Merge branch 'main' into maikypedia/ldap-injection

ruby/ql/src/experimental/cwe-022-zipslip/ZipSlip.qhelp

@@ -4,16 +4,15 @@
 <qhelp>
 
 <overview>
-<p>Extracting files from a malicious tar archive without validating that the destination file path
-is within the destination directory can cause files outside the destination directory to be
-overwritten, due to the possible presence of directory traversal elements (<code>..</code>) in
-archive paths.</p>
+<p>Extracting files from a malicious zip file, or similar type of archive,
+is at risk of directory traversal attacks if filenames from the archive are
+not properly validated.</p>
 
 <p>Tar archives contain archive entries representing each file in the archive. These entries
 include a file path for the entry, but these file paths are not restricted and may contain
 unexpected special elements such as the directory traversal element (<code>..</code>). If these
-file paths are used to determine an output file to write the contents of the archive item to, then
-the file may be written to an unexpected location. This can result in sensitive information being
+file paths are used to create a filesystem path, then a file operation may happen in an 
+unexpected location. This can result in sensitive information being
 revealed or deleted, or an attacker being able to influence behavior by modifying unexpected
 files.</p>
 

ruby/ql/src/experimental/cwe-022-zipslip/ZipSlip.ql

@@ -1,8 +1,8 @@
 /**
- * @name Arbitrary file write during zipfile/tarfile extraction
- * @description Extracting files from a malicious tar archive without validating that the
- *              destination file path is within the destination directory can cause files outside
- *              the destination directory to be overwritten.
+ * @name Arbitrary file access during archive extraction ("Zip Slip")
+ * @description Extracting files from a malicious ZIP file, or similar type of archive, without
+ *              validating that the destination file path is within the destination directory
+ *              can allow an attacker to unexpectedly gain access to resources.
  * @kind path-problem
  * @id rb/zip-slip
  * @problem.severity error

ruby/ql/src/experimental/cwe-176/UnicodeBypassValidation.qhelp

@@ -0,0 +1,50 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>Security checks bypass due to a Unicode transformation</p>
+        <p>
+            If ever a unicode tranformation is performed after some security checks or logical
+            validation, the
+            latter could be bypassed due to a potential Unicode characters collision.
+            The validation of concern are any character escaping, any regex validation or any string
+            verification.
+        </p>
+    </overview>
+    <recommendation>
+        <p> Perform a Unicode normalization before the logical validation. </p>
+    </recommendation>
+    <example>
+
+        <p> The following example showcases the bypass of all checks performed by <code>
+            html_escape()</code> due to a post-unicode normalization.</p>
+        <p>For instance: the character U+FE64 (<code>﹤</code>) is not filtered-out by the
+            html_escape() function. But due to the Unicode normalization, the character is
+            transformed and would become U+003C (<code> &lt; </code> ).</p>
+
+        <sample src="./examples/unicode_normalization.rb" />
+
+    </example>
+    <example>
+
+        <p> The next example shows how an early deletion of a character may be bypassed due to a
+            potential Unicode character collision.</p>
+        <p>The character <code>&lt;</code> was expected to be omitted from the string <code>s</code>.
+            However, a malicious user may consider using its colliding Unicode character U+FE64 <code>
+            ﹤</code> as an alternative. Due to the Late-Unicode normalization with the form NFKC,
+            the resulting string would contain the unintended character <code>&lt;</code> . </p>
+
+        <sample src="./examples/unicode_normalization2.rb" />
+
+    </example>
+    <references>
+        <li> Research study: <a
+                href="https://gosecure.github.io/presentations/2021-02-unicode-owasp-toronto/philippe_arteau_owasp_unicode_v4.pdf">
+            Unicode vulnerabilities that could bYte you
+            </a>
+        </li>
+        <li>
+            <a
+                href="https://gosecure.github.io/unicode-pentester-cheatsheet/">Unicode pentest
+            cheatsheet</a>. </li>
+    </references>
+</qhelp>

ruby/ql/src/experimental/cwe-176/UnicodeBypassValidation.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Bypass Logical Validation Using Unicode Characters
+ * @description A Unicode transformation is using a remote user-controlled data. The transformation is a Unicode normalization using the algorithms "NFC" or "NFKC". In all cases, the security measures implemented or the logical validation performed to escape any injection characters, to validate using regex patterns or to perform string-based checks, before the Unicode transformation are **bypassable** by special Unicode characters.
+ * @kind path-problem
+ * @id rb/unicode-bypass-validation
+ * @precision high
+ * @problem.severity error
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-176
+ *       external/cwe/cwe-179
+ *       external/cwe/cwe-180
+ */
+
+import ruby
+import codeql.ruby.experimental.UnicodeBypassValidationQuery
+import DataFlow::PathGraph
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters.",
+  sink.getNode(), "Unicode transformation (Unicode normalization)", source.getNode(),
+  "remote user-controlled data"

ruby/ql/src/experimental/cwe-176/examples/unicode_normalization.rb

@@ -0,0 +1,10 @@
+require "erb"
+
+class UnicodeNormalizationHtMLSafeController < ActionController::Base
+  def unicodeNormalize
+    unicode_input = params[:unicode_input]
+    unicode_html_safe = ERB::Util.html_escape(unicode_input)
+    normalized_nfkc = unicode_html_safe.unicode_normalize(:nfkc) # $result=BAD
+    normalized_nfc = unicode_html_safe.unicode_normalize(:nfc) # $result=BAD
+  end
+end

ruby/ql/src/experimental/cwe-176/examples/unicode_normalization2.rb

@@ -0,0 +1,2 @@
+s = "﹤xss>"
+puts s.delete("<").unicode_normalize(:nfkc).include?("<")