Ruby: Add InsecureDependencyResolution query

This query looks for places in a Gemfile where URLs with insecure protocols (HTTP or FTP) are specified.
2025-12-22 11:46:32 +01:00 · 2022-03-30 13:35:49 +13:00
parent 8d21c8b7c5
commit 37cedda63a
9 changed files with 243 additions and 0 deletions
--- a/ruby/ql/src/queries/security/cwe-300/InsecureDependencyResolution.qhelp
+++ b/ruby/ql/src/queries/security/cwe-300/InsecureDependencyResolution.qhelp
@@ -0,0 +1,54 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Using an insecure protocol like HTTP or FTP to download dependencies makes the build process vulnerable to a 
+man-in-the-middle (MITM) attack.
+</p>
+<p>
+This can allow attackers to inject malicious code into the downloaded dependencies, and thereby 
+infect the build artifacts and execute arbitrary code on the machine building the artifacts.
+</p>
+
+</overview>
+<recommendation>
+
+<p>Always use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.</p>
+
+</recommendation>
+
+<example>
+<p>
+The below example shows a <code>Gemfile</code> that specifies a gem source using the insecure HTTP protocol.
+</p>
+<sample src="examples/bad_gemfile.rb" />
+<p>
+The fix is to change the protocol to HTTPS.
+</p>
+<sample src="examples/good_gemfile.rb" />
+</example>
+
+<references>
+<li>
+  Jonathan Leitschuh: 
+  <a href="https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb">
+    Want to take over the Java ecosystem? All you need is a MITM!
+  </a>
+</li>
+<li>
+  Max Veytsman: 
+  <a href="https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/">
+    How to take over the computer of any Java (or Clojure or Scala) Developer.
+  </a>
+</li>
+<li>
+  Wikipedia: <a href="https://en.wikipedia.org/wiki/Supply_chain_attack">Supply chain attack.</a>
+</li>
+<li>
+  Wikipedia: <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man-in-the-middle attack.</a>
+</li>
+</references>
+</qhelp>
--- a/ruby/ql/src/queries/security/cwe-300/InsecureDependencyResolution.ql
+++ b/ruby/ql/src/queries/security/cwe-300/InsecureDependencyResolution.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Dependency download using unencrypted communication channel
+ * @description Using unencrypted protocols to fetch dependencies can leave an application
+ *              open to man-in-the-middle attacks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.1
+ * @precision high
+ * @id rb/insecure-dependency
+ * @tags security
+ *       external/cwe/cwe-300
+ *       external/cwe/cwe-319
+ *       external/cwe/cwe-494
+ *       external/cwe/cwe-829
+ */
+
+import ruby
+import codeql.ruby.security.InsecureDependencyQuery
+
+from Expr url, string msg
+where insecureDependencyUrl(url, msg)
+select url, msg
--- a/ruby/ql/src/queries/security/cwe-300/examples/bad_gemfile.rb
+++ b/ruby/ql/src/queries/security/cwe-300/examples/bad_gemfile.rb
@@ -0,0 +1,3 @@
+source "http://rubygems.org"
+
+gem "my-gem-a", "1.2.3"
--- a/ruby/ql/src/queries/security/cwe-300/examples/good_gemfile.rb
+++ b/ruby/ql/src/queries/security/cwe-300/examples/good_gemfile.rb
@@ -0,0 +1,3 @@
+source "https://rubygems.org"
+
+gem "my-gem-a", "1.2.3"