Ruby: Add basic model for Terrapin library

This commit is contained in:
Harry Maclean
2024-02-26 10:57:17 +00:00
parent 9d13a1ff51
commit 8bed3fbed4
3 changed files with 61 additions and 1 deletions


@@ -0,0 +1,41 @@
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: sourceModel
data: []
- addsTo:
pack: codeql/ruby-all
extensible: sinkModel
data:
- ["Terrapin::CommandLine!","Method[new].Argument[0]","command-injection"]
- ["Terrapin::CommandLine!","Method[new].Argument[1]","command-injection"]
- addsTo:
pack: codeql/ruby-all
extensible: summaryModel
data:
- ["Terrapin::CommandLine::Output!","Method[new]","Argument[1]","ReturnValue","value"]
- ["Terrapin::CommandLine!","Method[path=]","Argument[0]","ReturnValue","taint"]
- ["Terrapin::CommandLine!","Method[new]","Argument[2]","ReturnValue","taint"]
- addsTo:
pack: codeql/ruby-all
extensible: neutralModel
data: []
- addsTo:
pack: codeql/ruby-all
extensible: typeModel
data:
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine::MultiPipe","Method[output].ReturnValue"]
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine::FakeRunner","Method[call].ReturnValue"]
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine::ProcessRunner","Method[call].ReturnValue"]
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine!","Method[runner].ReturnValue.ReturnValue"]
- ["Terrapin::CommandLine::FakeRunner","Terrapin::CommandLine!","Method[runner].ReturnValue"]
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine!","Method[fake!].ReturnValue.ReturnValue"]
- ["Terrapin::CommandLine::FakeRunner","Terrapin::CommandLine!","Method[fake!].ReturnValue"]
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine","Method[output].ReturnValue"]
- ["Terrapin::CommandLineError","Terrapin::CommandNotFoundError",""]
- ["Terrapin::CommandLineError","Terrapin::ExitStatusError",""]
- ["Terrapin::CommandLineError","Terrapin::InterpolationError",""]
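Review bot: The summary `["Terrapin::CommandLine::Output!","Method[new]","Argument[1]","ReturnValue","value"]` asserts that the constructed Output object *is* its second argument, which is what a `value` step into a constructor's ReturnValue means; if the intent is that the argument is stored on the object and read back through an accessor, a content/field-based summary (or a summary on the accessor) would model that without conflating the object with its contents, and Argument[0] would presumably deserve the same treatment — worth confirming against Terrapin's `Output#initialize`. Likewise `["Terrapin::CommandLine!","Method[new]","Argument[2]","ReturnValue","taint"]` propagates taint from the options hash into the CommandLine object, but nothing in this file consumes taint on that object (`run` is deliberately not a sink, per the `# GOOD` case in this commit's test), so the step is either dead or serves a query not visible here and should say which. Finally, leaving `run`'s interpolation values out of the sinkModel rests on the assumption that Terrapin shell-escapes them; that assumption belongs next to the sink entries, e.g. `# CommandLine#run(interpolations) is intentionally not a sink: Terrapin is relied on to shell-escape interpolated values, so only the binary and the template (Argument[0]/[1] of new) are injectable.`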


@@ -21,6 +21,9 @@ edges
| CommandInjection.rb:103:9:103:12 | file | CommandInjection.rb:104:16:104:28 | "cat #{...}" | provenance | |
| CommandInjection.rb:103:16:103:21 | call to params | CommandInjection.rb:103:16:103:28 | ...[...] | provenance | |
| CommandInjection.rb:103:16:103:28 | ...[...] | CommandInjection.rb:103:9:103:12 | file | provenance | |
| CommandInjection.rb:111:33:111:38 | call to params | CommandInjection.rb:111:33:111:44 | ...[...] | provenance | |
| CommandInjection.rb:113:44:113:49 | call to params | CommandInjection.rb:113:44:113:54 | ...[...] | provenance | |
| CommandInjection.rb:113:44:113:54 | ...[...] | CommandInjection.rb:113:41:113:56 | "#{...}" | provenance | |
nodes
| CommandInjection.rb:6:9:6:11 | cmd | semmle.label | cmd |
| CommandInjection.rb:6:15:6:20 | call to params | semmle.label | call to params |
@@ -51,6 +54,11 @@ nodes
| CommandInjection.rb:103:16:103:21 | call to params | semmle.label | call to params |
| CommandInjection.rb:103:16:103:28 | ...[...] | semmle.label | ...[...] |
| CommandInjection.rb:104:16:104:28 | "cat #{...}" | semmle.label | "cat #{...}" |
| CommandInjection.rb:111:33:111:38 | call to params | semmle.label | call to params |
| CommandInjection.rb:111:33:111:44 | ...[...] | semmle.label | ...[...] |
| CommandInjection.rb:113:41:113:56 | "#{...}" | semmle.label | "#{...}" |
| CommandInjection.rb:113:44:113:49 | call to params | semmle.label | call to params |
| CommandInjection.rb:113:44:113:54 | ...[...] | semmle.label | ...[...] |
subpaths
#select
| CommandInjection.rb:7:10:7:15 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:7:10:7:15 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
@@ -67,3 +75,5 @@ subpaths
| CommandInjection.rb:82:14:82:34 | "echo #{...}" | CommandInjection.rb:81:23:81:33 | blah_number | CommandInjection.rb:82:14:82:34 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:81:23:81:33 | blah_number | user-provided value |
| CommandInjection.rb:91:14:91:39 | "echo #{...}" | CommandInjection.rb:91:22:91:37 | ...[...] | CommandInjection.rb:91:14:91:39 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:91:22:91:37 | ...[...] | user-provided value |
| CommandInjection.rb:104:16:104:28 | "cat #{...}" | CommandInjection.rb:103:16:103:21 | call to params | CommandInjection.rb:104:16:104:28 | "cat #{...}" | This command depends on a $@. | CommandInjection.rb:103:16:103:21 | call to params | user-provided value |
| CommandInjection.rb:111:33:111:44 | ...[...] | CommandInjection.rb:111:33:111:38 | call to params | CommandInjection.rb:111:33:111:44 | ...[...] | This command depends on a $@. | CommandInjection.rb:111:33:111:38 | call to params | user-provided value |
| CommandInjection.rb:113:41:113:56 | "#{...}" | CommandInjection.rb:113:44:113:49 | call to params | CommandInjection.rb:113:41:113:56 | "#{...}" | This command depends on a $@. | CommandInjection.rb:113:44:113:49 | call to params | user-provided value |


@@ -106,4 +106,13 @@ class Foo < ActionController::Base
system("cat #{file.shellescape}") # OK, because file is shell escaped
end
end
def index
Terrapin::CommandLine.new(params[:foo], "bar") # BAD
Terrapin::CommandLine.new("echo", "#{params[foo]}") # BAD
cmd = Terrapin::CommandLine.new("echo", ":msg")
cmd.run(msg: params[:foo]) # GOOD
end
end
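Review bot: `params[foo]` on the second BAD line looks like a typo for `params[:foo]`: `foo` is not a local variable here, so it is an undefined method call, and although CodeQL still extracts the file it obscures what the test is exercising; change it to `Terrapin::CommandLine.new("echo", "#{params[:foo]}") # BAD`. The `# GOOD` case should state why it is safe so the next reader does not reopen it, e.g. `cmd.run(msg: params[:foo]) # GOOD: run is not a sink; Terrapin is relied on to shell-escape interpolated values`. `class Foo < ActionController::Base` begins well before this hunk, and if it already defines an `index` action (not visible here) this second `def index` would silently redefine it, so a distinct action name such as `terrapin` would be safer.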