Add Insecure Randomness Query (CWE-338)

ruby/ql/src/experimental/insecure-randomness/InsecureRandomness.qhelp

@@ -0,0 +1,55 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value, 
+such as a password, makes it easier for an attacker to predict the value.
+
+Pseudo-random number generators generate a sequence of numbers that only approximates the
+properties of random numbers. The sequence is not truly random because it is completely 
+determined by a relatively small set of initial values, the seed. If the random number generator is 
+cryptographically weak, then this sequence may be easily predictable through outside observations.
+</p>
+</overview>
+
+<recommendation>
+<p>
+When generating values for use in security-sensitive contexts, it's essential to utilize a 
+cryptographically secure pseudo-random number generator. As a general guideline, a value 
+should be deemed "security-sensitive" if its predictability would empower an attacker to 
+perform actions that would otherwise be beyond their reach. For instance, if an attacker could 
+predict a newly generated user's random password, they would gain unauthorized access to that user's 
+account.
+
+For Ruby, `SecureRandom` provides a cryptographically secure pseudo-random number generator. 
+`rand` is not cryptographically secure, and should be avoided in security contexts. 
+For contexts which are not security sensitive, Random may be preferable as it has a more convenient 
+interface.
+
+</p>
+</recommendation>
+
+<example>
+<p>
+The following examples show different ways of generating a password.
+</p>
+
+<p>The first example uses `Random.rand()` which is not for security purposes</p>
+
+<sample src="examples/InsecureRandomnessBad.rb" />
+
+<p>In the second example, the password is generated using `SecureRandom.random_bytes` which is a 
+cryptographically secure method.</p>
+
+<sample src="examples/InsecureRandomnessGood.rb" />
+</example>
+
+<references>
+<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Pseudorandom_number_generator">Pseudo-random number generator</a>.</li>
+<li>Common Weakness Enumeration: <a href="https://cwe.mitre.org/data/definitions/338.html">CWE-338</a>.</li>
+<li>Ruby-doc: <a href="https://ruby-doc.org/core-3.1.2/Random.html">Random</a>.</li>
+</references>
+</qhelp>

ruby/ql/src/experimental/insecure-randomness/InsecureRandomness.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Insecure randomness
+ * @description Using a cryptographically weak pseudo-random number generator to generate a
+ *              security-sensitive value may allow an attacker to predict what value will
+ *              be generated.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.8
+ * @precision high
+ * @id rb/insecure-randomness
+ * @tags security
+ *       external/cwe/cwe-338
+ */
+
+import codeql.ruby.DataFlow
+import codeql.ruby.security.InsecureRandomnessQuery
+import InsecureRandomnessFlow::PathGraph
+
+from InsecureRandomnessFlow::PathNode source, InsecureRandomnessFlow::PathNode sink
+where InsecureRandomnessFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "This uses a cryptographically insecure random number generated at $@ in a security context.",
+  source.getNode(), source.getNode().toString()

ruby/ql/src/experimental/insecure-randomness/examples/InsecureRandomnessBad.rb

@@ -0,0 +1,7 @@
+def generate_password()
+  chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['!', '@', '#', '$', '%']
+  # BAD: rand is not cryptographically secure
+  password = (1..10).collect { chars[rand(chars.size)] }.join
+end
+
+password = generate_password

ruby/ql/src/experimental/insecure-randomness/examples/InsecureRandomnessGood.rb

@@ -0,0 +1,12 @@
+require 'securerandom'
+
+def generate_password()
+  chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['!', '@', '#', '$', '%']
+
+  # GOOD: SecureRandom is cryptographically secure
+  password = SecureRandom.random_bytes(10).each_byte.map do |byte|
+    chars[byte % chars.length]
+  end.join
+end
+
+password = generate_password()