v2 add plist.parse_xml as a dangerous sink and enhancements on documents

2026-04-27 17:55:19 +02:00 · 2023-02-25 20:49:48 +01:00
parent 0521ffe175
commit 4360a56b45
16 changed files with 152 additions and 201 deletions
--- a/ruby/ql/src/experimental/CWE-502/YAMLUnsafeYamlDeserialization.qhelp
+++ b/ruby/ql/src/experimental/CWE-502/YAMLUnsafeYamlDeserialization.qhelp
@@ -1,20 +0,0 @@
-<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
-<qhelp>
-    <overview>
-        <p>
-            Processing an unvalidated user input can allow an attacker to execute arbitrary code in your application.
-            Unsafe deserializing the malicious serialized yaml document through the Psych (YAML) library, making it possible to execute some code or execute arbitrary code with the help of a complete gadget chain.
-        </p>
-    </overview>
-    <recommendation>
-        <p>
-            After Psych(YAML) 4.0.0, the load method is same as safe_load method.
-            This vulnerability can be prevented by using YAML.load (same as <code>YAML.safe_load</code>), <code>YAML.load_file</code> (same as <code>YAML.safe_load_file</code>) instead of <code>YAML.unsafe_*</code> methods.
-            Be careful that <code>YAML.load_stream</code> don't use safe_load method, Also Be careful the <code>to_ruby</code> method of Psych get called on a trusted parsed (<code>YAML.parse*</code>) yaml document.
-        </p>
-    </recommendation>
-    <example>
-        <p>In the example below, you can see safe and unsafe methods get called by a remote user input. You can give correct authorization to users, or you can use safe methods for loading yaml documents.</p>
-        <sample src="YAMLUnsafeYamlDeserialization.rb" />
-    </example>
-</qhelp>
--- a/ruby/ql/src/experimental/CWE-502/YAMLUnsafeYamlDeserialization.ql
+++ b/ruby/ql/src/experimental/CWE-502/YAMLUnsafeYamlDeserialization.ql
@@ -1,88 +0,0 @@
-/**
- * @name Deserialization of user-controlled data by YAML
- * @description Deserializing user-controlled data may allow attackers to
- *              execute arbitrary code.
- * @kind path-problem
- * @problem.severity warning
- * @security-severity 9.8
- * @precision high
- * @id rb/YAML-unsafe-deserialization
- * @tags security
- *       experimental
- *       external/cwe/cwe-502
- */
-
-import codeql.ruby.ApiGraphs
-import codeql.ruby.DataFlow
-import codeql.ruby.TaintTracking
-import DataFlow::PathGraph
-import codeql.ruby.security.UnsafeDeserializationCustomizations
-
-abstract class YamlSink extends DataFlow::Node { }
-
-class YamlUnsafeLoadArgument extends YamlSink {
-  YamlUnsafeLoadArgument() {
-    this =
-      API::getTopLevelMember(["YAML", "Psych"])
-          .getAMethodCall(["unsafe_load_file", "unsafe_load", "load_stream"])
-          .getArgument(0)
-    or
-    this =
-      API::getTopLevelMember(["YAML", "Psych"])
-          .getAMethodCall(["unsafe_load", "load_stream"])
-          .getKeywordArgument("yaml")
-    or
-    this =
-      API::getTopLevelMember(["YAML", "Psych"])
-          .getAMethodCall("unsafe_load_file")
-          .getKeywordArgument("filename")
-    or
-    this =
-      API::getTopLevelMember(["YAML", "Psych"])
-          .getAMethodCall(["parse", "parse_stream", "parse_file"])
-          .getAMethodCall("to_ruby")
-  }
-}
-
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnsafeYAMLDeserialization" }
-
-  override predicate isSource(DataFlow::Node source) {
-    // to detect CVE-2022-32224, we should uncomment following line instead of current UnsafeDeserialization::Source
-    // source instanceof DataFlow::LocalSourceNode
-    source instanceof UnsafeDeserialization::Source
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    // after changing the isSource for detecting CVE-2022-32224
-    // uncomment the following line only see the CVE sink not other files similar sinks
-    // sink.getLocation().getFile().toString().matches("%yaml_column%") and
-    sink instanceof YamlSink
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    exists(DataFlow::CallNode yaml_parser_methods |
-      yaml_parser_methods =
-        API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall(["parse", "parse_stream"]) and
-      (
-        nodeFrom = yaml_parser_methods.getArgument(0) or
-        nodeFrom = yaml_parser_methods.getKeywordArgument("yaml")
-      ) and
-      nodeTo = yaml_parser_methods.getAMethodCall("to_ruby")
-    )
-    or
-    exists(DataFlow::CallNode yaml_parser_methods |
-      yaml_parser_methods = API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall("parse_file") and
-      (
-        nodeFrom = yaml_parser_methods.getArgument(0) or
-        nodeFrom = yaml_parser_methods.getKeywordArgument("filename")
-      ) and
-      nodeTo = yaml_parser_methods.getAMethodCall("to_ruby")
-    )
-  }
-}
-
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
-  "potentially untrusted source"
--- a/ruby/ql/src/experimental/CWE-502/YAMLUnsafeYamlDeserialization.rb
+++ b/ruby/ql/src/experimental/CWE-502/YAMLUnsafeYamlDeserialization.rb
@@ -1,22 +0,0 @@
-require 'yaml'
-class UsersController < ActionController::Base
-  def example
-    # safe
-    Psych.load(params[:yaml_string])
-    Psych.load_file(params[:yaml_file])
-    Psych.parse_stream(params[:yaml_string])
-    Psych.parse(params[:yaml_string])
-    Psych.parse_file(params[:yaml_file])
-    # unsafe
-    Psych.unsafe_load(params[:yaml_string])
-    Psych.unsafe_load_file(params[:yaml_file])
-    Psych.load_stream(params[:yaml_string])
-    parse_output = Psych.parse_stream(params[:yaml_string])
-    parse_output.to_ruby
-    Psych.parse(params[:yaml_string]).to_ruby
-    Psych.parse_file(params[:yaml_file]).to_ruby
-
-  end
-end
-
-
--- a/ruby/ql/src/experimental/cwe-502/PlistUnsafeYamlDeserialization.qhelp
+++ b/ruby/ql/src/experimental/cwe-502/PlistUnsafeYamlDeserialization.qhelp
@@ -0,0 +1,25 @@
+<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+            Processing an unvalidated user input can allow an attacker to execute arbitrary code in your application.
+            Unsafe deserializing the malicious serialized xml document through the Plist library, making it possible to execute some code or execute arbitrary code with the help of a complete gadget chain.
+        </p>
+    </overview>
+    <recommendation>
+        <p>
+            This vulnerability can be prevented by using <code>Plist.parse_xml</code>.
+        </p>
+    </recommendation>
+    <example>
+        <p>In the example below, you can see safe and unsafe call of this dangerous method that can be abused by a remote user input. You can use "marshal: false" as an arugument for <code>Plist.parse_xml</code> to use it safe.
+        </p>
+        <sample src="PlistUnsafeYamlDeserialization.rb" />
+    </example>
+    <references>
+    <li>
+    Security considerations from library documentation
+    <a href="https://github.com/patsplat/plist#label-Security+considerations">patsplat/plist</a>.
+    </li>
+    </references>
+</qhelp>
--- a/ruby/ql/src/experimental/cwe-502/PlistUnsafeYamlDeserialization.ql
+++ b/ruby/ql/src/experimental/cwe-502/PlistUnsafeYamlDeserialization.ql
@@ -0,0 +1,68 @@
+/**
+ * @name Unsafe Deserialization of user-controlled data by Plist
+ * @description Deserializing user-controlled data may allow attackers to
+ *              execute arbitrary code.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 9.8
+ * @precision high
+ * @id rb/Plist-unsafe-deserialization
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-502
+ */
+
+import codeql.ruby.ApiGraphs
+import codeql.ruby.DataFlow
+import codeql.ruby.TaintTracking
+import codeql.ruby.CFG
+import DataFlow::PathGraph
+import codeql.ruby.security.UnsafeDeserializationCustomizations
+
+abstract class PlistUnsafeSinks extends DataFlow::Node { }
+
+/**
+ * check whether an input argument has desired "key: value" input or not.
+ * borrowed from UnsafeDeserialization module with some changes
+ */
+predicate checkkeyBalue(CfgNodes::ExprNodes::PairCfgNode p, string key, string value) {
+  p.getKey().getConstantValue().isStringlikeValue(key) and
+  DataFlow::exprNode(p.getValue()).getALocalSource().getConstantValue().toString() = value
+}
+
+/**
+ * An argument in a call to `Plist.parse_xml` where the marshal is `true` (which is
+ * the default), considered a sink for unsafe deserialization.
+ * borrowed from UnsafeDeserialization module with some changes
+ */
+class UnsafePlistParsexmlArgument extends PlistUnsafeSinks {
+  UnsafePlistParsexmlArgument() {
+    exists(DataFlow::CallNode plistParsexml |
+      plistParsexml = API::getTopLevelMember("Plist").getAMethodCall("parse_xml")
+    |
+      this = [plistParsexml.getArgument(0), plistParsexml.getKeywordArgument("filename_or_xml")] and
+      // Exclude calls that explicitly pass a safe mode option.
+      checkkeyBalue(plistParsexml.getArgument(1).asExpr(), "marshal", "true")
+      or
+      this = [plistParsexml.getArgument(0), plistParsexml.getKeywordArgument("filename_or_xml")] and
+      plistParsexml.getNumberOfArguments() = 1
+    )
+  }
+}
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "PlistUnsafeDeserialization" }
+
+  override predicate isSource(DataFlow::Node source) {
+    // to detect CVE-2021-33575, we should uncomment following line instead of current UnsafeDeserialization::Source
+    // source instanceof DataFlow::LocalSourceNode
+    source instanceof UnsafeDeserialization::Source
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof PlistUnsafeSinks }
+}
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
+  "potentially untrusted source"
--- a/ruby/ql/src/experimental/cwe-502/PlistUnsafeYamlDeserialization.rb
+++ b/ruby/ql/src/experimental/cwe-502/PlistUnsafeYamlDeserialization.rb
@@ -0,0 +1,13 @@
+require 'yaml'
+class UsersController < ActionController::Base
+  def example
+    # not safe
+    result = Plist.parse_xml(params[:yaml_string])
+    result = Plist.parse_xml(params[:yaml_string], marshal: true)
+
+    # safe
+    result = Plist.parse_xml(params[:yaml_string], marshal: false)
+  end
+end
+
+
--- a/ruby/ql/src/experimental/cwe-502/YAMLUnsafeYamlDeserialization.qhelp
+++ b/ruby/ql/src/experimental/cwe-502/YAMLUnsafeYamlDeserialization.qhelp
@@ -17,4 +17,10 @@
        <p>In the example below, you can see safe and unsafe methods get called by a remote user input. You can give correct authorization to users, or you can use safe methods for loading yaml documents.</p>
        <sample src="YAMLUnsafeYamlDeserialization.rb" />
    </example>
+    <references>
+    <li>
+    You can read that how unsafe yaml load methods can lead to code executions.
+    <a href="https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html">Universal Deserialisation Gadget for Ruby 2.x-3.x </a>.
+    </li>
+    </references>
 </qhelp>
--- a/ruby/ql/src/experimental/cwe-502/YAMLUnsafeYamlDeserialization.ql
+++ b/ruby/ql/src/experimental/cwe-502/YAMLUnsafeYamlDeserialization.ql
@@ -1,5 +1,5 @@
 /**
- * @name Deserialization of user-controlled data by YAML
+ * @name Unsafe Deserialization of user-controlled data by YAML
 * @description Deserializing user-controlled data may allow attackers to
 *              execute arbitrary code.
 * @kind path-problem
@@ -18,10 +18,10 @@ import codeql.ruby.TaintTracking
 import DataFlow::PathGraph
 import codeql.ruby.security.UnsafeDeserializationCustomizations

-abstract class YamlSink extends DataFlow::Node { }
+abstract class YamlUnsafeSinks extends DataFlow::Node { }

-class YamlUnsafeLoadArgument extends YamlSink {
-  YamlUnsafeLoadArgument() {
+class YamlUnsafeArgument extends YamlUnsafeSinks {
+  YamlUnsafeArgument() {
    this =
      API::getTopLevelMember(["YAML", "Psych"])
          .getAMethodCall(["unsafe_load_file", "unsafe_load", "load_stream"])
@@ -45,7 +45,7 @@ class YamlUnsafeLoadArgument extends YamlSink {
 }

 class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnsafeYAMLDeserialization" }
+  Configuration() { this = "YamlUnsafeDeserialization" }

  override predicate isSource(DataFlow::Node source) {
    // to detect CVE-2022-32224, we should uncomment following line instead of current UnsafeDeserialization::Source
@@ -57,7 +57,7 @@ class Configuration extends TaintTracking::Configuration {
    // after changing the isSource for detecting CVE-2022-32224
    // uncomment the following line only see the CVE sink not other files similar sinks
    // sink.getLocation().getFile().toString().matches("%yaml_column%") and
-    sink instanceof YamlSink
+    sink instanceof YamlUnsafeSinks
  }

  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
@@ -84,5 +84,5 @@ class Configuration extends TaintTracking::Configuration {

 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
+select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
  "potentially untrusted source"
--- a/ruby/ql/test/query-tests/experimental/Security/CWE-502/YAMLUnsafeYamlDeserialization.expected
+++ b/ruby/ql/test/query-tests/experimental/Security/CWE-502/YAMLUnsafeYamlDeserialization.expected
@@ -1,34 +0,0 @@
-edges
-| YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] |
-| YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params :  | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] |
-| YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] |
-| YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params :  | YAMLUnsafeYamlDeserialization.rb:14:39:14:58 | ...[...] :  |
-| YAMLUnsafeYamlDeserialization.rb:14:39:14:58 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby |
-| YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params :  | YAMLUnsafeYamlDeserialization.rb:16:17:16:36 | ...[...] :  |
-| YAMLUnsafeYamlDeserialization.rb:16:17:16:36 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby |
-| YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params :  | YAMLUnsafeYamlDeserialization.rb:17:22:17:39 | ...[...] :  |
-| YAMLUnsafeYamlDeserialization.rb:17:22:17:39 | ...[...] :  | YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby |
-nodes
-| YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | semmle.label | ...[...] |
-| YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | semmle.label | ...[...] |
-| YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | semmle.label | ...[...] |
-| YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeYamlDeserialization.rb:14:39:14:58 | ...[...] :  | semmle.label | ...[...] :  |
-| YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby | semmle.label | call to to_ruby |
-| YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby | semmle.label | call to to_ruby |
-| YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeYamlDeserialization.rb:16:17:16:36 | ...[...] :  | semmle.label | ...[...] :  |
-| YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby | semmle.label | call to to_ruby |
-| YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeYamlDeserialization.rb:17:22:17:39 | ...[...] :  | semmle.label | ...[...] :  |
-subpaths
-#select
-| YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params :  | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params :  | YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params :  | YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params :  | YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params | potentially untrusted source |
--- a/ruby/ql/test/query-tests/experimental/Security/CWE-502/YAMLUnsafeYamlDeserialization.qlref
+++ b/ruby/ql/test/query-tests/experimental/Security/CWE-502/YAMLUnsafeYamlDeserialization.qlref
@@ -1 +0,0 @@
-experimental/CWE-502/YAMLUnsafeYamlDeserialization.ql
--- a/ruby/ql/test/query-tests/experimental/Security/CWE-502/YAMLUnsafeYamlDeserialization.rb
+++ b/ruby/ql/test/query-tests/experimental/Security/CWE-502/YAMLUnsafeYamlDeserialization.rb
@@ -1,22 +0,0 @@
-require 'yaml'
-class UsersController < ActionController::Base
-  def example
-    # safe
-    Psych.load(params[:yaml_string])
-    Psych.load_file(params[:yaml_file])
-    Psych.parse_stream(params[:yaml_string])
-    Psych.parse(params[:yaml_string])
-    Psych.parse_file(params[:yaml_file])
-    # unsafe
-    Psych.unsafe_load(params[:yaml_string])
-    Psych.unsafe_load_file(params[:yaml_file])
-    Psych.load_stream(params[:yaml_string])
-    parse_output = Psych.parse_stream(params[:yaml_string])
-    parse_output.to_ruby
-    Psych.parse(params[:yaml_string]).to_ruby
-    Psych.parse_file(params[:yaml_file]).to_ruby
-
-  end
-end
-
-
--- a/ruby/ql/test/query-tests/experimental/Security/cwe-502/PlistUnsafeYamlDeserialization.expected
+++ b/ruby/ql/test/query-tests/experimental/Security/cwe-502/PlistUnsafeYamlDeserialization.expected
@@ -0,0 +1,12 @@
+edges
+| PlistUnsafeYamlDeserialization.rb:5:30:5:35 | call to params :  | PlistUnsafeYamlDeserialization.rb:5:30:5:49 | ...[...] |
+| PlistUnsafeYamlDeserialization.rb:6:30:6:35 | call to params :  | PlistUnsafeYamlDeserialization.rb:6:30:6:49 | ...[...] |
+nodes
+| PlistUnsafeYamlDeserialization.rb:5:30:5:35 | call to params :  | semmle.label | call to params :  |
+| PlistUnsafeYamlDeserialization.rb:5:30:5:49 | ...[...] | semmle.label | ...[...] |
+| PlistUnsafeYamlDeserialization.rb:6:30:6:35 | call to params :  | semmle.label | call to params :  |
+| PlistUnsafeYamlDeserialization.rb:6:30:6:49 | ...[...] | semmle.label | ...[...] |
+subpaths
+#select
+| PlistUnsafeYamlDeserialization.rb:5:30:5:49 | ...[...] | PlistUnsafeYamlDeserialization.rb:5:30:5:35 | call to params :  | PlistUnsafeYamlDeserialization.rb:5:30:5:49 | ...[...] | Unsafe deserialization depends on a $@. | PlistUnsafeYamlDeserialization.rb:5:30:5:35 | call to params | potentially untrusted source |
+| PlistUnsafeYamlDeserialization.rb:6:30:6:49 | ...[...] | PlistUnsafeYamlDeserialization.rb:6:30:6:35 | call to params :  | PlistUnsafeYamlDeserialization.rb:6:30:6:49 | ...[...] | Unsafe deserialization depends on a $@. | PlistUnsafeYamlDeserialization.rb:6:30:6:35 | call to params | potentially untrusted source |
--- a/ruby/ql/test/query-tests/experimental/Security/cwe-502/PlistUnsafeYamlDeserialization.qlref
+++ b/ruby/ql/test/query-tests/experimental/Security/cwe-502/PlistUnsafeYamlDeserialization.qlref
@@ -0,0 +1 @@
+experimental/cwe-502/PlistUnsafeYamlDeserialization.ql
--- a/ruby/ql/test/query-tests/experimental/Security/cwe-502/PlistUnsafeYamlDeserialization.rb
+++ b/ruby/ql/test/query-tests/experimental/Security/cwe-502/PlistUnsafeYamlDeserialization.rb
@@ -0,0 +1,13 @@
+require 'yaml'
+class UsersController < ActionController::Base
+  def example
+    # not safe
+    result = Plist.parse_xml(params[:yaml_string])
+    result = Plist.parse_xml(params[:yaml_string], marshal: true)
+
+    # safe
+    result = Plist.parse_xml(params[:yaml_string], marshal: false)
+  end
+end
+
+
--- a/ruby/ql/test/query-tests/experimental/Security/cwe-502/YAMLUnsafeYamlDeserialization.expected
+++ b/ruby/ql/test/query-tests/experimental/Security/cwe-502/YAMLUnsafeYamlDeserialization.expected
@@ -26,9 +26,9 @@ nodes
 | YAMLUnsafeYamlDeserialization.rb:17:22:17:39 | ...[...] :  | semmle.label | ...[...] :  |
 subpaths
 #select
-| YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params :  | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params :  | YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params :  | YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params | potentially untrusted source |
-| YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params :  | YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby | This file extraction depends on a $@. | YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params | potentially untrusted source |
+| YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:11:23:11:42 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeYamlDeserialization.rb:11:23:11:28 | call to params | potentially untrusted source |
+| YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params :  | YAMLUnsafeYamlDeserialization.rb:12:28:12:45 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeYamlDeserialization.rb:12:28:12:33 | call to params | potentially untrusted source |
+| YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params :  | YAMLUnsafeYamlDeserialization.rb:13:23:13:42 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeYamlDeserialization.rb:13:23:13:28 | call to params | potentially untrusted source |
+| YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params :  | YAMLUnsafeYamlDeserialization.rb:15:5:15:24 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeYamlDeserialization.rb:14:39:14:44 | call to params | potentially untrusted source |
+| YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params :  | YAMLUnsafeYamlDeserialization.rb:16:5:16:45 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeYamlDeserialization.rb:16:17:16:22 | call to params | potentially untrusted source |
+| YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby | YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params :  | YAMLUnsafeYamlDeserialization.rb:17:5:17:48 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeYamlDeserialization.rb:17:22:17:27 | call to params | potentially untrusted source |
--- a/ruby/ql/test/query-tests/experimental/Security/cwe-502/YAMLUnsafeYamlDeserialization.qlref
+++ b/ruby/ql/test/query-tests/experimental/Security/cwe-502/YAMLUnsafeYamlDeserialization.qlref
@@ -1 +1 @@
-experimental/CWE-502/YAMLUnsafeYamlDeserialization.ql
+experimental/cwe-502/YAMLUnsafeYamlDeserialization.ql
				`@@ -1 +0,0 @@`
				`experimental/CWE-502/YAMLUnsafeYamlDeserialization.ql`
				`@@ -0,0 +1 @@`
				`experimental/cwe-502/PlistUnsafeYamlDeserialization.ql`