progress, that can flag CVE-2021-43809-vul

erik-krogh · erik-krogh · commit 2c95a726f360 · 2023-01-04T09:57:41.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/Concepts.qll b/ruby/ql/lib/codeql/ruby/Concepts.qll
@@ -713,6 +713,14 @@ class SystemCommandExecution extends DataFlow::Node instanceof SystemCommandExec
   /** Holds if a shell interprets `arg`. */
   predicate isShellInterpreted(DataFlow::Node arg) { super.isShellInterpreted(arg) }
 
+  /**
+   * Gets an argument to this command execution that specifies the argument list
+   * to the command.
+   * TODO: Can also invlide the command.
+   * TODO: Look through all the `SystemCommandExecution` models. 
+   */
+  DataFlow::Node getArgumentList() { result = super.getArgumentList() }
+
   /** Gets an argument to this execution that specifies the command or an argument to it. */
   DataFlow::Node getAnArgument() { result = super.getAnArgument() }
 }
@@ -733,6 +741,12 @@ module SystemCommandExecution {
     /** Holds if a shell interprets `arg`. */
     predicate isShellInterpreted(DataFlow::Node arg) { none() }
 
+    /**
+     * Gets an argument to this command execution that specifies the argument list
+     * to the command.
+     */
+    DataFlow::Node getArgumentList() { none() }
+
     /** Gets an argument to this execution that specifies the command. */
     DataFlow::Node getACommandArgument() { none() }
   }
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -263,6 +263,10 @@ private class Argument extends CfgNodes::ExprCfgNode {
     this = call.getArgument(0) and
     this.getExpr() instanceof SplatExpr and
     arg.isSplatAll()
+    or
+    this = call.getArgument(0) and
+    this.getExpr() instanceof SplatExpr and
+    arg.isSplatAll()
   }
 
   /** Holds if this expression is the `i`th argument of `c`. */
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Open3.qll b/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Open3.qll
@@ -20,7 +20,9 @@ module Open3 {
     Open3Call() {
       this =
         API::getTopLevelMember("Open3")
-            .getAMethodCall(["popen3", "popen2", "popen2e", "capture3", "capture2", "capture2e"])
+            .getAMethodCall(["popen3", "popen2", "popen2e", "capture3", "capture2", "capture2e"]) and
+      super.getMethodName() = "capture3" and // TODO: Debugging.
+      this.getLocation().getStartLine() = 236 // TODO: Debugging.
     }
 
     override DataFlow::Node getAnArgument() { result = super.getArgument(_) }
@@ -34,6 +36,15 @@ module Open3 {
     override DataFlow::Node getACommandArgument() {
       result = Kernel::getACommandArgumentFromShellCall(this)
     }
+
+    override DataFlow::Node getArgumentList() {
+      // TODO: This is incomplete
+      exists(Cfg::CfgNodes::ExprNodes::UnaryOperationCfgNode un|
+        un = super.getArgument(_).asExpr() and // TODO: Specific arg?
+        un.getOperator()= "*" and
+        result.asExpr() = un.getOperand()
+      )
+    }
   }
 
   /**
diff --git a/ruby/ql/lib/codeql/ruby/security/SecondOrderCommandInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/SecondOrderCommandInjectionCustomizations.qll
@@ -0,0 +1,183 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * second order command injection, as well as
+ * extension points for adding your own.
+ */
+
+private import ruby
+private import codeql.ruby.frameworks.core.Gem::Gem as Gem
+private import codeql.ruby.dataflow.RemoteFlowSources
+private import codeql.ruby.Concepts as Concepts
+
+/** Classes and predicates for reasoning about second order command injection. */
+module SecondOrderCommandInjection {
+  /** A shell command that allows for second order command injection. */
+  private class VulnerableCommand extends string {
+    VulnerableCommand() { this = ["git", "hg"] }
+
+    /**
+     * Gets a vulnerable subcommand of this command.
+     * E.g. `git` has `clone` and `pull` as vulnerable subcommands.
+     * And every command of `hg` is vulnerable due to `--config=alias.<alias>=<command>`.
+     */
+    bindingset[result]
+    string getAVulnerableSubCommand() {
+      this = "git" and result = ["clone", "ls-remote", "fetch", "pull"]
+      or
+      this = "hg" and exists(result)
+    }
+
+    /** Gets an example argument that can cause this command to execute arbitrary code. */
+    string getVulnerableArgumentExample() {
+      this = "git" and result = "--upload-pack"
+      or
+      this = "hg" and result = "--config=alias.<alias>=<command>"
+    }
+  }
+
+  /** A source for second order command injection vulnerabilities. */
+  abstract class Source extends DataFlow::Node {
+    /** Gets a string that describes the source. For use in the alert message. */
+    abstract string describe();
+  }
+
+  /** A parameter of an exported function, seen as a source for second order command injection. */
+  class ExternalInputSource extends Source {
+    ExternalInputSource() { this = Gem::getALibraryInput() }
+
+    override string describe() { result = "library input" }
+  }
+
+  /** A source of remote flow, seen as a source for second order command injection. */
+  class RemoteFlowAsSource extends Source instanceof RemoteFlowSource {
+    override string describe() { result = "a user-provided value" }
+  }
+
+  /** A sink for second order command injection vulnerabilities. */
+  abstract class Sink extends DataFlow::Node {
+    /** Gets the command getting invoked. I.e. `git` or `hg`. */
+    abstract string getCommand();
+
+    /**
+     * Gets an example argument for the comand that allows for second order command injection.
+     * E.g. `--upload-pack` for `git`.
+     */
+    abstract string getVulnerableArgumentExample();
+  }
+
+  /**
+   * A sink that invokes a command described by the `VulnerableCommand` class.
+   */
+  abstract class VulnerableCommandSink extends Sink {
+    VulnerableCommand cmd;
+
+    override string getCommand() { result = cmd }
+
+    override string getVulnerableArgumentExample() { result = cmd.getVulnerableArgumentExample() }
+  }
+
+  private import codeql.ruby.typetracking.TypeTracker
+
+  /** A sanitizer for second order command injection vulnerabilities. */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  import codeql.ruby.typetracking.TypeTracker
+
+  private DataFlow::LocalSourceNode usedAsArgList(
+    TypeBackTracker t, Concepts::SystemCommandExecution exec
+  ) {
+    t.start() and
+    result = exec.getArgumentList().getALocalSource()
+    or
+    exists(TypeBackTracker t2 |
+      result = usedAsArgList(t2, exec).backtrack(t2, t)
+      or
+      // step through splat expressions
+      t2 = t.continue() and
+      result.asExpr().getExpr() =
+        // TODO: flows-to.
+        usedAsArgList(t2, exec).asExpr().getExpr().(Ast::SplatExpr).getOperand()
+    )
+  }
+
+  /** Gets a dataflow node that ends up being used as an argument list to an invocation of `git` or `hg`. */
+  private DataFlow::LocalSourceNode usedAsVersionControlArgs(
+    TypeBackTracker t, DataFlow::Node argList, VulnerableCommand cmd
+  ) {
+    t.start() and
+    // TODO: untested.
+    exists(Concepts::SystemCommandExecution exec |
+      exec.getACommandArgument().getConstantValue().getStringlikeValue() = cmd
+    |
+      exec.getArgumentList() = argList and
+      result = argList.getALocalSource()
+    )
+    or
+    t.start() and
+    exists(
+      Concepts::SystemCommandExecution exec, Cfg::CfgNodes::ExprNodes::ArrayLiteralCfgNode arr
+    |
+      argList = usedAsArgList(TypeBackTracker::end(), exec) and
+      arr = argList.asExpr() and
+      arr.getArgument(0).getConstantValue().getStringlikeValue() = cmd
+    |
+      result = argList.getALocalSource()
+      or
+      result
+          .flowsTo(any(DataFlow::Node n |
+              n.asExpr().getExpr() = arr.getArgument(_).getExpr().(Ast::SplatExpr).getOperand()
+            ))
+    )
+    or
+    exists(TypeBackTracker t2 |
+      result = usedAsVersionControlArgs(t2, argList, cmd).backtrack(t2, t)
+      or
+      // step through splat expressions
+      t2 = t.continue() and
+      result
+          .flowsTo(any(DataFlow::Node n |
+              n.asExpr().getExpr() =
+                usedAsVersionControlArgs(t2, argList, cmd)
+                    .asExpr()
+                    .getExpr()
+                    .(Ast::SplatExpr)
+                    .getOperand()
+            ))
+    )
+  }
+
+  private import codeql.ruby.dataflow.internal.DataFlowDispatch as Dispatch
+
+  private class IndirectVcsCall extends DataFlow::CallNode {
+    VulnerableCommand cmd;
+
+    IndirectVcsCall() {
+      exists(Dispatch::DataFlowCallable calleeDis, Ast::Callable callee, DataFlow::Node list |
+        calleeDis =
+          Dispatch::viableCallable(any(Dispatch::DataFlowCall c | c.asCall() = this.asExpr())) and
+        calleeDis.asCallable() = callee and
+        list.asExpr().getExpr() = callee.getParameter(0).(Ast::SplatParameter).getDefiningAccess() and
+        // TODO: multiple nodes in the same position, i need to figure that out if this makes production.
+        usedAsVersionControlArgs(TypeBackTracker::end(), _, cmd).getLocation() = list.getLocation()
+      )
+    }
+
+    VulnerableCommand getCommand() { result = cmd }
+  }
+
+  class IndirectCallSink extends Sink {
+    VulnerableCommand cmd;
+
+    IndirectCallSink() {
+      exists(IndirectVcsCall call, int i |
+        call.getCommand() = cmd and
+        call.getArgument(i).getConstantValue().getStringlikeValue() = cmd.getAVulnerableSubCommand() and
+        this = call.getArgument(any(int j | j > i))
+      )
+    }
+
+    override string getCommand() { result = cmd }
+
+    override string getVulnerableArgumentExample() { result = cmd.getVulnerableArgumentExample() }
+  }
+}
diff --git a/ruby/ql/lib/codeql/ruby/security/SecondOrderCommandInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/SecondOrderCommandInjectionQuery.qll
@@ -0,0 +1,25 @@
+/**
+ * Provides a taint tracking configuration for reasoning about
+ * second order command-injection vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `SecondOrderCommandInjection::Configuration` is needed, otherwise
+ * `SecondOrderCommandInjectionCustomizations` should be imported instead.
+ */
+
+import ruby
+import SecondOrderCommandInjectionCustomizations::SecondOrderCommandInjection
+import codeql.ruby.TaintTracking
+
+/**
+ * A taint-tracking configuration for reasoning about second order command-injection vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "SecondOrderCommandInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+}
diff --git a/ruby/ql/src/queries/security/cwe-078/SecondOrderCommandInjection.qhelp b/ruby/ql/src/queries/security/cwe-078/SecondOrderCommandInjection.qhelp
@@ -0,0 +1,46 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Some shell commands, like <code>git ls-remote</code>, can execute 
+arbitrary commands if a user provides a malicious URL that starts with 
+<code>--upload-pack</code>. This can be used to execute arbitrary code on
+the server.
+</p>
+
+</overview>
+
+<recommendation>
+
+<p>
+Sanitize user input before passing it to the shell command. For example,
+ensure that URLs are valid and do not contain malicious commands.
+</p>
+
+</recommendation>
+<example>
+
+<p>
+The following example shows code that executes <code>git ls-remote</code> on a
+URL that can be controlled by a malicious user.
+</p>
+
+<sample src="examples/second-order-command-injection.js" />
+
+<p>
+The problem has been fixed in the snippet below, where the URL is validated before
+being passed to the shell command.
+</p>
+
+<sample src="examples/second-order-command-injection-fixed.js" />
+
+</example>
+<references>
+<li>Max Justicz: <a href="https://justi.cz/security/2021/04/20/cocoapods-rce.html">Hacking 3,000,000 apps at once through CocoaPods</a>.</li>
+<li>Git: <a href="https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt">Git - git-ls-remote Documentation</a>.</li>
+<li>OWASP: <a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.</li>
+
+</references>
+</qhelp>
diff --git a/ruby/ql/src/queries/security/cwe-078/SecondOrderCommandInjection.ql b/ruby/ql/src/queries/security/cwe-078/SecondOrderCommandInjection.ql
@@ -0,0 +1,25 @@
+/**
+ * @name Second order command injection
+ * @description Using user-controlled data as arguments to some commands, such as git clone,
+ *              can allow arbitrary commands to be executed.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.0
+ * @precision high
+ * @id rb/second-order-command-line-injection
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-078
+ *       external/cwe/cwe-088
+ */
+
+import ruby
+import DataFlow::PathGraph
+import codeql.ruby.security.SecondOrderCommandInjectionQuery
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
+where cfg.hasFlowPath(source, sink) and sinkNode = sink.getNode()
+select sink.getNode(), source, sink,
+  "Command line argument that depends on $@ can execute an arbitrary command if " +
+    sinkNode.getVulnerableArgumentExample() + " is used with " + sinkNode.getCommand() + ".",
+  source.getNode(), source.getNode().(Source).describe()
diff --git a/ruby/ql/src/queries/security/cwe-078/examples/second-order-command-injection-fixed.js b/ruby/ql/src/queries/security/cwe-078/examples/second-order-command-injection-fixed.js
@@ -0,0 +1,12 @@
+const express = require("express");
+const app = express();
+
+const cp = require("child_process");
+
+app.get("/ls-remote", (req, res) => {
+  const remote = req.query.remote;
+  if (!(remote.startsWith("git@") || remote.startsWith("https://"))) {
+    throw new Error("Invalid remote: " + remote);
+  }
+  cp.execFile("git", ["ls-remote", remote]); // OK
+});
diff --git a/ruby/ql/src/queries/security/cwe-078/examples/second-order-command-injection.js b/ruby/ql/src/queries/security/cwe-078/examples/second-order-command-injection.js
@@ -0,0 +1,9 @@
+const express = require("express");
+const app = express();
+
+const cp = require("child_process");
+
+app.get("/ls-remote", (req, res) => {
+  const remote = req.query.remote;
+  cp.execFile("git", ["ls-remote", remote]); // NOT OK
+});
