Merge pull request #13130 from maikypedia/maikypedia/xpath-injection

Ruby :  XPath Injection Query (CWE-643)

ruby/ql/test/query-tests/experimental/XPathInjection/LibxmlInjection.rb

@@ -0,0 +1,59 @@
+require 'libxml'
+
+class FooController < ActionController::Base
+  def libxml_handler(event:, context:)
+    name = params[:user_name]
+
+    xml = <<-XML
+      <root>
+        <foo>bar</foo>
+        <password>THIS IS SECRET</password>
+      </root>
+    XML
+
+    # Parse the XML
+    doc = LibXML::XML::Document.string(xml)
+
+    # GOOD: XPath query is not constructed from user input
+    results1 = doc.find_first('//foo')
+
+    # BAD: XPath query is constructed from user input
+    results2 = doc.find_first("//#{name}")
+
+    # GOOD: XPath query is not constructed from user input
+    results3 = doc.find('//foo')
+
+    # BAD: XPath query is constructed from user input
+    results4 = doc.find("//#{name}")
+  end
+end
+
+class BarController < ActionController::Base
+  def libxml_safe_handler(event:, context:)
+    safe_name = params[:user_name]
+
+    xml = <<-XML
+      <root>
+        <foo>bar</foo>
+        <password>THIS IS SECRET</password>
+      </root>
+    XML
+
+    # Parse the XML
+    doc = REXML::Document.new(xml)
+
+    # GOOD: barrier guard prevents taint flow
+    safe_name = if ["foo", "foo2"].include? safe_name
+      safe_name
+    else 
+      safe_name = "foo"
+    end
+
+    # GOOD: XPath query is not constructed from unsanitized user input
+    results5 = doc.find_first("//#{safe_name}")
+
+    # GOOD: XPath query is not constructed from unsanitized user input
+    results6 = doc.find("//#{safe_name}")
+
+  end
+end

ruby/ql/test/query-tests/experimental/XPathInjection/NokogiriInjection.rb

@@ -0,0 +1,88 @@
+require 'nokogiri'
+
+class FooController < ActionController::Base
+  def nokogiri_handler(event:, context:)
+    name = params[:user_name]
+
+    xml = <<-XML
+      <root>
+        <foo>bar</foo>
+        <password>THIS IS SECRET</password>
+      </root>
+    XML
+
+    # Parse the XML
+    doc = Nokogiri::XML.parse(xml)
+
+    # GOOD: XPath query is not constructed from user input
+    results1 = doc.at('//foo')
+
+    # BAD: XPath query is constructed from user input
+    results2 = doc.at("//#{name}")
+
+    # GOOD: XPath query is not constructed from user input
+    results3 = doc.xpath('//foo')
+
+    # BAD: XPath query is constructed from user input
+    results4 = doc.xpath("//#{name}")
+
+    # GOOD: XPath query is not constructed from user input
+    results5 = doc.at_xpath('//foo')
+
+    # BAD: XPath query is constructed from user input
+    results6 = doc.at_xpath("//#{name}")
+
+    # GOOD: XPath query is not constructed from user input
+    doc.xpath('//foo').each do |element|
+        puts element.text
+    end
+
+    # BAD: XPath query constructed from user input
+    doc.xpath("//#{name}").each do |element|
+        puts element.text
+    end
+
+    # GOOD: XPath query is not constructed from user input
+    doc.search('//foo').each do |element|
+        puts element.text
+    end
+
+    # BAD: XPath query constructed from user input
+    doc.search("//#{name}").each do |element|
+        puts element.text
+    end
+  end
+end
+
+class BarController < ActionController::Base
+  def nokogiri_safe_handler(event:, context:)
+    safe_name = params[:user_name]
+
+    xml = <<-XML
+      <root>
+        <foo>bar</foo>
+        <password>THIS IS SECRET</password>
+      </root>
+    XML
+
+    # Parse the XML
+    doc = Nokogiri::XML.parse(xml)
+
+    # GOOD: barrier guard prevents taint flow
+    safe_name = if ["foo", "foo2"].include? safe_name
+      safe_name
+    else 
+      safe_name = "foo"
+    end
+
+    # GOOD: XPath query is not constructed from unsanitized user input
+    results7 = doc.at("//#{safe_name}")
+
+    # GOOD: XPath query is not constructed from unsanitized user input
+    results8 = doc.xpath("//#{safe_name}")
+
+    # GOOD: XPath query is not constructed from unsanitized user input
+    results9 = doc.at_xpath("//#{safe_name}")
+
+  end
+end

ruby/ql/test/query-tests/experimental/XPathInjection/RexmlInjection.rb

@@ -0,0 +1,69 @@
+require 'rexml'
+
+class FooController < ActionController::Base
+  def rexml_handler(event:, context:)
+    name = params[:user_name]
+
+    xml = <<-XML
+        <root>
+            <foo>bar</foo>
+            <password>THIS IS SECRET</password>
+        </root>
+    XML
+
+    # Parse the XML
+    doc = REXML::Document.new(xml)
+
+    # GOOD: XPath query is not constructed from user input
+    results1 = REXML::XPath.first(doc, "//foo")
+
+    # BAD: XPath query is constructed from user input
+    results2 = REXML::XPath.first(doc, "//#{name}")
+
+    # GOOD: XPath query is not constructed from user input
+    results3 = REXML::XPath.match(doc, "//foo", nil)
+
+    # BAD: XPath query is constructed from user input
+    results4 = REXML::XPath.match(doc, "//#{name}", nil)
+
+    # GOOD: XPath query is not constructed from user input
+    REXML::XPath.each(doc, "//foo") do |element|
+        puts element.text
+    end
+
+    # BAD: XPath query constructed from user input
+    REXML::XPath.each(doc, "//#{name}") do |element|
+        puts element.text
+    end
+  end
+end
+
+class BarController < ActionController::Base
+  def rexml_safe_handler(event:, context:)
+    safe_name = params[:user_name]
+
+    xml = <<-XML
+      <root>
+        <foo>bar</foo>
+        <password>THIS IS SECRET</password>
+      </root>
+    XML
+
+    # Parse the XML
+    doc = REXML::Document.new(xml)
+
+    # GOOD: barrier guard prevents taint flow
+    safe_name = if ["foo", "foo2"].include? safe_name
+      safe_name
+    else 
+      safe_name = "foo"
+    end
+
+    # GOOD: XPath query is not constructed from unsanitized user input
+    results5 = REXML::XPath.first(doc, "//#{safe_name}")
+
+    # GOOD: XPath query is not constructed from unsanitized user input
+    results6 = REXML::XPath.match(doc, "//#{safe_name}", nil)
+
+  end
+end

ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.expected

@@ -0,0 +1,49 @@
+edges
+| LibxmlInjection.rb:5:5:5:8 | name | LibxmlInjection.rb:21:31:21:41 | "//#{...}" |
+| LibxmlInjection.rb:5:5:5:8 | name | LibxmlInjection.rb:27:25:27:35 | "//#{...}" |
+| LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:5:12:5:29 | ...[...] |
+| LibxmlInjection.rb:5:12:5:29 | ...[...] | LibxmlInjection.rb:5:5:5:8 | name |
+| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:21:23:21:33 | "//#{...}" |
+| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:27:26:27:36 | "//#{...}" |
+| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:33:29:33:39 | "//#{...}" |
+| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:41:15:41:25 | "//#{...}" |
+| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:51:16:51:26 | "//#{...}" |
+| NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:5:12:5:29 | ...[...] |
+| NokogiriInjection.rb:5:12:5:29 | ...[...] | NokogiriInjection.rb:5:5:5:8 | name |
+| RexmlInjection.rb:5:5:5:8 | name | RexmlInjection.rb:21:40:21:50 | "//#{...}" |
+| RexmlInjection.rb:5:5:5:8 | name | RexmlInjection.rb:27:40:27:50 | "//#{...}" |
+| RexmlInjection.rb:5:5:5:8 | name | RexmlInjection.rb:35:28:35:38 | "//#{...}" |
+| RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:5:12:5:29 | ...[...] |
+| RexmlInjection.rb:5:12:5:29 | ...[...] | RexmlInjection.rb:5:5:5:8 | name |
+nodes
+| LibxmlInjection.rb:5:5:5:8 | name | semmle.label | name |
+| LibxmlInjection.rb:5:12:5:17 | call to params | semmle.label | call to params |
+| LibxmlInjection.rb:5:12:5:29 | ...[...] | semmle.label | ...[...] |
+| LibxmlInjection.rb:21:31:21:41 | "//#{...}" | semmle.label | "//#{...}" |
+| LibxmlInjection.rb:27:25:27:35 | "//#{...}" | semmle.label | "//#{...}" |
+| NokogiriInjection.rb:5:5:5:8 | name | semmle.label | name |
+| NokogiriInjection.rb:5:12:5:17 | call to params | semmle.label | call to params |
+| NokogiriInjection.rb:5:12:5:29 | ...[...] | semmle.label | ...[...] |
+| NokogiriInjection.rb:21:23:21:33 | "//#{...}" | semmle.label | "//#{...}" |
+| NokogiriInjection.rb:27:26:27:36 | "//#{...}" | semmle.label | "//#{...}" |
+| NokogiriInjection.rb:33:29:33:39 | "//#{...}" | semmle.label | "//#{...}" |
+| NokogiriInjection.rb:41:15:41:25 | "//#{...}" | semmle.label | "//#{...}" |
+| NokogiriInjection.rb:51:16:51:26 | "//#{...}" | semmle.label | "//#{...}" |
+| RexmlInjection.rb:5:5:5:8 | name | semmle.label | name |
+| RexmlInjection.rb:5:12:5:17 | call to params | semmle.label | call to params |
+| RexmlInjection.rb:5:12:5:29 | ...[...] | semmle.label | ...[...] |
+| RexmlInjection.rb:21:40:21:50 | "//#{...}" | semmle.label | "//#{...}" |
+| RexmlInjection.rb:27:40:27:50 | "//#{...}" | semmle.label | "//#{...}" |
+| RexmlInjection.rb:35:28:35:38 | "//#{...}" | semmle.label | "//#{...}" |
+subpaths
+#select
+| LibxmlInjection.rb:21:31:21:41 | "//#{...}" | LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:21:31:21:41 | "//#{...}" | XPath expression depends on a $@. | LibxmlInjection.rb:5:12:5:17 | call to params | user-provided value |
+| LibxmlInjection.rb:27:25:27:35 | "//#{...}" | LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:27:25:27:35 | "//#{...}" | XPath expression depends on a $@. | LibxmlInjection.rb:5:12:5:17 | call to params | user-provided value |
+| NokogiriInjection.rb:21:23:21:33 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:21:23:21:33 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value |
+| NokogiriInjection.rb:27:26:27:36 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:27:26:27:36 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value |
+| NokogiriInjection.rb:33:29:33:39 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:33:29:33:39 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value |
+| NokogiriInjection.rb:41:15:41:25 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:41:15:41:25 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value |
+| NokogiriInjection.rb:51:16:51:26 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:51:16:51:26 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value |
+| RexmlInjection.rb:21:40:21:50 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:21:40:21:50 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value |
+| RexmlInjection.rb:27:40:27:50 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:27:40:27:50 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value |
+| RexmlInjection.rb:35:28:35:38 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:35:28:35:38 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value |

ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.qlref

@@ -0,0 +1 @@
+experimental/xpath-injection/XpathInjection.ql