hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix flow steps from controller instance var assignement to view read access

Browse Source
This commit is contained in:
Alex Ford
2021-09-07 15:50:16 +01:00
parent b993723595
commit 3445a6a5e7
4 changed files with 51 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
ql/lib/codeql/ruby/security/ReflectedXSSCustomizations.qll
View File

@@ -139,15 +139,18 @@ module ReflectedXSS {
// instance variables in the controller
exists(
ActionControllerActionMethod action, VariableReadAccess viewVarRead,
VariableWriteAccess controllerVarWrite
AssignExpr ae, VariableWriteAccess controllerVarWrite
|
viewVarRead = node2.asExpr().(CfgNodes::ExprNodes::VariableReadAccessCfgNode).getExpr() and
action.getDefaultTemplateFile() = viewVarRead.getLocation().getFile() and
controllerVarWrite.getVariable() instanceof InstanceVariable and
// match read to write on variable name
viewVarRead.getVariable().getName() = controllerVarWrite.getVariable().getName() and
// TODO: include only final assignment along a path
node1.asExpr().getExpr() = controllerVarWrite and
controllerVarWrite.getParent+() = action
// propagate taint from assignment RHS expr to variable read access in view
node1.asExpr().getExpr() = ae.getRightOperand() and
ae.getLeftOperand() = controllerVarWrite and
ae.getParent+() = action
)
or
// flow from template into controller helper method

53
ql/test/query-tests/security/cwe-079/ReflectedXSS.expected
View File

@@ -1,38 +1,49 @@
edges
| app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params : | app/controllers/foo/bars_controller.rb:10:12:10:29 | ...[...] : |
| app/controllers/foo/bars_controller.rb:10:12:10:29 | ...[...] : | app/views/foo/bars/show.html.erb:46:5:46:13 | call to user_name |
| app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | app/controllers/foo/bars_controller.rb:20:53:20:54 | dt : |
| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt : | app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text |
| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt : | app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] |
| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt : | app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] |
| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt : | app/views/foo/bars/show.html.erb:33:3:33:14 | call to display_text |
| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt : | app/views/foo/bars/show.html.erb:43:76:43:87 | call to display_text : |
| app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... : | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
| app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... : | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
| app/views/foo/bars/show.html.erb:43:76:43:87 | call to display_text : | app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... : |
| app/views/foo/bars/show.html.erb:53:29:53:34 | call to params : | app/views/foo/bars/show.html.erb:53:29:53:44 | ...[...] |
| app/controllers/foo/bars_controller.rb:10:12:10:29 | ...[...] : | app/views/foo/bars/show.html.erb:54:5:54:13 | call to user_name |
| app/controllers/foo/bars_controller.rb:18:21:18:26 | call to params : | app/controllers/foo/bars_controller.rb:18:21:18:36 | ...[...] : |
| app/controllers/foo/bars_controller.rb:18:21:18:36 | ...[...] : | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website |
| app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | app/controllers/foo/bars_controller.rb:20:22:20:23 | dt : |
| app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | app/controllers/foo/bars_controller.rb:21:53:21:54 | dt : |
| app/controllers/foo/bars_controller.rb:20:22:20:23 | dt : | app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text |
| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt : | app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text |
| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt : | app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] |
| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt : | app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] |
| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt : | app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text |
| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt : | app/views/foo/bars/show.html.erb:51:76:51:87 | call to display_text : |
| app/views/foo/bars/show.html.erb:51:64:51:87 | ... + ... : | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
| app/views/foo/bars/show.html.erb:51:64:51:87 | ... + ... : | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
| app/views/foo/bars/show.html.erb:51:76:51:87 | call to display_text : | app/views/foo/bars/show.html.erb:51:64:51:87 | ... + ... : |
| app/views/foo/bars/show.html.erb:61:29:61:34 | call to params : | app/views/foo/bars/show.html.erb:61:29:61:44 | ...[...] |
nodes
| app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params : | semmle.label | call to params : |
| app/controllers/foo/bars_controller.rb:10:12:10:29 | ...[...] : | semmle.label | ...[...] : |
| app/controllers/foo/bars_controller.rb:18:21:18:26 | call to params : | semmle.label | call to params : |
| app/controllers/foo/bars_controller.rb:18:21:18:36 | ...[...] : | semmle.label | ...[...] : |
| app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | semmle.label | call to params : |
| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt : | semmle.label | dt : |
| app/controllers/foo/bars_controller.rb:20:22:20:23 | dt : | semmle.label | dt : |
| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt : | semmle.label | dt : |
| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | semmle.label | call to display_text |
| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | semmle.label | ...[...] |
| app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | semmle.label | @user_website |
| app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text | semmle.label | call to display_text |
| app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] | semmle.label | ...[...] |
| app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] | semmle.label | ...[...] |
| app/views/foo/bars/show.html.erb:33:3:33:14 | call to display_text | semmle.label | call to display_text |
| app/views/foo/bars/show.html.erb:43:64:43:87 | ... + ... : | semmle.label | ... + ... : |
| app/views/foo/bars/show.html.erb:43:76:43:87 | call to display_text : | semmle.label | call to display_text : |
| app/views/foo/bars/show.html.erb:46:5:46:13 | call to user_name | semmle.label | call to user_name |
| app/views/foo/bars/show.html.erb:53:29:53:34 | call to params : | semmle.label | call to params : |
| app/views/foo/bars/show.html.erb:53:29:53:44 | ...[...] | semmle.label | ...[...] |
| app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text | semmle.label | call to display_text |
| app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text | semmle.label | @instance_text |
| app/views/foo/bars/show.html.erb:51:64:51:87 | ... + ... : | semmle.label | ... + ... : |
| app/views/foo/bars/show.html.erb:51:76:51:87 | call to display_text : | semmle.label | call to display_text : |
| app/views/foo/bars/show.html.erb:54:5:54:13 | call to user_name | semmle.label | call to user_name |
| app/views/foo/bars/show.html.erb:61:29:61:34 | call to params : | semmle.label | call to params : |
| app/views/foo/bars/show.html.erb:61:29:61:44 | ...[...] | semmle.label | ...[...] |
#select
| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
| app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | app/controllers/foo/bars_controller.rb:18:21:18:26 | call to params : | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:18:21:18:26 | call to params | a user-provided value |
| app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
| app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
| app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
| app/views/foo/bars/show.html.erb:33:3:33:14 | call to display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | app/views/foo/bars/show.html.erb:33:3:33:14 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
| app/views/foo/bars/show.html.erb:46:5:46:13 | call to user_name | app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params : | app/views/foo/bars/show.html.erb:46:5:46:13 | call to user_name | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params | a user-provided value |
| app/views/foo/bars/show.html.erb:53:29:53:44 | ...[...] | app/views/foo/bars/show.html.erb:53:29:53:34 | call to params : | app/views/foo/bars/show.html.erb:53:29:53:44 | ...[...] | Cross-site scripting vulnerability due to $@. | app/views/foo/bars/show.html.erb:53:29:53:34 | call to params | a user-provided value |
| app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
| app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params : | app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
| app/views/foo/bars/show.html.erb:54:5:54:13 | call to user_name | app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params : | app/views/foo/bars/show.html.erb:54:5:54:13 | call to user_name | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params | a user-provided value |
| app/views/foo/bars/show.html.erb:61:29:61:44 | ...[...] | app/views/foo/bars/show.html.erb:61:29:61:34 | call to params : | app/views/foo/bars/show.html.erb:61:29:61:44 | ...[...] | Cross-site scripting vulnerability due to $@. | app/views/foo/bars/show.html.erb:61:29:61:34 | call to params | a user-provided value |

1
ql/test/query-tests/security/cwe-079/app/controllers/foo/bars_controller.rb
View File

@@ -17,6 +17,7 @@ class BarsController < ApplicationController
def show
@user_website = params[:website]
dt = params[:text]
@instance_text = dt
render "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
end
end

16
ql/test/query-tests/security/cwe-079/app/views/foo/bars/show.html.erb
View File

@@ -1,5 +1,5 @@
<%# BAD: An instance variable rendered without escaping %>
<a href="<%= raw user_website %>">website</a>
<a href="<%= raw @user_website %>">website</a>
<%# BAD: A local rendered raw as a local variable %>
<%= raw display_text %>
@@ -28,16 +28,24 @@
full_text
%>
<%# GOOD: default escaping of rendered text (from instance var) %>
<%= @instance_text %>
<%# BAD: html_safe marks string as not requiring HTML escaping %>
<%=
display_text.html_safe
%>
<%# BAD: html_safe marks string as not requiring HTML escaping %>
<%# TODO: we miss that `@display_text` is marked here %>
<%=
@display_text.html_safe
@display_text
@instance_text.html_safe
%>
<%# BAD: html_safe marks string as not requiring HTML escaping %>
<%# TODO: we miss that `@instance_text` is marked here %>
<%=
@instance_text.html_safe
@instance_text
%>
<%= render partial: 'foo/bars/widget', locals: { display_text: "widget_" + display_text } %>