mirror of
https://github.com/github/codeql.git
synced 2026-04-11 01:54:00 +02:00
570 lines
21 KiB
Plaintext
570 lines
21 KiB
Plaintext
/**
|
|
* Provides abstract classes representing generic concepts such as file system
|
|
* access or system command execution, for which individual framework libraries
|
|
* provide concrete subclasses.
|
|
*/
|
|
|
|
private import codeql.ruby.AST
|
|
private import codeql.ruby.CFG
|
|
private import codeql.ruby.DataFlow
|
|
private import codeql.ruby.Frameworks
|
|
private import codeql.ruby.dataflow.RemoteFlowSources
|
|
private import codeql.ruby.ApiGraphs
|
|
|
|
/**
|
|
* A data-flow node that executes SQL statements.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `SqlExecution::Range` instead.
|
|
*/
|
|
class SqlExecution extends DataFlow::Node instanceof SqlExecution::Range {
|
|
/** Gets the argument that specifies the SQL statements to be executed. */
|
|
DataFlow::Node getSql() { result = super.getSql() }
|
|
}
|
|
|
|
/** Provides a class for modeling new SQL execution APIs. */
|
|
module SqlExecution {
|
|
/**
|
|
* A data-flow node that executes SQL statements.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `SqlExecution` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the argument that specifies the SQL statements to be executed. */
|
|
abstract DataFlow::Node getSql();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data flow node that performs a file system access, including reading and writing data,
|
|
* creating and deleting files and folders, checking and updating permissions, and so on.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `FileSystemAccess::Range` instead.
|
|
*/
|
|
class FileSystemAccess extends DataFlow::Node instanceof FileSystemAccess::Range {
|
|
/** Gets an argument to this file system access that is interpreted as a path. */
|
|
DataFlow::Node getAPathArgument() { result = super.getAPathArgument() }
|
|
}
|
|
|
|
/** Provides a class for modeling new file system access APIs. */
|
|
module FileSystemAccess {
|
|
/**
|
|
* A data-flow node that performs a file system access, including reading and writing data,
|
|
* creating and deleting files and folders, checking and updating permissions, and so on.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `FileSystemAccess` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets an argument to this file system access that is interpreted as a path. */
|
|
abstract DataFlow::Node getAPathArgument();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data flow node that reads data from the file system.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `FileSystemReadAccess::Range` instead.
|
|
*/
|
|
class FileSystemReadAccess extends FileSystemAccess instanceof FileSystemReadAccess::Range {
|
|
/**
|
|
* Gets a node that represents data read from the file system access.
|
|
*/
|
|
DataFlow::Node getADataNode() { result = FileSystemReadAccess::Range.super.getADataNode() }
|
|
}
|
|
|
|
/** Provides a class for modeling new file system reads. */
|
|
module FileSystemReadAccess {
|
|
/**
|
|
* A data flow node that reads data from the file system.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `FileSystemReadAccess` instead.
|
|
*/
|
|
abstract class Range extends FileSystemAccess::Range {
|
|
/**
|
|
* Gets a node that represents data read from the file system.
|
|
*/
|
|
abstract DataFlow::Node getADataNode();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data flow node that sets the permissions for one or more files.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `FileSystemPermissionModification::Range` instead.
|
|
*/
|
|
class FileSystemPermissionModification extends DataFlow::Node instanceof FileSystemPermissionModification::Range {
|
|
/**
|
|
* Gets an argument to this permission modification that is interpreted as a
|
|
* set of permissions.
|
|
*/
|
|
DataFlow::Node getAPermissionNode() { result = super.getAPermissionNode() }
|
|
}
|
|
|
|
/** Provides a class for modeling new file system permission modifications. */
|
|
module FileSystemPermissionModification {
|
|
/**
|
|
* A data-flow node that sets permissions for a one or more files.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `FileSystemPermissionModification` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/**
|
|
* Gets an argument to this permission modification that is interpreted as a
|
|
* set of permissions.
|
|
*/
|
|
abstract DataFlow::Node getAPermissionNode();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data flow node that contains a file name or an array of file names from the local file system.
|
|
*/
|
|
abstract class FileNameSource extends DataFlow::Node { }
|
|
|
|
/**
|
|
* A data-flow node that escapes meta-characters, which could be used to prevent
|
|
* injection attacks.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `Escaping::Range` instead.
|
|
*/
|
|
class Escaping extends DataFlow::Node instanceof Escaping::Range {
|
|
Escaping() {
|
|
// escapes that don't have _both_ input/output defined are not valid
|
|
exists(super.getAnInput()) and
|
|
exists(super.getOutput())
|
|
}
|
|
|
|
/** Gets an input that will be escaped. */
|
|
DataFlow::Node getAnInput() { result = super.getAnInput() }
|
|
|
|
/** Gets the output that contains the escaped data. */
|
|
DataFlow::Node getOutput() { result = super.getOutput() }
|
|
|
|
/**
|
|
* Gets the context that this function escapes for, such as `html`, or `url`.
|
|
*/
|
|
string getKind() { result = super.getKind() }
|
|
}
|
|
|
|
/** Provides a class for modeling new escaping APIs. */
|
|
module Escaping {
|
|
/**
|
|
* A data-flow node that escapes meta-characters, which could be used to prevent
|
|
* injection attacks.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `Escaping` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets an input that will be escaped. */
|
|
abstract DataFlow::Node getAnInput();
|
|
|
|
/** Gets the output that contains the escaped data. */
|
|
abstract DataFlow::Node getOutput();
|
|
|
|
/**
|
|
* Gets the context that this function escapes for.
|
|
*
|
|
* While kinds are represented as strings, this should not be relied upon. Use the
|
|
* predicates in the `Escaping` module, such as `getHtmlKind`.
|
|
*/
|
|
abstract string getKind();
|
|
}
|
|
|
|
/** Gets the escape-kind for escaping a string so it can safely be included in HTML. */
|
|
string getHtmlKind() { result = "html" }
|
|
}
|
|
|
|
/**
|
|
* An escape of a string so it can be safely included in
|
|
* the body of an HTML element, for example, replacing `{}` in
|
|
* `<p>{}</p>`.
|
|
*/
|
|
class HtmlEscaping extends Escaping {
|
|
HtmlEscaping() { super.getKind() = Escaping::getHtmlKind() }
|
|
}
|
|
|
|
/** Provides classes for modeling HTTP-related APIs. */
|
|
module HTTP {
|
|
/** Provides classes for modeling HTTP servers. */
|
|
module Server {
|
|
/**
|
|
* A data-flow node that sets up a route on a server.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `RouteSetup::Range` instead.
|
|
*/
|
|
class RouteSetup extends DataFlow::Node instanceof RouteSetup::Range {
|
|
/** Gets the URL pattern for this route, if it can be statically determined. */
|
|
string getUrlPattern() { result = super.getUrlPattern() }
|
|
|
|
/**
|
|
* Gets a function that will handle incoming requests for this route, if any.
|
|
*
|
|
* NOTE: This will be modified in the near future to have a `RequestHandler` result, instead of a `Method`.
|
|
*/
|
|
Method getARequestHandler() { result = super.getARequestHandler() }
|
|
|
|
/**
|
|
* Gets a parameter that will receive parts of the url when handling incoming
|
|
* requests for this route, if any. These automatically become a `RemoteFlowSource`.
|
|
*/
|
|
Parameter getARoutedParameter() { result = super.getARoutedParameter() }
|
|
|
|
/** Gets a string that identifies the framework used for this route setup. */
|
|
string getFramework() { result = super.getFramework() }
|
|
}
|
|
|
|
/** Provides a class for modeling new HTTP routing APIs. */
|
|
module RouteSetup {
|
|
/**
|
|
* A data-flow node that sets up a route on a server.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `RouteSetup` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the argument used to set the URL pattern. */
|
|
abstract DataFlow::Node getUrlPatternArg();
|
|
|
|
/** Gets the URL pattern for this route, if it can be statically determined. */
|
|
string getUrlPattern() {
|
|
exists(CfgNodes::ExprNodes::StringlikeLiteralCfgNode strNode |
|
|
this.getUrlPatternArg().getALocalSource() = DataFlow::exprNode(strNode) and
|
|
result = strNode.getExpr().getValueText()
|
|
)
|
|
}
|
|
|
|
/**
|
|
* Gets a function that will handle incoming requests for this route, if any.
|
|
*
|
|
* NOTE: This will be modified in the near future to have a `RequestHandler` result, instead of a `Method`.
|
|
*/
|
|
abstract Method getARequestHandler();
|
|
|
|
/**
|
|
* Gets a parameter that will receive parts of the url when handling incoming
|
|
* requests for this route, if any. These automatically become a `RemoteFlowSource`.
|
|
*/
|
|
abstract Parameter getARoutedParameter();
|
|
|
|
/** Gets a string that identifies the framework used for this route setup. */
|
|
abstract string getFramework();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A function that will handle incoming HTTP requests.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `RequestHandler::Range` instead.
|
|
*/
|
|
class RequestHandler extends Method instanceof RequestHandler::Range {
|
|
/**
|
|
* Gets a parameter that could receive parts of the url when handling incoming
|
|
* requests, if any. These automatically become a `RemoteFlowSource`.
|
|
*/
|
|
Parameter getARoutedParameter() { result = super.getARoutedParameter() }
|
|
|
|
/** Gets a string that identifies the framework used for this route setup. */
|
|
string getFramework() { result = super.getFramework() }
|
|
}
|
|
|
|
/** Provides a class for modeling new HTTP request handlers. */
|
|
module RequestHandler {
|
|
/**
|
|
* A function that will handle incoming HTTP requests.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `RequestHandler` instead.
|
|
*
|
|
* Only extend this class if you can't provide a `RouteSetup`, since we handle that case automatically.
|
|
*/
|
|
abstract class Range extends Method {
|
|
/**
|
|
* Gets a parameter that could receive parts of the url when handling incoming
|
|
* requests, if any. These automatically become a `RemoteFlowSource`.
|
|
*/
|
|
abstract Parameter getARoutedParameter();
|
|
|
|
/** Gets a string that identifies the framework used for this request handler. */
|
|
abstract string getFramework();
|
|
}
|
|
}
|
|
|
|
private class RequestHandlerFromRouteSetup extends RequestHandler::Range {
|
|
RouteSetup rs;
|
|
|
|
RequestHandlerFromRouteSetup() { this = rs.getARequestHandler() }
|
|
|
|
override Parameter getARoutedParameter() {
|
|
result = rs.getARoutedParameter() and
|
|
result = this.getAParameter()
|
|
}
|
|
|
|
override string getFramework() { result = rs.getFramework() }
|
|
}
|
|
|
|
/** A parameter that will receive parts of the url when handling an incoming request. */
|
|
private class RoutedParameter extends RemoteFlowSource::Range, DataFlow::ParameterNode {
|
|
RequestHandler handler;
|
|
|
|
RoutedParameter() { this.getParameter() = handler.getARoutedParameter() }
|
|
|
|
override string getSourceType() { result = handler.getFramework() + " RoutedParameter" }
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that creates a HTTP response on a server.
|
|
*
|
|
* Note: we don't require that this response must be sent to a client (a kind of
|
|
* "if a tree falls in a forest and nobody hears it" situation).
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `HttpResponse::Range` instead.
|
|
*/
|
|
class HttpResponse extends DataFlow::Node instanceof HttpResponse::Range {
|
|
/** Gets the data-flow node that specifies the body of this HTTP response. */
|
|
DataFlow::Node getBody() { result = super.getBody() }
|
|
|
|
/** Gets the mimetype of this HTTP response, if it can be statically determined. */
|
|
string getMimetype() { result = super.getMimetype() }
|
|
}
|
|
|
|
/** Provides a class for modeling new HTTP response APIs. */
|
|
module HttpResponse {
|
|
/**
|
|
* A data-flow node that creates a HTTP response on a server.
|
|
*
|
|
* Note: we don't require that this response must be sent to a client (a kind of
|
|
* "if a tree falls in a forest and nobody hears it" situation).
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `HttpResponse` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the data-flow node that specifies the body of this HTTP response. */
|
|
abstract DataFlow::Node getBody();
|
|
|
|
/** Gets the data-flow node that specifies the content-type/mimetype of this HTTP response, if any. */
|
|
abstract DataFlow::Node getMimetypeOrContentTypeArg();
|
|
|
|
/** Gets the default mimetype that should be used if `getMimetypeOrContentTypeArg` has no results. */
|
|
abstract string getMimetypeDefault();
|
|
|
|
/** Gets the mimetype of this HTTP response, if it can be statically determined. */
|
|
string getMimetype() {
|
|
exists(CfgNodes::ExprNodes::StringlikeLiteralCfgNode strNode |
|
|
this.getMimetypeOrContentTypeArg().getALocalSource() = DataFlow::exprNode(strNode) and
|
|
result = strNode.getExpr().getValueText().splitAt(";", 0)
|
|
)
|
|
or
|
|
not exists(this.getMimetypeOrContentTypeArg()) and
|
|
result = this.getMimetypeDefault()
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that creates a HTTP redirect response on a server.
|
|
*
|
|
* Note: we don't require that this redirect must be sent to a client (a kind of
|
|
* "if a tree falls in a forest and nobody hears it" situation).
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `HttpRedirectResponse::Range` instead.
|
|
*/
|
|
class HttpRedirectResponse extends HttpResponse instanceof HttpRedirectResponse::Range {
|
|
/** Gets the data-flow node that specifies the location of this HTTP redirect response. */
|
|
DataFlow::Node getRedirectLocation() { result = super.getRedirectLocation() }
|
|
}
|
|
|
|
/** Provides a class for modeling new HTTP redirect response APIs. */
|
|
module HttpRedirectResponse {
|
|
/**
|
|
* A data-flow node that creates a HTTP redirect response on a server.
|
|
*
|
|
* Note: we don't require that this redirect must be sent to a client (a kind of
|
|
* "if a tree falls in a forest and nobody hears it" situation).
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `HttpResponse` instead.
|
|
*/
|
|
abstract class Range extends HTTP::Server::HttpResponse::Range {
|
|
/** Gets the data-flow node that specifies the location of this HTTP redirect response. */
|
|
abstract DataFlow::Node getRedirectLocation();
|
|
}
|
|
}
|
|
}
|
|
|
|
/** Provides classes for modeling HTTP clients. */
|
|
module Client {
|
|
/**
|
|
* A method call that makes an outgoing HTTP request.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `Request::Range` instead.
|
|
*/
|
|
class Request extends MethodCall instanceof Request::Range {
|
|
/** Gets a node which returns the body of the response */
|
|
DataFlow::Node getResponseBody() { result = super.getResponseBody() }
|
|
|
|
/** Gets a string that identifies the framework used for this request. */
|
|
string getFramework() { result = super.getFramework() }
|
|
}
|
|
|
|
/** Provides a class for modeling new HTTP requests. */
|
|
module Request {
|
|
/**
|
|
* A method call that makes an outgoing HTTP request.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `Request` instead.
|
|
*/
|
|
abstract class Range extends MethodCall {
|
|
/** Gets a node which returns the body of the response */
|
|
abstract DataFlow::Node getResponseBody();
|
|
|
|
/** Gets a string that identifies the framework used for this request. */
|
|
abstract string getFramework();
|
|
}
|
|
}
|
|
|
|
/** The response body from an outgoing HTTP request, considered as a remote flow source */
|
|
private class RequestResponseBody extends RemoteFlowSource::Range, DataFlow::Node {
|
|
Request request;
|
|
|
|
RequestResponseBody() { this = request.getResponseBody() }
|
|
|
|
override string getSourceType() { result = request.getFramework() }
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data flow node that executes an operating system command,
|
|
* for instance by spawning a new process.
|
|
*/
|
|
class SystemCommandExecution extends DataFlow::Node instanceof SystemCommandExecution::Range {
|
|
/** Holds if a shell interprets `arg`. */
|
|
predicate isShellInterpreted(DataFlow::Node arg) { super.isShellInterpreted(arg) }
|
|
|
|
/** Gets an argument to this execution that specifies the command or an argument to it. */
|
|
DataFlow::Node getAnArgument() { result = super.getAnArgument() }
|
|
}
|
|
|
|
/** Provides a class for modeling new operating system command APIs. */
|
|
module SystemCommandExecution {
|
|
/**
|
|
* A data flow node that executes an operating system command, for instance by spawning a new
|
|
* process.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `SystemCommandExecution` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets an argument to this execution that specifies the command or an argument to it. */
|
|
abstract DataFlow::Node getAnArgument();
|
|
|
|
/** Holds if a shell interprets `arg`. */
|
|
predicate isShellInterpreted(DataFlow::Node arg) { none() }
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that dynamically executes Ruby code.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `CodeExecution::Range` instead.
|
|
*/
|
|
class CodeExecution extends DataFlow::Node instanceof CodeExecution::Range {
|
|
/** Gets the argument that specifies the code to be executed. */
|
|
DataFlow::Node getCode() { result = super.getCode() }
|
|
}
|
|
|
|
/** Provides a class for modeling new dynamic code execution APIs. */
|
|
module CodeExecution {
|
|
/**
|
|
* A data-flow node that dynamically executes Ruby code.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `CodeExecution` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the argument that specifies the code to be executed. */
|
|
abstract DataFlow::Node getCode();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that parses XML content.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `XmlParserCall::Range` instead.
|
|
*/
|
|
class XmlParserCall extends DataFlow::Node {
|
|
XmlParserCall::Range range;
|
|
|
|
XmlParserCall() { this = range }
|
|
|
|
/** Gets the argument that specifies the XML content to be parsed. */
|
|
DataFlow::Node getInput() { result = range.getInput() }
|
|
|
|
/** Holds if this XML parser call is configured to process external entities */
|
|
predicate externalEntitiesEnabled() { range.externalEntitiesEnabled() }
|
|
}
|
|
|
|
/** Provides a class for modeling new XML parsing APIs. */
|
|
module XmlParserCall {
|
|
/**
|
|
* A data-flow node that parses XML content.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `class XmlParserCall` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the argument that specifies the XML content to be parsed. */
|
|
abstract DataFlow::Node getInput();
|
|
|
|
/** Holds if this XML parser call is configured to process external entities */
|
|
abstract predicate externalEntitiesEnabled();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that may represent a database object in an ORM system.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `OrmInstantiation::Range` instead.
|
|
*/
|
|
class OrmInstantiation extends DataFlow::Node instanceof OrmInstantiation::Range {
|
|
/** Holds if a call to `methodName` on this instance may return a field of this ORM object. */
|
|
bindingset[methodName]
|
|
predicate methodCallMayAccessField(string methodName) {
|
|
super.methodCallMayAccessField(methodName)
|
|
}
|
|
}
|
|
|
|
/** Provides a class for modeling new ORM object instantiation APIs. */
|
|
module OrmInstantiation {
|
|
/**
|
|
* A data-flow node that may represent a database object in an ORM system.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `OrmInstantiation` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Holds if a call to `methodName` on this instance may return a field of this ORM object. */
|
|
bindingset[methodName]
|
|
abstract predicate methodCallMayAccessField(string methodName);
|
|
}
|
|
}
|