Add query for Code Injection

This query finds cases where user input flows to an argument to `eval` or `send`, which can execute arbitrary Ruby code.
2026-05-03 20:58:03 +02:00 · 2021-09-14 10:58:25 +01:00
parent 916b844557
commit 95e50cedad
13 changed files with 294 additions and 0 deletions
--- a/ql/test/library-tests/frameworks/Eval.rb
+++ b/ql/test/library-tests/frameworks/Eval.rb
@@ -0,0 +1,23 @@
+# Uses of eval and send
+
+eval("raise \"error\"")
+send("raise", "error")
+
+a = []
+a.send("raise", "error")
+
+class Foo
+  def eval(x)
+    x + 1
+  end
+
+  def send(*args)
+    2
+  end
+
+  def run
+    eval("exit 1")
+  end
+end
+
+Foo.new.send("exit", 1)
--- a/ql/test/library-tests/frameworks/StandardLibrary.expected
+++ b/ql/test/library-tests/frameworks/StandardLibrary.expected
@@ -58,3 +58,8 @@ open3PipelineCallExecutions
 | CommandExecution.rb:63:1:63:40 | call to pipeline_w |
 | CommandExecution.rb:64:1:64:44 | call to pipeline_start |
 | CommandExecution.rb:65:1:65:38 | call to pipeline |
+evalCallCodeExecutions
+| Eval.rb:3:1:3:23 | call to eval |
+sendCallCodeExecutions
+| Eval.rb:4:1:4:22 | call to send |
+| Eval.rb:7:1:7:24 | call to send |
--- a/ql/test/library-tests/frameworks/StandardLibrary.ql
+++ b/ql/test/library-tests/frameworks/StandardLibrary.ql
@@ -13,3 +13,7 @@ query predicate kernelSpawnCallExecutions(KernelSpawnCall c) { any() }
 query predicate open3CallExecutions(Open3Call c) { any() }

 query predicate open3PipelineCallExecutions(Open3PipelineCall c) { any() }
+
+query predicate evalCallCodeExecutions(EvalCallCodeExecution e) { any() }
+
+query predicate sendCallCodeExecutions(SendCallCodeExecution e) { any() }
--- a/ql/test/query-tests/security/cwe-094/CodeInjection.expected
+++ b/ql/test/query-tests/security/cwe-094/CodeInjection.expected
@@ -0,0 +1,10 @@
+edges
+| CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:6:10:6:13 | code |
+nodes
+| CodeInjection.rb:3:12:3:17 | call to params :  | semmle.label | call to params :  |
+| CodeInjection.rb:6:10:6:13 | code | semmle.label | code |
+| CodeInjection.rb:9:10:9:15 | call to params | semmle.label | call to params |
+subpaths
+#select
+| CodeInjection.rb:6:10:6:13 | code | CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:6:10:6:13 | code | This code execution depends on $@. | CodeInjection.rb:3:12:3:17 | call to params | a user-provided value |
+| CodeInjection.rb:9:10:9:15 | call to params | CodeInjection.rb:9:10:9:15 | call to params | CodeInjection.rb:9:10:9:15 | call to params | This code execution depends on $@. | CodeInjection.rb:9:10:9:15 | call to params | a user-provided value |
--- a/ql/test/query-tests/security/cwe-094/CodeInjection.qlref
+++ b/ql/test/query-tests/security/cwe-094/CodeInjection.qlref
@@ -0,0 +1 @@
+queries/security/cwe-094/CodeInjection.ql
--- a/ql/test/query-tests/security/cwe-094/CodeInjection.rb
+++ b/ql/test/query-tests/security/cwe-094/CodeInjection.rb
@@ -0,0 +1,29 @@
+class UsersController < ActionController::Base
+  def create
+    code = params[:code]
+
+    # BAD
+    eval(code)
+
+    # BAD
+    eval(params)
+
+    # GOOD
+    Foo.new.bar(code)
+  end
+
+  def update
+    # GOOD
+    eval("foo")
+  end
+end
+
+class Foo
+  def eval(x)
+    true
+  end
+
+  def bar(x)
+    eval(x)
+  end
+end