Add initial query for Ruby SSTI

ruby/ql/src/queries/security/cwe-094/TemplateInjection.qhelp

@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Template Injection occurs when user input is embedded in a template's code in an unsafe manner.
+An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side.
+This permits the attacker to run arbitrary code in the server's context.
+</p>
+</overview>
+
+<recommendation>
+<p>
+To fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this,
+use a sandboxed environment where access to unsafe attributes and methods is prohibited.
+</p>
+</recommendation>
+
+<example>
+<p>
+        <p>Consider the example given below, an untrusted HTTP parameter `name` is used to generate a template string. This can lead to remote code execution. </p>
+        <sample src="examples/SSTIBad.rb" />
+        
+        <p>Here we have fixed the problem by including ERB/Slim syntax in the string, then the user input will be rendered but no evaluated.</p>
+        <sample src="examples/SSTIGood.rb" />
+</example>
+
+<references>
+<li>
+Wikipedia: <a href="https://en.wikipedia.org/wiki/Code_injection#Server_Side_Template_Injection">Server Side Template Injection</a>.
+</li>
+<li>
+Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)
+</li>
+</references>
+</qhelp>

ruby/ql/src/queries/security/cwe-094/TemplateInjection.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Server-side template injection
+ * @description Building a server-side template from user-controlled sources is vulnerable to
+ *              insertion of malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id rb/ssti
+ * @tags security
+ *       external/cwe/cwe-94
+ */
+
+import codeql.ruby.DataFlow
+import codeql.ruby.security.TemplateInjectionQuery
+import DataFlow::PathGraph
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This template depends on a $@.", source.getNode(),
+  "user-provided value"

ruby/ql/src/queries/security/cwe-094/examples/SSTIBad.rb

@@ -0,0 +1,24 @@
+require 'erb'
+require 'slim'
+
+class BadERBController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+      <!DOCTYPE html><html><body>
+      <h2>Hello %s </h2></body></html>
+      " % name
+    template = ERB.new(html_text).result(binding) 
+  end
+end
+
+class BadSlimController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+      <!DOCTYPE html><html><body>
+      <h2>Hello %s </h2></body></html>
+      " % name
+    Slim::Template.new{ html_text }.render 
+  end
+end

ruby/ql/src/queries/security/cwe-094/examples/SSTIGood.rb

@@ -0,0 +1,26 @@
+require 'erb'
+require 'slim'
+
+class GoodController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+      <!DOCTYPE html><html><body>
+      <h2>Hello <%= name %> </h2></body></html>
+      "
+    template = ERB.new(html_text).result(binding) 
+  end
+end
+
+class GoodController < ActionController::Base
+  def some_request_handler
+    name = params["name"]
+    html_text = "
+    <!DOCTYPE html>
+      html
+        body
+          h2  == name;
+    "
+    Slim::Template.new{ html_text }.render(Object.new, name: name)
+  end
+end