Ruby: Restrict regexp taint flow to String summaries

2026-04-28 18:25:24 +02:00 · 2022-10-10 20:58:02 +02:00
parent 60fe370f2a
commit 6c2eee3eb8
3 changed files with 25 additions and 1 deletions
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -735,6 +735,9 @@ class SummaryNode extends NodeImpl, TSummaryNode {

  SummaryNode() { this = TSummaryNode(c, state) }

+  /** Gets the summarized callable that this node belongs to. */
+  FlowSummaryImpl::Public::SummarizedCallable getSummarizedCallable() { result = c }
+
  override CfgScope getCfgScope() { none() }

  override DataFlowCallable getEnclosingCallable() { result.asLibraryCallable() = c }
--- a/ruby/ql/lib/codeql/ruby/frameworks/core/String.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/core/String.qll
@@ -3,7 +3,7 @@
 private import codeql.ruby.AST
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.DataFlow
-private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.dataflow.FlowSummary as FlowSummary
 private import codeql.ruby.dataflow.internal.DataFlowDispatch
 private import codeql.ruby.controlflow.CfgNodes
 private import codeql.ruby.Regexp as RE
@@ -107,6 +107,18 @@ module String {
    preservesValue = false
  }

+  /** A `String` callable with a flow summary. */
+  abstract class SummarizedCallable extends FlowSummary::SummarizedCallable {
+    bindingset[this]
+    SummarizedCallable() { any() }
+  }
+
+  abstract private class SimpleSummarizedCallable extends SummarizedCallable,
+    FlowSummary::SimpleSummarizedCallable {
+    bindingset[this]
+    SimpleSummarizedCallable() { any() }
+  }
+
  private class NewSummary extends SummarizedCallable {
    NewSummary() { this = "String.new" }

--- a/ruby/ql/lib/codeql/ruby/regexp/internal/RegExpConfiguration.qll
+++ b/ruby/ql/lib/codeql/ruby/regexp/internal/RegExpConfiguration.qll
@@ -5,6 +5,10 @@ private import codeql.ruby.controlflow.CfgNodes
 private import codeql.ruby.dataflow.internal.tainttrackingforregexp.TaintTrackingImpl
 private import codeql.ruby.typetracking.TypeTracker
 private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+private import codeql.ruby.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
+private import codeql.ruby.dataflow.FlowSummary as FlowSummary
+private import codeql.ruby.frameworks.core.String

 class RegExpConfiguration extends Configuration {
  RegExpConfiguration() { this = "RegExpConfiguration" }
@@ -30,6 +34,11 @@ class RegExpConfiguration extends Configuration {
      node = mce.getArgument(0) and
      mce.getReceiver() = trackRegexpType()
    )
+    or
+    // only include taint flow through `String` summaries
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(_, node, false) and
+    not node.(DataFlowPrivate::SummaryNode).getSummarizedCallable() instanceof
+      String::SummarizedCallable
  }
 }