hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 12:45:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12208 from gregxsunday/main

Browse Source 
Add ZipSlip and TarSlip query to ruby
This commit is contained in:
Arthur Baars
2023-03-06 10:40:06 +01:00
committed by GitHub
parent b8e123dc08 48007d14d5
commit d2ab40c184
10 changed files with 513 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.expected Normal file
View File

@@ -0,0 +1,54 @@
edges
| zip_slip.rb:8:15:8:54 | call to new : | zip_slip.rb:9:5:9:11 | tarfile : |
| zip_slip.rb:9:5:9:11 | tarfile : | zip_slip.rb:9:22:9:26 | entry : |
| zip_slip.rb:9:22:9:26 | entry : | zip_slip.rb:10:19:10:33 | call to full_name |
| zip_slip.rb:20:50:20:56 | tarfile : | zip_slip.rb:21:7:21:13 | tarfile : |
| zip_slip.rb:21:7:21:13 | tarfile : | zip_slip.rb:21:30:21:34 | entry : |
| zip_slip.rb:21:30:21:34 | entry : | zip_slip.rb:22:21:22:35 | call to full_name |
| zip_slip.rb:46:5:46:24 | call to open : | zip_slip.rb:46:35:46:39 | entry : |
| zip_slip.rb:46:35:46:39 | entry : | zip_slip.rb:47:17:47:26 | call to name |
| zip_slip.rb:56:30:56:37 | zip_file : | zip_slip.rb:57:7:57:14 | zip_file : |
| zip_slip.rb:57:7:57:14 | zip_file : | zip_slip.rb:57:25:57:29 | entry : |
| zip_slip.rb:57:25:57:29 | entry : | zip_slip.rb:58:19:58:28 | call to name |
| zip_slip.rb:90:12:90:54 | call to open : | zip_slip.rb:91:11:91:14 | gzip : |
| zip_slip.rb:91:11:91:14 | gzip : | zip_slip.rb:97:42:97:56 | compressed_file : |
| zip_slip.rb:97:42:97:56 | compressed_file : | zip_slip.rb:98:7:98:21 | compressed_file : |
| zip_slip.rb:98:7:98:21 | compressed_file : | zip_slip.rb:98:32:98:36 | entry : |
| zip_slip.rb:98:32:98:36 | entry : | zip_slip.rb:100:21:100:30 | entry_path |
| zip_slip.rb:123:12:123:34 | call to new : | zip_slip.rb:124:7:124:8 | gz : |
| zip_slip.rb:124:7:124:8 | gz : | zip_slip.rb:124:19:124:23 | entry : |
| zip_slip.rb:124:19:124:23 | entry : | zip_slip.rb:126:21:126:30 | entry_path |
nodes
| zip_slip.rb:8:15:8:54 | call to new : | semmle.label | call to new : |
| zip_slip.rb:9:5:9:11 | tarfile : | semmle.label | tarfile : |
| zip_slip.rb:9:22:9:26 | entry : | semmle.label | entry : |
| zip_slip.rb:10:19:10:33 | call to full_name | semmle.label | call to full_name |
| zip_slip.rb:20:50:20:56 | tarfile : | semmle.label | tarfile : |
| zip_slip.rb:21:7:21:13 | tarfile : | semmle.label | tarfile : |
| zip_slip.rb:21:30:21:34 | entry : | semmle.label | entry : |
| zip_slip.rb:22:21:22:35 | call to full_name | semmle.label | call to full_name |
| zip_slip.rb:46:5:46:24 | call to open : | semmle.label | call to open : |
| zip_slip.rb:46:35:46:39 | entry : | semmle.label | entry : |
| zip_slip.rb:47:17:47:26 | call to name | semmle.label | call to name |
| zip_slip.rb:56:30:56:37 | zip_file : | semmle.label | zip_file : |
| zip_slip.rb:57:7:57:14 | zip_file : | semmle.label | zip_file : |
| zip_slip.rb:57:25:57:29 | entry : | semmle.label | entry : |
| zip_slip.rb:58:19:58:28 | call to name | semmle.label | call to name |
| zip_slip.rb:90:12:90:54 | call to open : | semmle.label | call to open : |
| zip_slip.rb:91:11:91:14 | gzip : | semmle.label | gzip : |
| zip_slip.rb:97:42:97:56 | compressed_file : | semmle.label | compressed_file : |
| zip_slip.rb:98:7:98:21 | compressed_file : | semmle.label | compressed_file : |
| zip_slip.rb:98:32:98:36 | entry : | semmle.label | entry : |
| zip_slip.rb:100:21:100:30 | entry_path | semmle.label | entry_path |
| zip_slip.rb:123:12:123:34 | call to new : | semmle.label | call to new : |
| zip_slip.rb:124:7:124:8 | gz : | semmle.label | gz : |
| zip_slip.rb:124:19:124:23 | entry : | semmle.label | entry : |
| zip_slip.rb:126:21:126:30 | entry_path | semmle.label | entry_path |
subpaths
#select
| zip_slip.rb:10:19:10:33 | call to full_name | zip_slip.rb:8:15:8:54 | call to new : | zip_slip.rb:10:19:10:33 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:8:15:8:54 | call to new | potentially untrusted source |
| zip_slip.rb:22:21:22:35 | call to full_name | zip_slip.rb:20:50:20:56 | tarfile : | zip_slip.rb:22:21:22:35 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:20:50:20:56 | tarfile | potentially untrusted source |
| zip_slip.rb:47:17:47:26 | call to name | zip_slip.rb:46:5:46:24 | call to open : | zip_slip.rb:47:17:47:26 | call to name | This file extraction depends on a $@. | zip_slip.rb:46:5:46:24 | call to open | potentially untrusted source |
| zip_slip.rb:58:19:58:28 | call to name | zip_slip.rb:56:30:56:37 | zip_file : | zip_slip.rb:58:19:58:28 | call to name | This file extraction depends on a $@. | zip_slip.rb:56:30:56:37 | zip_file | potentially untrusted source |
| zip_slip.rb:100:21:100:30 | entry_path | zip_slip.rb:90:12:90:54 | call to open : | zip_slip.rb:100:21:100:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:90:12:90:54 | call to open | potentially untrusted source |
| zip_slip.rb:126:21:126:30 | entry_path | zip_slip.rb:123:12:123:34 | call to new : | zip_slip.rb:126:21:126:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:123:12:123:34 | call to new | potentially untrusted source |

1
ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/cwe-022-zipslip/ZipSlip.ql

133
ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/zip_slip.rb Normal file
View File

@@ -0,0 +1,133 @@
require 'zip'
class TestController < ActionController::Base
# BAD
def tarReaderUnsafe
path = params[:path]
file_stream = IO.new(IO.sysopen(path))
tarfile = Gem::Package::TarReader.new(file_stream)
tarfile.each do |entry|
::File.open(entry.full_name, "wb") do |os|
entry.read
end
end
end
# BAD
def tarReaderBlockUnsafe
path = params[:path]
file_stream = IO.new(IO.sysopen(path))
Gem::Package::TarReader.new(file_stream) do |tarfile|
tarfile.each_entry do |entry|
::File.open(entry.full_name, "wb") do |os|
entry.read
end
end
end
end
# GOOD
def tarReadeSanitizedExpandPath
path = params[:path]
file_stream = IO.new(IO.sysopen(path))
tarfile = Gem::Package::TarReader.new(file_stream)
tarfile.each do |entry|
entry_path = entry.full_name
next if !File.expand_path(entry_path).start_with?("/safepath/")
::File.open(entry_path, "wb") do |os|
entry.read
end
end
end
# BAD
def zipFileUnsafe
path = params[:path]
Zip::File.open(path).each do |entry|
File.open(entry.name, "wb") do |os|
entry.read
end
end
end
# BAD
def zipFileBlockUnsafe
path = params[:path]
Zip::File.open(path) do |zip_file|
zip_file.each do |entry|
File.open(entry.name, "wb") do |os|
entry.read
end
end
end
end
# GOOD
def zipFileBlockSafeHardcodedPath
path = '/safepath.zip'
Zip::File.open(path) do |zip_file|
zip_file.each do |entry|
File.open(entry.name, "wb") do |os|
entry.read
end
end
end
end
# GOOD
def zipFileSanitizedConstCompare
path = params[:path]
Zip::File.open(path).each do |entry|
entry_path = entry.name
raise ExtractFailed if entry_path != "/safepath"
File.open(entry_path, "wb") do |os|
entry.read
end
end
end
def get_compressed_file_stream(compressed_file_path)
gzip = Zlib::GzipReader.open(compressed_file_path)
yield(gzip)
end
# BAD
def gzipReaderUnsafe
path = params[:path]
get_compressed_file_stream(path) do |compressed_file|
compressed_file.each do |entry|
entry_path = entry.full_name
::File.open(entry_path, 'wb') do |os|
entry.read
end
end
end
end
# GOOD
def gzipReaderSafeConstPath
path = "/safe.zip"
zlib = Zlib::GzipReader.open(path)
zlib.each do |entry|
entry_path = entry.full_name
::File.open(entry_path, 'wb') do |os|
entry.read
end
end
end
# BAD
def gzipReaderUnsafeNewInstance
path = params[:path]
File.open(path, 'rb') do |f|
gz = Zlib::GzipReader.new(f)
gz.each do |entry|
entry_path = entry.full_name
::File.open(entry_path, 'wb') do |os|
entry.read
end
end
end
end
end