Skip to content

Ruby: add regex injection query #6978

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Nov 23, 2021
Merged

Ruby: add regex injection query #6978

merged 11 commits into from
Nov 23, 2021

Conversation

nickrolfe
Copy link
Contributor

No description provided.

@nickrolfe nickrolfe added the Ruby label Oct 27, 2021
@github-actions
Copy link
Contributor

QHelp previews:

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

intrigus-lgtm
intrigus-lgtm reviewed Oct 27, 2021
View reviewed changes
@github-actions
Copy link
Contributor

QHelp previews:

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

Regular expression injection

Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as Regexp.escape to escape meta-characters that have special meaning.

Example

The following examples construct regular expressions from an HTTP request parameter without sanitizing it first:

class UsersController < ActionController::Base
  def first_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = /#{ params[:key] }/
  end

  def second_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = Regexp.new(params[:key])
  end
end

Instead, the request parameter should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.

class UsersController < ActionController::Base
  def example
    # GOOD: User input is sanitized before constructing the regular expression
    regex = Regexp.new(Regex.escape(params[:key]))
  end
end

References

@nickrolfe nickrolfe marked this pull request as ready for review October 29, 2021 10:17
@nickrolfe nickrolfe requested a review from a team as a code owner October 29, 2021 10:17
@nickrolfe
Copy link
Contributor Author

I still need to get a successful DCA run to check performance, but otherwise I think this ready for review.

@github-actions
Copy link
Contributor

QHelp previews:

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

Regular expression injection

Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as Regexp.escape to escape meta-characters that have special meaning.

Example

The following examples construct regular expressions from an HTTP request parameter without sanitizing it first:

class UsersController < ActionController::Base
  def first_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = /#{ params[:key] }/
  end

  def second_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = Regexp.new(params[:key])
  end
end

Instead, the request parameter should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.

class UsersController < ActionController::Base
  def example
    # GOOD: User input is sanitized before constructing the regular expression
    regex = Regexp.new(Regex.escape(params[:key]))
  end
end

References

@github-actions
Copy link
Contributor

github-actions bot commented Nov 3, 2021

QHelp previews:

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

Regular expression injection

Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as Regexp.escape to escape meta-characters that have special meaning.

Example

The following examples construct regular expressions from an HTTP request parameter without sanitizing it first:

class UsersController < ActionController::Base
  def first_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = /#{ params[:key] }/
  end

  def second_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = Regexp.new(params[:key])
  end
end

Instead, the request parameter should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.

class UsersController < ActionController::Base
  def example
    # GOOD: User input is sanitized before constructing the regular expression
    regex = Regexp.new(Regex.escape(params[:key]))
  end
end

References

@nickrolfe
Copy link
Contributor Author

I still need to add a missing QLDoc comment.

More worryingly, the DCA runs show that this query causes significant slowdowns. I'll have to investigate when I have time.

@github-actions
Copy link
Contributor

QHelp previews:

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

Regular expression injection

Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as Regexp.escape to escape meta-characters that have special meaning.

Example

The following examples construct regular expressions from an HTTP request parameter without sanitizing it first:

class UsersController < ActionController::Base
  def first_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = /#{ params[:key] }/
  end

  def second_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = Regexp.new(params[:key])
  end
end

Instead, the request parameter should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.

class UsersController < ActionController::Base
  def example
    # GOOD: User input is sanitized before constructing the regular expression
    regex = Regexp.new(Regex.escape(params[:key]))
  end
end

References

@nickrolfe
Copy link
Contributor Author

As far as I can tell from DCA, the new query takes about the same amount of time as any other dataflow query.

hmac
hmac reviewed Nov 22, 2021
View reviewed changes
ruby/ql/lib/codeql/ruby/frameworks/StandardLibrary.qll Outdated
@@ -335,3 +336,18 @@ class ModuleEvalCallCodeExecution extends CodeExecution::Range, DataFlow::CallNo

override DataFlow::Node getCode() { result = this.getArgument(0) }
}

/** Flow summary for `Regexp.escape`. */
Copy link
Contributor

@hmac hmac Nov 22, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not one for this PR, but I wonder if we ought to split out StandardLibrary.qll soon? Maybe something like (following the structure of https://ruby-doc.com/):

ql/lib/codeql/ruby/frameworks
├── core
│   ├── Kernel.qll
│   └── Object.qll
│   └── Regexp.qll
└── std-lib
    ├── Date.qll
    └── Open3.qll

hmac
hmac reviewed Nov 22, 2021
View reviewed changes
ruby/ql/lib/codeql/ruby/frameworks/StandardLibrary.qll Outdated
RegexpEscapeSummary() { this = "Regexp.escape" }

override MethodCall getACall() {
result = API::getTopLevelMember("Regexp").getAMethodCall("escape").asExpr().getExpr()
Copy link
Contributor

@hmac hmac Nov 22, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regexp.quote is an alias for Regexp.escape, so we could add that here too (and in RegExpInjectionCustomizations).

hmac
hmac reviewed Nov 22, 2021
View reviewed changes
ruby/ql/lib/codeql/ruby/regexp/RegExpInjectionCustomizations.qll Outdated
class ConstructedRegExpAsSink extends Sink {
ConstructedRegExpAsSink() {
this =
API::getTopLevelMember("Regexp").getAnInstantiation().(DataFlow::CallNode).getArgument(0)
Copy link
Contributor

@hmac hmac Nov 22, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a few other ways I've found for creating regexes:

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah but Regexp.union escapes its arguments, so we don't have to bother with that.

hmac
hmac previously approved these changes Nov 22, 2021
View reviewed changes
Copy link
Contributor

@hmac hmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great to me! I only have a couple of small suggestions for additional sinks/sanitizers.

@github-actions
Copy link
Contributor

QHelp previews:

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

Regular expression injection

Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as Regexp.escape to escape meta-characters that have special meaning.

Example

The following examples construct regular expressions from an HTTP request parameter without sanitizing it first:

class UsersController < ActionController::Base
  def first_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = /#{ params[:key] }/
  end

  def second_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = Regexp.new(params[:key])
  end
end

Instead, the request parameter should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.

class UsersController < ActionController::Base
  def example
    # GOOD: User input is sanitized before constructing the regular expression
    regex = Regexp.new(Regex.escape(params[:key]))
  end
end

References

@github-actions
Copy link
Contributor

QHelp previews:

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

Regular expression injection

Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as Regexp.escape to escape meta-characters that have special meaning.

Example

The following examples construct regular expressions from an HTTP request parameter without sanitizing it first:

class UsersController < ActionController::Base
  def first_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = /#{ params[:key] }/
  end

  def second_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = Regexp.new(params[:key])
  end
end

Instead, the request parameter should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.

class UsersController < ActionController::Base
  def example
    # GOOD: User input is sanitized before constructing the regular expression
    regex = Regexp.new(Regex.escape(params[:key]))
  end
end

References

@hmac
Copy link
Contributor

hmac commented Nov 23, 2021

@nickrolfe it looks like some consistency tests are failing now, which I assume is unrelated to this change. Not sure what we can do to fix them, but ping me if you get this green and I'll 👍 it.

@github-actions
Copy link
Contributor

QHelp previews:

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

Regular expression injection

Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as Regexp.escape to escape meta-characters that have special meaning.

Example

The following examples construct regular expressions from an HTTP request parameter without sanitizing it first:

class UsersController < ActionController::Base
  def first_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = /#{ params[:key] }/
  end

  def second_example
    # BAD: Unsanitized user input is used to construct a regular expression
    regex = Regexp.new(params[:key])
  end
end

Instead, the request parameter should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.

class UsersController < ActionController::Base
  def example
    # GOOD: User input is sanitized before constructing the regular expression
    regex = Regexp.new(Regex.escape(params[:key]))
  end
end

References

@nickrolfe
Copy link
Contributor Author

@hmac it's all green now!

@nickrolfe nickrolfe merged commit bb38c4d into main Nov 23, 2021
@nickrolfe nickrolfe deleted the nickrolfe/regex_injection branch November 23, 2021 16:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
2 more reviewers

@intrigus-lgtm intrigus-lgtm intrigus-lgtm left review comments

@hmac hmac hmac approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
documentation Ruby
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nickrolfe @hmac @intrigus-lgtm