v3 add global taint steps for to_ruby of YAML/Psych

2026-04-29 10:45:15 +02:00 · 2023-03-01 10:45:45 +01:00
parent ad7e107ff5
commit e76ed9454a
3 changed files with 31 additions and 21 deletions
--- a/ruby/ql/lib/codeql/ruby/Frameworks.qll
+++ b/ruby/ql/lib/codeql/ruby/Frameworks.qll
@@ -33,3 +33,4 @@ private import codeql.ruby.frameworks.Sinatra
 private import codeql.ruby.frameworks.Twirp
 private import codeql.ruby.frameworks.Sqlite3
 private import codeql.ruby.frameworks.Pg
+private import codeql.ruby.frameworks.Yaml
--- a/ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll
@@ -0,0 +1,30 @@
+/**
+ * add additional steps for to_ruby method of YAML/Psych library
+ */
+
+private import codeql.ruby.dataflow.FlowSteps
+private import codeql.ruby.DataFlow
+private import codeql.ruby.ApiGraphs
+
+private class YamlParseStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode yaml_parser_methods |
+      yaml_parser_methods =
+        API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall(["parse", "parse_stream"]) and
+      (
+        pred = yaml_parser_methods.getArgument(0) or
+        pred = yaml_parser_methods.getKeywordArgument("yaml")
+      ) and
+      succ = yaml_parser_methods.getAMethodCall("to_ruby")
+    )
+    or
+    exists(DataFlow::CallNode yaml_parser_methods |
+      yaml_parser_methods = API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall("parse_file") and
+      (
+        pred = yaml_parser_methods.getArgument(0) or
+        pred = yaml_parser_methods.getKeywordArgument("filename")
+      ) and
+      succ = yaml_parser_methods.getAMethodCall("to_ruby")
+    )
+  }
+}
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
@@ -24,27 +24,6 @@ class Configuration extends TaintTracking::Configuration {

  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserialization::Sink }

-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    exists(DataFlow::CallNode yaml_parser_methods |
-      yaml_parser_methods =
-        API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall(["parse", "parse_stream"]) and
-      (
-        nodeFrom = yaml_parser_methods.getArgument(0) or
-        nodeFrom = yaml_parser_methods.getKeywordArgument("yaml")
-      ) and
-      nodeTo = yaml_parser_methods.getAMethodCall("to_ruby")
-    )
-    or
-    exists(DataFlow::CallNode yaml_parser_methods |
-      yaml_parser_methods = API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall("parse_file") and
-      (
-        nodeFrom = yaml_parser_methods.getArgument(0) or
-        nodeFrom = yaml_parser_methods.getKeywordArgument("filename")
-      ) and
-      nodeTo = yaml_parser_methods.getAMethodCall("to_ruby")
-    )
-  }
-
  override predicate isSanitizer(DataFlow::Node node) {
    super.isSanitizer(node) or
    node instanceof UnsafeDeserialization::Sanitizer