Ruby: Add additional sinks to the rb/kernel-open query
#11366
+94
−6
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
QHelp previews: |
p-
changed the title
rb/kernel-open queryrb/kernel-open query
erik-krogh
approved these changes
Nov 22, 2022
I had my doubt abouts URI.open, but yes that's also vulnerable
irb(main):001:0> require "open-uri"
=> true
irb(main):002:0> URI
=> URI
irb(main):003:0> URI.open "https://google.com"
=> #<File:/var/folders/qp/rmn5qy357vb70d2sgqv1tt_c0000gn/T/open-uri20221122-8505-omzyyf>
irb(main):004:0> URI.open "| touch pwned"
=> #<IO:fd 11>LGTM
erik-krogh
requested changes
Nov 24, 2022
I'm sorry, I'm going to need changes.
Can you see the evaluation?
There are bunch of results in opal/opal where the alert is on a safe call to e.g. File.write, but according to the alert message the call is to IO.write, so you'll have to do something about that.
You can see in KernelOpenQuery.qll that I've already done that for IO.read.
I think that happens due to some aliasing
(You can ask the more senior CodeQL Ruby devs on Slack about that).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Hi!
This PR adds following sinks to the
rb/kernel-openquery:IO.writeIO.binreadIO.binwriteIO.foreachIO.readlinesURI.openThese sinks all belong to the same family as the already implemented
Kernel.openandIO.read. (Command injection with a starting pipe (|).In addition to that I added a sanitizer I encountered in the wild:
File.joinsanitizes an untrusted user input if the tainted data is not passed in as the first argument (command execution is only possible if the first sign character passed to those sinks is a pipe (|).