Ruby: Taint does not flow into do-end blocks #3880
Comments
* Check for presence of default routes
* Updated avoid-default-routes with message and classification
* Added spaces
* Implement for avoid-tainted-file-access
* Fix annotations for avoid-tainted-file-access
* Add avoid link-to
* avoid-redirect
* Update message for avoid-redirect
* avoid-render-dynamic-path
* avoid-session-manipulation
* Rewrite pattern to be more clear in avoid-tainted-file-access
* Fix avoid-redirect test
* Switch avoid-tainted-file-access to use taint mode
* Add a layer of separation test
* Update avoid-session-manipulation
* Update avoid-link-to
* Updated avoid-render-dynamic-path
* Modified avoid-render-dynamic-path test
* Updated avoid-redirect
* Update message for link-to
* Added attempt at message to avoid-session-manipulation
* Split out FTP rules from tainted-file-access
* Move ftp rule
* Move session-manipulation rule
* Split out HTTP rules from avoid-tainted-file-access
* Move avoid-tainted-http-request
* Split out shell calls
* Move remaining tainted* rules out from xss
* Update CWE for file access
* Fix tests
* Add new test case to test reason for FN
* Make avoid-default-routes respond to tests
* Fix classifications and messages
* Update avoid-link-to.yaml
* Update avoid-session-manipulation.yaml
* Use Ttodo comment until semgrep/semgrep#3880 is resolved

Co-authored-by: grayson <grayson@returntocorp.com>
Do you need to match both the block and the
I think this is mainly an issue of the Ruby front-end that encodes:

```ruby
Net::HTTP.start(uri.host, uri.port) do |http|
  # ruleid: avoid-tainted-http-request
  req = Net::HTTP::Get.new uri
  resp = http.request req
end
```

in Generic as

which I don't find very accurate. And that encoding means that matching the call to
This issue is synced in Linear at https://linear.app/r2c/issue/PA-360/ruby-taint-does-not-flow-into-do-end-blocks.
Well, I didn't know about Ruby blocks and I thought they had different semantics.. sorry if I confused things. So it seems that the Anyways, perhaps we could instead encode:

```ruby
Net::HTTP.start(uri.host, uri.port) do |http|
  # ruleid: avoid-tainted-http-request
  req = Net::HTTP::Get.new uri
  resp = http.request req
end
```

this other way:

```
Net::HTTP.start(uri.host, uri.port)({|http|
  req = Net::HTTP::Get.new uri
  resp = http.request req})
```

So that
This also requires taint analysis to handle nested functions.
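A minimal taint rule of the shape this thread is about, added here as an illustration and not the semgrep-rules project's own rule; the rule id and the choice of `params` as the source are assumptions:

```yaml
rules:
  - id: example-tainted-http-request   # assumed id; not the project's rule id
    mode: taint
    languages: [ruby]
    severity: WARNING
    message: >-
      A URL derived from request parameters reaches an outbound HTTP request
      (server-side request forgery). Check it against an allow-list first.
    metadata:
      cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
    # Source: the Rails `params` hash (assumed as the source for this example).
    # `uri = URI.parse(params[:url])` becomes tainted because taint propagates
    # through calls whose arguments are tainted.
    pattern-sources:
      - pattern: params
    # Sink: only the URI argument of the request constructor, so the
    # `# ruleid` line inside `Net::HTTP.start(...) do |http| ... end` from the
    # test case quoted in this thread is the line that should be reported.
    pattern-sinks:
      - patterns:
          - pattern: Net::HTTP::Get.new($URI)
          - focus-metavariable: $URI
```

Run it with `semgrep --config <rule file> <test file>` (or `semgrep --test`, which checks the `# ruleid:` annotations): the same sink in straight-line code is reported, while the copy inside the `do |http| ... end` block is the finding this issue reports as missed until taint flows into blocks.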
Passing the body of the block as yet another argument had some undesirable (?) side effects. For example, given `f(x) { |n| puts n }`, pattern `f(...)` matched the entire block rather than just `f(x)`, and `f($X)` did not match anything! Helps #3880 test plan: make test # tests included
Describe the bug
This taint rule does not appear to flow into the do-end block. I want it to match the `# ruleid` inside the block. The block looks like this:
To Reproduce
https://semgrep.dev/s/GwQe
What is the priority of the bug to you?