rb/reflected-xss

ql/test/query-tests/security/cwe-079/ReflectedXSS.expected

@@ -0,0 +1,44 @@
+edges
+| app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params :  | app/controllers/foo/bars_controller.rb:10:12:10:29 | ...[...] :  |
+| app/controllers/foo/bars_controller.rb:10:12:10:29 | ...[...] :  | app/views/foo/bars/show.html.erb:49:5:49:13 | call to user_name |
+| app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/controllers/foo/bars_controller.rb:20:53:20:54 | dt :  |
+| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt :  | app/views/foo/bars/show.html.erb:5:9:5:21 | @display_text |
+| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt :  | app/views/foo/bars/show.html.erb:8:9:8:20 | call to display_text |
+| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt :  | app/views/foo/bars/show.html.erb:11:9:11:29 | ...[...] |
+| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt :  | app/views/foo/bars/show.html.erb:15:9:15:19 | ...[...] |
+| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt :  | app/views/foo/bars/show.html.erb:36:3:36:15 | @display_text |
+| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt :  | app/views/foo/bars/show.html.erb:46:76:46:87 | call to display_text :  |
+| app/views/foo/bars/show.html.erb:46:64:46:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:2:9:2:21 | @display_text |
+| app/views/foo/bars/show.html.erb:46:64:46:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
+| app/views/foo/bars/show.html.erb:46:64:46:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:8:9:8:29 | ...[...] |
+| app/views/foo/bars/show.html.erb:46:76:46:87 | call to display_text :  | app/views/foo/bars/show.html.erb:46:64:46:87 | ... + ... :  |
+| app/views/foo/bars/show.html.erb:56:29:56:34 | call to params :  | app/views/foo/bars/show.html.erb:56:29:56:44 | ...[...] |
+nodes
+| app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params :  | semmle.label | call to params :  |
+| app/controllers/foo/bars_controller.rb:10:12:10:29 | ...[...] :  | semmle.label | ...[...] :  |
+| app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | semmle.label | call to params :  |
+| app/controllers/foo/bars_controller.rb:20:53:20:54 | dt :  | semmle.label | dt :  |
+| app/views/foo/bars/_widget.html.erb:2:9:2:21 | @display_text | semmle.label | @display_text |
+| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | semmle.label | call to display_text |
+| app/views/foo/bars/_widget.html.erb:8:9:8:29 | ...[...] | semmle.label | ...[...] |
+| app/views/foo/bars/show.html.erb:5:9:5:21 | @display_text | semmle.label | @display_text |
+| app/views/foo/bars/show.html.erb:8:9:8:20 | call to display_text | semmle.label | call to display_text |
+| app/views/foo/bars/show.html.erb:11:9:11:29 | ...[...] | semmle.label | ...[...] |
+| app/views/foo/bars/show.html.erb:15:9:15:19 | ...[...] | semmle.label | ...[...] |
+| app/views/foo/bars/show.html.erb:36:3:36:15 | @display_text | semmle.label | @display_text |
+| app/views/foo/bars/show.html.erb:46:64:46:87 | ... + ... :  | semmle.label | ... + ... :  |
+| app/views/foo/bars/show.html.erb:46:76:46:87 | call to display_text :  | semmle.label | call to display_text :  |
+| app/views/foo/bars/show.html.erb:49:5:49:13 | call to user_name | semmle.label | call to user_name |
+| app/views/foo/bars/show.html.erb:56:29:56:34 | call to params :  | semmle.label | call to params :  |
+| app/views/foo/bars/show.html.erb:56:29:56:44 | ...[...] | semmle.label | ...[...] |
+#select
+| app/views/foo/bars/_widget.html.erb:2:9:2:21 | @display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/_widget.html.erb:2:9:2:21 | @display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
+| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
+| app/views/foo/bars/_widget.html.erb:8:9:8:29 | ...[...] | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/_widget.html.erb:8:9:8:29 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:5:9:5:21 | @display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/show.html.erb:5:9:5:21 | @display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:8:9:8:20 | call to display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/show.html.erb:8:9:8:20 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:11:9:11:29 | ...[...] | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/show.html.erb:11:9:11:29 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:15:9:15:19 | ...[...] | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/show.html.erb:15:9:15:19 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:36:3:36:15 | @display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/show.html.erb:36:3:36:15 | @display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:49:5:49:13 | call to user_name | app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params :  | app/views/foo/bars/show.html.erb:49:5:49:13 | call to user_name | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:56:29:56:44 | ...[...] | app/views/foo/bars/show.html.erb:56:29:56:34 | call to params :  | app/views/foo/bars/show.html.erb:56:29:56:44 | ...[...] | Cross-site scripting vulnerability due to $@. | app/views/foo/bars/show.html.erb:56:29:56:34 | call to params | a user-provided value |

ql/test/query-tests/security/cwe-079/ReflectedXSS.qlref

@@ -0,0 +1 @@
+queries/security/cwe-079/ReflectedXSS.ql

ql/test/query-tests/security/cwe-079/app/controllers/foo/bars_controller.rb

@@ -0,0 +1,22 @@
+class BarsController < ApplicationController
+
+  helper_method :user_name, :user_name_memo
+
+  def index
+    render template: "foo/bars/index"
+  end
+
+  def user_name
+    return params[:user_name]
+  end
+
+  def user_name_memo
+    @user_name ||= params[:user_name]
+  end
+
+  def show
+    @user_website = params[:website]
+    dt = params[:text]
+    render "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
+  end
+end

ql/test/query-tests/security/cwe-079/app/views/foo/bars/_widget.html.erb

@@ -0,0 +1,11 @@
+<%# BAD: A local rendered raw as an instance variable %>
+<%= raw @display_text %>
+
+<%# BAD: A local rendered raw as a local variable %>
+<%= raw display_text %>
+
+<%# BAD: A local rendered raw via the locals hash %>
+<%= raw locals[:display_text] %>
+
+<%# GOOD: A local rendered with default escaping via the locals hash %>
+<%= @display_text %>

ql/test/query-tests/security/cwe-079/app/views/foo/bars/show.html.erb

@@ -0,0 +1,56 @@
+<%# BAD: An instance variable rendered without escaping %>
+<a href="<%= raw user_website %>">website</a>
+
+<%# BAD: A local rendered raw as an instance variable %>
+<%= raw @display_text %>
+
+<%# BAD: A local rendered raw as a local variable %>
+<%= raw display_text %>
+
+<%# BAD: A local rendered raw via the locals hash %>
+<%= raw locals[:display_text] %>
+
+<% key = :display_text %>
+<%# BAD: A local rendered raw via the locals hash %>
+<%= raw locals[key] %>
+
+<ul>
+<% for key in [:display_text, :safe_text] do %>
+  <%# BAD: A local rendered raw via the locals hash %>
+  <%# TODO: we miss that `key` can take `:display_text` as a value here %>
+  <li><%= raw locals[key] %></li>
+<% end %>
+</ul>
+
+<%# GOOD: A local rendered with default escaping via the locals hash %>
+<%= @display_text %>
+
+<%# GOOD: default escaping of rendered text %>
+<%=
+  full_text = prefix + locals[:display_text]
+  full_text
+%>
+
+<%# BAD: html_safe marks string as not requiring HTML escaping %>
+<%=
+  @display_text.html_safe
+%>
+
+<%# BAD: html_safe marks string as not requiring HTML escaping %>
+<%# TODO: we miss that `@display_text` is marked here %>
+<%=
+  @display_text.html_safe
+  @display_text
+%>
+
+<%= render partial: 'foo/bars/widget', locals: { display_text: "widget_" + display_text } %>
+
+<%# BAD: user_name is a helper method that returns unsanitized user-input %>
+<%= user_name.html_safe %>
+
+<%# BAD: user_name_memo is a helper method that returns unsanitized user-input %>
+<%# TODO: we miss this because the return value from user_name_memo is not properly linked to this call %>
+<%= user_name_memo.html_safe %>
+
+<%# BAD: unsanitized user-input should not be passed to link_to as the URL %>
+<%= link_to "user website", params[:website] %>