Merge remote-tracking branch 'origin/main' into polynomial_redos

2026-04-28 02:05:14 +02:00 · 2021-09-07 17:35:07 +01:00
parent 4d5928ae5a 8fbe5c0adf
commit 7666d856b7
26 changed files with 565 additions and 104 deletions
--- a/ql/test/query-tests/security/cwe-601/UrlRedirect.expected
+++ b/ql/test/query-tests/security/cwe-601/UrlRedirect.expected
@@ -0,0 +1,25 @@
+edges
+| UrlRedirect.rb:9:17:9:22 | call to params :  | UrlRedirect.rb:9:17:9:28 | ...[...] |
+| UrlRedirect.rb:14:17:14:22 | call to params :  | UrlRedirect.rb:14:17:14:43 | call to fetch |
+| UrlRedirect.rb:19:17:19:22 | call to params :  | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash |
+| UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:24:17:24:37 | call to filter_params |
+| UrlRedirect.rb:34:20:34:25 | call to params :  | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" |
+nodes
+| UrlRedirect.rb:4:17:4:22 | call to params | semmle.label | call to params |
+| UrlRedirect.rb:9:17:9:22 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:9:17:9:28 | ...[...] | semmle.label | ...[...] |
+| UrlRedirect.rb:14:17:14:22 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:14:17:14:43 | call to fetch | semmle.label | call to fetch |
+| UrlRedirect.rb:19:17:19:22 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | semmle.label | call to to_unsafe_hash |
+| UrlRedirect.rb:24:17:24:37 | call to filter_params | semmle.label | call to filter_params |
+| UrlRedirect.rb:24:31:24:36 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | semmle.label | "#{...}/foo" |
+| UrlRedirect.rb:34:20:34:25 | call to params :  | semmle.label | call to params :  |
+#select
+| UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | Untrusted URL redirection due to $@. | UrlRedirect.rb:4:17:4:22 | call to params | a user-provided value |
+| UrlRedirect.rb:9:17:9:28 | ...[...] | UrlRedirect.rb:9:17:9:22 | call to params :  | UrlRedirect.rb:9:17:9:28 | ...[...] | Untrusted URL redirection due to $@. | UrlRedirect.rb:9:17:9:22 | call to params | a user-provided value |
+| UrlRedirect.rb:14:17:14:43 | call to fetch | UrlRedirect.rb:14:17:14:22 | call to params :  | UrlRedirect.rb:14:17:14:43 | call to fetch | Untrusted URL redirection due to $@. | UrlRedirect.rb:14:17:14:22 | call to params | a user-provided value |
+| UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | UrlRedirect.rb:19:17:19:22 | call to params :  | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | Untrusted URL redirection due to $@. | UrlRedirect.rb:19:17:19:22 | call to params | a user-provided value |
+| UrlRedirect.rb:24:17:24:37 | call to filter_params | UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:24:17:24:37 | call to filter_params | Untrusted URL redirection due to $@. | UrlRedirect.rb:24:31:24:36 | call to params | a user-provided value |
+| UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | UrlRedirect.rb:34:20:34:25 | call to params :  | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | Untrusted URL redirection due to $@. | UrlRedirect.rb:34:20:34:25 | call to params | a user-provided value |
--- a/ql/test/query-tests/security/cwe-601/UrlRedirect.qlref
+++ b/ql/test/query-tests/security/cwe-601/UrlRedirect.qlref
@@ -0,0 +1 @@
+queries/security/cwe-601/UrlRedirect.ql
--- a/ql/test/query-tests/security/cwe-601/UrlRedirect.rb
+++ b/ql/test/query-tests/security/cwe-601/UrlRedirect.rb
@@ -0,0 +1,59 @@
+class UsersController < ActionController::Base
+  # BAD
+  def route1
+    redirect_to params
+  end
+
+  # BAD
+  def route2
+    redirect_to params[:key]
+  end
+
+  # BAD
+  def route3
+    redirect_to params.fetch(:specific_arg)
+  end
+
+  # BAD
+  def route4
+    redirect_to params.to_unsafe_hash
+  end
+
+  # BAD
+  def route5
+    redirect_to filter_params(params)
+  end
+
+  # GOOD
+  def route6
+    redirect_to "/foo/#{params[:key]}"
+  end
+
+  # BAD
+  def route7
+    redirect_to "#{params[:key]}/foo"
+  end
+
+  # GOOD
+  def route8
+    key = params[:key]
+    if key == "foo"
+      redirect_to key
+    else
+      redirect_to "/default"
+    end
+  end
+
+  # GOOD
+  # Technically vulnerable, but we assume this is a handler for a POST request,
+  # so can't be triggered by following a link.
+  def create
+    redirect_to params[:key]
+  end
+
+  private
+
+  def filter_params(input_params)
+    input_params.permit(:key)
+  end
+end