first draft of weak params query

2026-04-28 02:05:14 +02:00 · 2022-06-18 20:43:58 +00:00
parent 9fe238f20c
commit 83b720d730
4 changed files with 62 additions and 0 deletions
--- a/ruby/ql/src/experimental/weak-params/WeakParams.ql
+++ b/ruby/ql/src/experimental/weak-params/WeakParams.ql
@@ -0,0 +1,46 @@
+/**
+ * @name Weak or direct parameter references are used
+ * @description Directly checking request parameters without following a strong params pattern can lead to unintentional avenues for injection attacks.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 5.0
+ * @precision low
+ * @id rb/weak-params
+ * @tags security
+ */
+
+import ruby
+
+class WeakParams extends AstNode {
+  WeakParams() {
+    this instanceof UnspecificParamsMethod or
+    this instanceof ParamsReference
+  }
+}
+
+class StrongParamsMethod extends Method {
+  StrongParamsMethod() { this.getName().regexpMatch(".*_params") }
+}
+
+class UnspecificParamsMethod extends MethodCall {
+  UnspecificParamsMethod() {
+    (
+      this.getMethodName() = "expose_all" or
+      this.getMethodName() = "original_hash" or
+      this.getMethodName() = "path_parametes" or
+      this.getMethodName() = "query_parameters" or
+      this.getMethodName() = "request_parameters" or
+      this.getMethodName() = "GET" or
+      this.getMethodName() = "POST"
+    )
+  }
+}
+
+class ParamsReference extends ElementReference {
+  ParamsReference() { this.getAChild().toString() = "params" }
+}
+
+from WeakParams params
+where not params.getEnclosingMethod() instanceof StrongParamsMethod
+select params,
+  "By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects."
--- a/ruby/ql/test/query-tests/security/weak-params/WeakParams.expected
+++ b/ruby/ql/test/query-tests/security/weak-params/WeakParams.expected
--- a/ruby/ql/test/query-tests/security/weak-params/WeakParams.qlref
+++ b/ruby/ql/test/query-tests/security/weak-params/WeakParams.qlref
@@ -0,0 +1 @@
+experimental/weak-params/WeakParams.ql
--- a/ruby/ql/test/query-tests/security/weak-params/WeakParams.rb
+++ b/ruby/ql/test/query-tests/security/weak-params/WeakParams.rb
@@ -0,0 +1,15 @@
+class TestController < ActionController::Base
+  def create
+    TestObject.new(request.request_parameters)
+  end
+
+  def create_query
+    TestObject.new(request.query_parameters)
+  end
+
+  # 
+  def object_params
+    p = params.query_parameters
+    params.require(:uuid).permit(:notes)
+  end
+end