Skip to content

Rb: add Kernel methods as sinks to path-injection#11575

Merged
erik-krogh merged 15 commits into
github:mainfrom
erik-krogh:kernelLoad
Dec 19, 2022
Merged

Rb: add Kernel methods as sinks to path-injection#11575
erik-krogh merged 15 commits into
github:mainfrom
erik-krogh:kernelLoad

Conversation

@erik-krogh
Copy link
Copy Markdown
Contributor

@erik-krogh erik-krogh commented Dec 5, 2022
edited
Loading

Adds methods like Kernel.load as sinks to path-injection.
Kernel.load loads and executes the code referred to by the path.

Copilot gave me the list of method names, and I confirmed the list to be correct.

Additionally adds support for super(..) calls that actually call methods on Kernel.

Inspired by CVE-2018-3760

Evaluations (nightly, rails) were uneventful.

@github-actions github-actions Bot added the Ruby label Dec 5, 2022
@erik-krogh erik-krogh marked this pull request as ready for review December 7, 2022 09:36
@erik-krogh erik-krogh requested a review from a team as a code owner December 7, 2022 09:36
@erik-krogh erik-krogh mentioned this pull request Dec 7, 2022
Merged
asgerf
asgerf reviewed Dec 7, 2022
View reviewed changes
Comment thread ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll Outdated
methodName = super.getMethodName()
or
this.asExpr().getExpr() instanceof SuperCall and
methodName = this.asExpr().getExpr().getEnclosingCallable().(MethodBase).getName()
Copy link
Copy Markdown
Contributor

@asgerf asgerf Dec 7, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would make sense if super() calls always report the name of its enclosing method as its name. Library models shouldn't have to bother with the kind of code we see here - we should take it as an opportunity to improve the API.

Copy link
Copy Markdown
Contributor Author

@erik-krogh erik-krogh Dec 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That sounds like a good idea, I'll try it and see what happens.

Copy link
Copy Markdown
Contributor Author

@erik-krogh erik-krogh Dec 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't really have to change the QLDoc for getMethodName() as it already said: Gets the name of the method being called..
And the method being called is not super, so one could say that this new implementation actually fixes a bug.

Copy link
Copy Markdown
Contributor

@hvitved hvitved Dec 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds like a good idea to me.

github-advanced-security[bot]
github-advanced-security AI found potential problems Dec 7, 2022
View reviewed changes
Comment thread ruby/ql/lib/codeql/ruby/ast/internal/Call.qll Fixed
@erik-krogh
Copy link
Copy Markdown
Contributor Author

erik-krogh commented Dec 8, 2022

A new evaluation is still uneventful.

@asgerf
Copy link
Copy Markdown
Contributor

asgerf commented Dec 9, 2022

Thanks! The code LGTM, but could you run an evaluation with meta queries so we can see which sinks get added in practice?

@erik-krogh
Copy link
Copy Markdown
Contributor Author

erik-krogh commented Dec 13, 2022
edited
Loading

Thanks! The code LGTM, but could you run an evaluation with meta queries so we can see which sinks get added in practice?

Evaluation on meta queries: https://github.com/github/codeql-dca-main/blob/data/erik-krogh/pr-11575-e0045d__nightly__code-scanning/reports/alert-meta-comparison.md

It keeps crashing, even after I've removed string-constants in rb/meta/taint-sinks, but the partial results show the expected picture (lots of require calls and similar recognized as sinks).

@calumgrant calumgrant requested a review from aibaars December 19, 2022 09:47
aibaars
aibaars previously approved these changes Dec 19, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@aibaars aibaars left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, one suggestion.

Comment thread ruby/ql/lib/codeql/ruby/ast/Call.qll Outdated

override string toString() { result = "call to " + this.getMethodName() }
override string toString() {
if this instanceof SuperCall
Copy link
Copy Markdown
Contributor

@aibaars aibaars Dec 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it be better to add a toString method to the SuperCall class instead?

@erik-krogh erik-krogh requested a review from aibaars December 19, 2022 13:28
@erik-krogh erik-krogh merged commit f136651 into github:main Dec 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@asgerf asgerf asgerf left review comments

@hvitved hvitved hvitved left review comments

+1 more reviewer

@aibaars aibaars aibaars approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

documentation Ruby

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@erik-krogh @asgerf @hvitved @aibaars @github-advanced-security