Rb: more taint-steps for shell-command-construction

[erik-krogh]

Adds some taint steps for CVE-2022-33127

Evaluations (rails-projects, nightly) seems OK, there are a few new results that look acceptable to me.
The rails result is adding an extra source to a sink that was already flagged.
The database result looks good. It's possible to configure which executeable is used, and that is interpreted as a shell-string.

[hvitved]

Couldn't we instead simply define a taint-summary for join?

input = "Argument[self].Element[any]" and
output = "ReturnValue" and
preservesValue = false

Such a summary should also work when we consider an array it self tainted (as opposed to an element of that array).

[erik-krogh]

Couldn't we instead simply define a taint-summary for join?

Yes, that works for .join() 👍

[hvitved]

I think the better way to do this is to allow implicit array reads at sinks. We could either do this for the two relevant queries, using Configuration::allowImplicitRead, or for all taint tracking configurations, using defaultImplicitTaintRead, like e.g. in Java.

[erik-krogh]

That does give me some of the desired behavior, but not all.

This test case is flagged with my "taint-step"-approach, but not with your "implicit-read"-approach.

def join_indirect(x, y) 
  arr = Array("foo = ", x)
  eval(arr.join(" ")) # NOT OK

  arr2 = [Array("foo = ", y).join(" ")]
  eval(arr2.join("\n")) # NOT OK
end

I'll do the allowImplicitRead approach for now as it gives me most of the desired behavior (I'm just adding it on the two relevant queries), and then I'll return to the CVE later.

[hvitved]

Isn't this because the kernel method Array does not work like you intend in your examples? But I also don't think we currently have flow summaries for that method; I guess it should be something like

// already an array
input = "Argument[0].WithElement[0..]" and
output = "ReturnValue"
or
// not already an array
input = "Argument[0].WithoutElement[0..]" and
output = "ReturnValue.Element[0]"

[erik-krogh]

You're completely right. I was looking at how it was used in the CVE, and probably just assumed that it was similar to the JS Array() call.
I've added a summary for Array() based on your suggestion.

[hvitved]

Thanks for addressing my comments. This looks good now, except for two redundant imports.

Also, we should have a final DCA run.

[hvitved]

Can be removed now.

[hvitved]

Same

[erik-krogh]

Also, we should have a final DCA run.

It blew up.
I'll investigate, but I don't think I'll have time for that this week.
I'm putting this in draft, and will undraft again when I've figured out what's happening.

[hvitved]

Consider using something like getAStaticArrayCall here instead, in order to be able to go back to getASimpleCall (which means that the summary will also be used during type tracking).

[erik-krogh]

New evaluations (nightly, rails-projects) show OK performance and some new results.

Triaging the new results they are mostly from new steps through .join("..").
And for most of the results we already flagged the sink from another source, but the extra completeness is nice.