:10:39:10:44 | call to params | UnsafeDeserialization.rb:10:39:10:50 | ...[...] |
@@ -29,7 +31,21 @@ edges
| UnsafeDeserialization.rb:87:5:87:13 | yaml_data | UnsafeDeserialization.rb:88:25:88:33 | yaml_data |
| UnsafeDeserialization.rb:87:17:87:22 | call to params | UnsafeDeserialization.rb:87:17:87:28 | ...[...] |
| UnsafeDeserialization.rb:87:17:87:28 | ...[...] | UnsafeDeserialization.rb:87:5:87:13 | yaml_data |
+| YAMLUnsafeDeserialization.rb:5:16:5:21 | call to params | YAMLUnsafeDeserialization.rb:5:16:5:35 | ...[...] |
+| YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params | YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] |
+| YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params | YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] |
+| YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params | YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] |
+| YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params | YAMLUnsafeDeserialization.rb:14:39:14:58 | ...[...] |
+| YAMLUnsafeDeserialization.rb:14:39:14:58 | ...[...] | YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby |
+| YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params | YAMLUnsafeDeserialization.rb:16:17:16:36 | ...[...] |
+| YAMLUnsafeDeserialization.rb:16:17:16:36 | ...[...] | YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby |
+| YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params | YAMLUnsafeDeserialization.rb:17:22:17:39 | ...[...] |
+| YAMLUnsafeDeserialization.rb:17:22:17:39 | ...[...] | YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby |
nodes
+| PlistUnsafeDeserialization.rb:5:30:5:35 | call to params | semmle.label | call to params |
+| PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] | semmle.label | ...[...] |
+| PlistUnsafeDeserialization.rb:6:30:6:35 | call to params | semmle.label | call to params |
+| PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] | semmle.label | ...[...] |
| UnsafeDeserialization.rb:10:5:10:19 | serialized_data | semmle.label | serialized_data |
| UnsafeDeserialization.rb:10:23:10:50 | call to decode64 | semmle.label | call to decode64 |
| UnsafeDeserialization.rb:10:39:10:44 | call to params | semmle.label | call to params |
@@ -74,8 +90,27 @@ nodes
| UnsafeDeserialization.rb:98:24:98:32 | call to read | semmle.label | call to read |
| UnsafeDeserialization.rb:101:24:101:27 | call to gets | semmle.label | call to gets |
| UnsafeDeserialization.rb:104:24:104:32 | call to readlines | semmle.label | call to readlines |
+| YAMLUnsafeDeserialization.rb:5:16:5:21 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:5:16:5:35 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:14:39:14:58 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby | semmle.label | call to to_ruby |
+| YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby | semmle.label | call to to_ruby |
+| YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:16:17:16:36 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby | semmle.label | call to to_ruby |
+| YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:17:22:17:39 | ...[...] | semmle.label | ...[...] |
subpaths
#select
+| PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] | PlistUnsafeDeserialization.rb:5:30:5:35 | call to params | PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] | Unsafe deserialization depends on a $@. | PlistUnsafeDeserialization.rb:5:30:5:35 | call to params | user-provided value |
+| PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] | PlistUnsafeDeserialization.rb:6:30:6:35 | call to params | PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] | Unsafe deserialization depends on a $@. | PlistUnsafeDeserialization.rb:6:30:6:35 | call to params | user-provided value |
| UnsafeDeserialization.rb:11:27:11:41 | serialized_data | UnsafeDeserialization.rb:10:39:10:44 | call to params | UnsafeDeserialization.rb:11:27:11:41 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:10:39:10:44 | call to params | user-provided value |
| UnsafeDeserialization.rb:17:30:17:44 | serialized_data | UnsafeDeserialization.rb:16:39:16:44 | call to params | UnsafeDeserialization.rb:17:30:17:44 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:16:39:16:44 | call to params | user-provided value |
| UnsafeDeserialization.rb:23:24:23:32 | json_data | UnsafeDeserialization.rb:22:17:22:22 | call to params | UnsafeDeserialization.rb:23:24:23:32 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:22:17:22:22 | call to params | user-provided value |
@@ -91,3 +126,10 @@ subpaths
| UnsafeDeserialization.rb:98:24:98:32 | call to read | UnsafeDeserialization.rb:98:24:98:32 | call to read | UnsafeDeserialization.rb:98:24:98:32 | call to read | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:98:24:98:32 | call to read | value from stdin |
| UnsafeDeserialization.rb:101:24:101:27 | call to gets | UnsafeDeserialization.rb:101:24:101:27 | call to gets | UnsafeDeserialization.rb:101:24:101:27 | call to gets | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:101:24:101:27 | call to gets | value from stdin |
| UnsafeDeserialization.rb:104:24:104:32 | call to readlines | UnsafeDeserialization.rb:104:24:104:32 | call to readlines | UnsafeDeserialization.rb:104:24:104:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:104:24:104:32 | call to readlines | value from stdin |
+| YAMLUnsafeDeserialization.rb:5:16:5:35 | ...[...] | YAMLUnsafeDeserialization.rb:5:16:5:21 | call to params | YAMLUnsafeDeserialization.rb:5:16:5:35 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:5:16:5:21 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] | YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params | YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] | YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params | YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] | YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params | YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby | YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params | YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby | YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params | YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby | YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params | YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params | user-provided value |
diff --git a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/YAMLUnsafeDeserialization.rb b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/YAMLUnsafeDeserialization.rb
new file mode 100644
index 00000000000..6e836a0a049
--- /dev/null
+++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/YAMLUnsafeDeserialization.rb
@@ -0,0 +1,22 @@
+require 'yaml'
+class UsersController < ActionController::Base
+ def example
+ # safe
+ Psych.load(params[:yaml_string])
+ Psych.load_file(params[:yaml_file])
+ Psych.parse_stream(params[:yaml_string])
+ Psych.parse(params[:yaml_string])
+ Psych.parse_file(params[:yaml_file])
+ # unsafe
+ Psych.unsafe_load(params[:yaml_string])
+ Psych.unsafe_load_file(params[:yaml_file])
+ Psych.load_stream(params[:yaml_string])
+ parse_output = Psych.parse_stream(params[:yaml_string])
+ parse_output.to_ruby
+ Psych.parse(params[:yaml_string]).to_ruby
+ Psych.parse_file(params[:yaml_file]).to_ruby
+
+ end
+end
+
+