drive-by: make Base64.decode64(..) into a flowsummary that is shared with all queries

2022-12-07 11:00:28 +01:00 · 2022-12-07 11:00:28 +01:00 · 19d2b49562
--- a/ruby/ql/lib/codeql/ruby/frameworks/Core.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Core.qll
@ -16,6 +16,7 @@ import core.String
 import core.Regexp
 import core.IO
 import core.Digest
+import core.Base64

 /**
 * A system command executed via subshell literal syntax.
--- a/ruby/ql/lib/codeql/ruby/frameworks/core/Base64.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/core/Base64.qll
@ -0,0 +1,25 @@
+/**
+ * Provides modeling for the `Base64` module.
+ */
+
+private import ruby
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.ApiGraphs
+
+private class Base64Decode extends SummarizedCallable {
+  Base64Decode() { this = "Base64.decode64()" }
+
+  override MethodCall getACall() {
+    result =
+      API::getTopLevelMember("Base64")
+          .getAMethodCall(["decode64", "strict_decode64", "urlsafe_decode64"])
+          .asExpr()
+          .getExpr()
+  }
+
+  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+    input = "Argument[0]" and
+    output = "ReturnValue" and
+    preservesValue = false
+  }
+}
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
@ -31,13 +31,6 @@ module UnsafeDeserialization {
   */
  abstract class Sanitizer extends DataFlow::Node { }

-  /**
-   * Additional taint steps for "unsafe deserialization" vulnerabilities.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-    base64DecodeTaintStep(fromNode, toNode)
-  }
-
  /** A source of remote user input, considered as a flow source for unsafe deserialization. */
  class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource { }

@ -215,18 +208,4 @@ module UnsafeDeserialization {
      )
    }
  }
-
-  /**
-   * `Base64.decode64` propagates taint from its argument to its return value.
-   */
-  predicate base64DecodeTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-    exists(DataFlow::CallNode callNode |
-      callNode =
-        API::getTopLevelMember("Base64")
-            .getAMethodCall(["decode64", "strict_decode64", "urlsafe_decode64"])
-    |
-      fromNode = callNode.getArgument(0) and
-      toNode = callNode
-    )
-  }
 }
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
@ -27,8 +27,4 @@ class Configuration extends TaintTracking::Configuration {
    super.isSanitizer(node) or
    node instanceof UnsafeDeserialization::Sanitizer
  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-    UnsafeDeserialization::isAdditionalTaintStep(fromNode, toNode)
-  }
 }
--- a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected
+++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected
@ -1,8 +1,10 @@
 edges
+| UnsafeDeserialization.rb:10:23:10:50 | call to decode64 :  | UnsafeDeserialization.rb:11:27:11:41 | serialized_data |
 | UnsafeDeserialization.rb:10:39:10:44 | call to params :  | UnsafeDeserialization.rb:10:39:10:50 | ...[...] :  |
-| UnsafeDeserialization.rb:10:39:10:50 | ...[...] :  | UnsafeDeserialization.rb:11:27:11:41 | serialized_data |
+| UnsafeDeserialization.rb:10:39:10:50 | ...[...] :  | UnsafeDeserialization.rb:10:23:10:50 | call to decode64 :  |
+| UnsafeDeserialization.rb:16:23:16:50 | call to decode64 :  | UnsafeDeserialization.rb:17:30:17:44 | serialized_data |
 | UnsafeDeserialization.rb:16:39:16:44 | call to params :  | UnsafeDeserialization.rb:16:39:16:50 | ...[...] :  |
-| UnsafeDeserialization.rb:16:39:16:50 | ...[...] :  | UnsafeDeserialization.rb:17:30:17:44 | serialized_data |
+| UnsafeDeserialization.rb:16:39:16:50 | ...[...] :  | UnsafeDeserialization.rb:16:23:16:50 | call to decode64 :  |
 | UnsafeDeserialization.rb:22:17:22:22 | call to params :  | UnsafeDeserialization.rb:22:17:22:28 | ...[...] :  |
 | UnsafeDeserialization.rb:22:17:22:28 | ...[...] :  | UnsafeDeserialization.rb:23:24:23:32 | json_data |
 | UnsafeDeserialization.rb:28:17:28:22 | call to params :  | UnsafeDeserialization.rb:28:17:28:28 | ...[...] :  |
@ -19,9 +21,11 @@ edges
 | UnsafeDeserialization.rb:87:17:87:22 | call to params :  | UnsafeDeserialization.rb:87:17:87:28 | ...[...] :  |
 | UnsafeDeserialization.rb:87:17:87:28 | ...[...] :  | UnsafeDeserialization.rb:88:25:88:33 | yaml_data |
 nodes
+| UnsafeDeserialization.rb:10:23:10:50 | call to decode64 :  | semmle.label | call to decode64 :  |
 | UnsafeDeserialization.rb:10:39:10:44 | call to params :  | semmle.label | call to params :  |
 | UnsafeDeserialization.rb:10:39:10:50 | ...[...] :  | semmle.label | ...[...] :  |
 | UnsafeDeserialization.rb:11:27:11:41 | serialized_data | semmle.label | serialized_data |
+| UnsafeDeserialization.rb:16:23:16:50 | call to decode64 :  | semmle.label | call to decode64 :  |
 | UnsafeDeserialization.rb:16:39:16:44 | call to params :  | semmle.label | call to params :  |
 | UnsafeDeserialization.rb:16:39:16:50 | ...[...] :  | semmle.label | ...[...] :  |
 | UnsafeDeserialization.rb:17:30:17:44 | serialized_data | semmle.label | serialized_data |