rb/reflected-xss

ql/src/queries/security/cwe-079/ReflectedXSS.qhelp

@@ -0,0 +1,59 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly writing user input (for example, an HTTP request parameter) to a webpage
+without properly sanitizing the input first, allows for a cross-site scripting
+vulnerability.
+</p>
+</overview>
+
+<recommendation>
+<p>
+To guard against cross-site scripting, consider escaping the input before
+writing user input to the page. In some frameworks, such as Rails, escaping will
+be performed implicitly and by default.
+</p>
+</recommendation>
+
+<example>
+<p>
+For instance, the following example is safe because the
+<code>params[:user_name]</code> content within the output tags will be
+automatically HTML escaped before being output.
+</p>
+<sample src="examples/safe.html.erb" />
+</example>
+
+<recommendation>
+<p>
+Care should be taken when using methods such as <code>html_safe</code> or
+<code>raw</code>. These methods can be used to output a string without escaping
+it. As such, they should only be used when the string has already been manually
+escaped (for example, with the Rails <code>html_escape</code> method), or when
+the content is otherwise guaranteed to be safe (such as a hard-coded string).
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example is unsafe because user-controlled input is output without
+escaping due to being marked as <code>html_safe</code>.
+</p>
+<sample src="examples/reflective_xss.html.erb" />
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss">XSS
+Ruby on Rails Cheatsheet</a>.
+</li>
+<li>
+Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+</li>
+</references>
+</qhelp>

ql/src/queries/security/cwe-079/ReflectedXSS.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Reflected server-side cross-site scripting
+ * @description Writing user input directly to a web page
+ *              allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @sub-severity high
+ * @precision high
+ * @id rb/reflected-xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import ruby
+import codeql.ruby.security.ReflectedXSSQuery
+import codeql.ruby.DataFlow
+import DataFlow::PathGraph
+
+from ReflectedXSS::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
+  source.getNode(), "a user-provided value"

ql/src/queries/security/cwe-079/examples/reflective_xss.html.erb

@@ -0,0 +1 @@
+<p>Hello <%= params[:user_name].html_safe %>!</p>

ql/src/queries/security/cwe-079/examples/safe.html.erb

@@ -0,0 +1 @@
+<p>Hello <%= params[:user_name] %>!</p>