Add taint step for Base64.decode64

2026-04-14 11:34:00 +02:00 · 2021-09-08 17:48:54 +01:00
parent adceb0a2a1
commit 9b9fc18605
2 changed files with 25 additions and 0 deletions
--- a/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
+++ b/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
@@ -25,6 +25,13 @@ module UnsafeDeserialization {
   */
  abstract class Sanitizer extends DataFlow::Node { }

+  /**
+   * Additional taint steps for "unsafe deserialization" vulnerabilities.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+    base64DecodeTaintStep(fromNode, toNode)
+  }
+
  /** A source of remote user input, considered as a flow source for unsafe deserialization. */
  class RemoteFlowSourceAsSource extends Source {
    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
@@ -59,4 +66,18 @@ module UnsafeDeserialization {
      this = API::getTopLevelMember("JSON").getAMethodCall(["load", "restore"]).getArgument(0)
    }
  }
+
+  /**
+   * `Base64.decode64` propagates taint from its argument to its return value.
+   */
+  predicate base64DecodeTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+    exists(DataFlow::CallNode callNode |
+      callNode =
+        API::getTopLevelMember("Base64")
+            .getAMethodCall(["decode64", "strict_decode64", "urlsafe_decode64"])
+    |
+      fromNode = callNode.getArgument(0) and
+      toNode = callNode
+    )
+  }
 }
--- a/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
+++ b/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
@@ -27,4 +27,8 @@ class Configuration extends TaintTracking::Configuration {
    super.isSanitizer(node) or
    node instanceof UnsafeDeserialization::Sanitizer
  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+    UnsafeDeserialization::isAdditionalTaintStep(fromNode, toNode)
+  }
 }