Ruby: use hostname sanitizers for rb/server-side-request-forgery

github · Sep 15, 2023 · 32ad3fd · 32ad3fd
1 parent bf55f29
commit 32ad3fd
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryCustomizations.qll
@@ -10,6 +10,7 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.Concepts
 private import codeql.ruby.dataflow.Sanitizers
+private import codeql.ruby.security.UrlConcatenation
 
 /**
  * Provides default sources, sinks and sanitizers for reasoning about
@@ -31,6 +32,16 @@ module ServerSideRequestForgery {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
+  /**
+   * An in-sanitizer for server side request forgery vulnerabilities.
+   */
+  abstract class SanitizerIn extends DataFlow::Node { }
+
+  /**
+   * A out-sanitizer for server side request forgery vulnerabilities.
+   */
+  abstract class SanitizerOut extends DataFlow::Node { }
+
   /**
    * DEPRECATED: Use `Sanitizer` instead.
    *
@@ -48,4 +59,25 @@ module ServerSideRequestForgery {
 
   /** A string interpolation with a fixed prefix, considered as a flow sanitizer. */
   class StringInterpolationAsSanitizer extends PrefixedStringInterpolation, Sanitizer { }
+
+  /**
+   * A sanitizer for the hostname of a URL.
+   */
+  class HostnameSanitizer extends Sanitizer {
+    HostnameSanitizer() { this = DataFlow::BarrierGuard<hostnameGuard/3>::getABarrierNode() }
+  }
+
+  /**
+   * An in-sanitizer for the hostname of a URL.
+   */
+  class HostnameSanitizerIn extends SanitizerIn {
+    HostnameSanitizerIn() { hostnameSanitizingPrefixEdge(_, this) }
+  }
+
+  /**
+   * An out-sanitizer for the hostname of a URL.
+   */
+  class HostnameSanitizerOut extends SanitizerOut {
+    HostnameSanitizerOut() { hostnameSanitizingPrefixEdge(this, _) }
+  }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll
@@ -30,6 +30,10 @@ deprecated class Configuration extends TaintTracking::Configuration {
     node instanceof StringConstArrayInclusionCallBarrier
   }
 
+  override predicate isSanitizerIn(DataFlow::Node node) { node instanceof SanitizerIn }
+
+  override predicate isSanitizerOut(DataFlow::Node node) { node instanceof SanitizerOut }
+
   deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
     guard instanceof SanitizerGuard
   }
@@ -45,6 +49,10 @@ private module ServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
     node instanceof StringConstCompareBarrier or
     node instanceof StringConstArrayInclusionCallBarrier
   }
+
+  predicate isBarrierIn(DataFlow::Node node) { node instanceof SanitizerIn }
+
+  predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerOut }
 }
 
 /**