hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-24 16:25:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ruby: configsig rb/reflected-xss

Browse Source
This commit is contained in:
Alex Ford
2023-09-01 15:46:41 +01:00
parent ad2bbfb265
commit 593d9a48d4
3 changed files with 29 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll
View File

@@ -2,8 +2,8 @@
* Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
*
* Note, for performance reasons: only import this file if
* `ReflectedXSS::Configuration` is needed, otherwise
* `XSS::ReflectedXSS` should be imported instead.
* `ReflectedXssFlow` is needed, otherwise
* `XSS::ReflectedXss` should be imported instead.
*/
private import codeql.ruby.AST
@@ -12,14 +12,16 @@ import codeql.ruby.TaintTracking
/**
* Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
* DEPRECATED: Use `ReflectedXssFlow`
*/
module ReflectedXss {
deprecated module ReflectedXss {
import XSS::ReflectedXss
/**
* A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
* DEPRECATED: Use `ReflectedXssFlow`
*/
class Configuration extends TaintTracking::Configuration {
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "ReflectedXSS" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -37,3 +39,22 @@ module ReflectedXss {
}
}
}
private module ReflectedXssConfig implements DataFlow::ConfigSig {
private import XSS::ReflectedXss as RX
predicate isSource(DataFlow::Node source) { source instanceof RX::Source }
predicate isSink(DataFlow::Node sink) { sink instanceof RX::Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof RX::Sanitizer }
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
RX::isAdditionalXssTaintStep(node1, node2)
}
}
/**
* Taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities.
*/
module ReflectedXssFlow = TaintTracking::Global<ReflectedXssConfig>;

6
ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql
View File

@@ -15,9 +15,9 @@
import codeql.ruby.AST
import codeql.ruby.security.ReflectedXSSQuery
import DataFlow::PathGraph
import ReflectedXssFlow::PathGraph
from ReflectedXss::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
from ReflectedXssFlow::PathNode source, ReflectedXssFlow::PathNode sink
where ReflectedXssFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
source.getNode(), "user-provided value"

2
ruby/ql/test/query-tests/security/cwe-079/ReflectedXSS.expected
View File

@@ -9,9 +9,9 @@ edges
| app/controllers/foo/bars_controller.rb:17:21:17:26 | call to params | app/controllers/foo/bars_controller.rb:17:21:17:36 | ...[...] |
| app/controllers/foo/bars_controller.rb:17:21:17:36 | ...[...] | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website |
| app/controllers/foo/bars_controller.rb:18:5:18:6 | dt | app/controllers/foo/bars_controller.rb:19:22:19:23 | dt |
| app/controllers/foo/bars_controller.rb:18:5:18:6 | dt | app/controllers/foo/bars_controller.rb:26:53:26:54 | dt |
| app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params | app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] |
| app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] | app/controllers/foo/bars_controller.rb:18:5:18:6 | dt |
| app/controllers/foo/bars_controller.rb:19:22:19:23 | dt | app/controllers/foo/bars_controller.rb:26:53:26:54 | dt |
| app/controllers/foo/bars_controller.rb:19:22:19:23 | dt | app/views/foo/bars/show.html.erb:40:3:40:16 | @instance_text |
| app/controllers/foo/bars_controller.rb:24:39:24:44 | call to params | app/controllers/foo/bars_controller.rb:24:39:24:59 | ...[...] |
| app/controllers/foo/bars_controller.rb:24:39:24:59 | ...[...] | app/controllers/foo/bars_controller.rb:24:39:24:59 | ... = ... |