revert YAML.qll and yaml sinks to previous PR, make a separate experimental query only for yaml

Author: am0o0

ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll

@@ -10,68 +10,26 @@ private import codeql.ruby.ApiGraphs
  * A taint step related to the result of `YAML.parse` calls, or similar.
  * In the following example, this step will propagate taint from
  * `source` to `sink`:
- * this contains two seperate steps:
+ *
  * ```rb
  * x = source
- * sink = YAML.parse(x)
- * ```
- * By second step
- * source is a Successor of `YAML.parse(x)`
- * which ends with `to_ruby` or an Element of `to_ruby`
- * ```ruby
- * sink source.to_ruby # Unsafe call
+ * result = YAML.parse(x)
+ * sink result.to_ruby # Unsafe call
  * ```
  */
 private class YamlParseStep extends AdditionalTaintStep {
   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(API::Node yamlParserMethod |
-      succ = yamlParserMethod.getReturn().asSource() and
+    exists(DataFlow::CallNode yamlParserMethod |
+      succ = yamlParserMethod.getAMethodCall("to_ruby") and
       (
-        yamlParserMethod = yamlLibrary().getMethod(["parse", "parse_stream"]) and
-        pred =
-          [yamlParserMethod.getParameter(0), yamlParserMethod.getKeywordParameter("yaml")].asSink()
+        yamlParserMethod = yamlNode().getAMethodCall(["parse", "parse_stream"]) and
+        pred = [yamlParserMethod.getArgument(0), yamlParserMethod.getKeywordArgument("yaml")]
         or
-        yamlParserMethod = yamlLibrary().getMethod("parse_file") and
-        pred =
-          [yamlParserMethod.getParameter(0), yamlParserMethod.getKeywordParameter("filename")]
-              .asSink()
+        yamlParserMethod = yamlNode().getAMethodCall("parse_file") and
+        pred = [yamlParserMethod.getArgument(0), yamlParserMethod.getKeywordArgument("filename")]
       )
     )
-    or
-    exists(API::Node parseSuccessors | parseSuccessors = yamlNode() |
-      succ =
-        [
-          parseSuccessors.getMethod(["to_ruby", "transform"]).getReturn().asSource(),
-          parseSuccessors.getMethod(["to_ruby", "transform"]).getReturn().getAnElement().asSource()
-        ] and
-      pred = parseSuccessors.asSource()
-    )
-    or
-    exists(API::Node parseSuccessors | parseSuccessors = yamlNode() |
-      succ =
-        [
-          parseSuccessors.getMethod(_).getBlock().getParameter(_).asSource(),
-          parseSuccessors.getMethod(_).getReturn().asSource()
-        ] and
-      pred = parseSuccessors.asSource()
-    )
   }
 }
 
-/**
- * Gets A Node ends with YAML parse, parse_stream, parse_file methods
- */
-API::Node yamlNode() {
-  result = yamlLibrary().getMethod(["parse", "parse_stream", "parse_file"]).getReturn()
-  or
-  result = yamlNode().getMethod(_).getReturn()
-  or
-  result = yamlNode().getMethod(_).getBlock().getParameter(_)
-  or
-  result = yamlNode().getAnElement()
-}
-
-/**
- * Gets A YAML module instance
- */
-API::Node yamlLibrary() { result = API::getTopLevelMember(["YAML", "Psych"]) }
+private API::Node yamlNode() { result = API::getTopLevelMember(["YAML", "Psych"]) }

ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll

@@ -11,7 +11,6 @@ private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.frameworks.ActiveJob
 private import codeql.ruby.frameworks.core.Module
 private import codeql.ruby.frameworks.core.Kernel
-private import codeql.ruby.frameworks.Yaml
 
 module UnsafeDeserialization {
   /**
@@ -83,30 +82,27 @@ module UnsafeDeserialization {
   class YamlLoadArgument extends Sink {
     YamlLoadArgument() {
       // Note: this is safe in psych/yaml >= 4.0.0.
-      this = yamlLibrary().getAMethodCall("load").getArgument(0)
+      this = yamlNode().getAMethodCall("load").getArgument(0)
       or
       this =
-        yamlLibrary()
-            .getAMethodCall(["unsafe_load_file", "unsafe_load", "load_stream"])
-            .getArgument(0)
+        yamlNode().getAMethodCall(["unsafe_load_file", "unsafe_load", "load_stream"]).getArgument(0)
       or
-      this = yamlLibrary().getAMethodCall(["unsafe_load", "load_stream"]).getKeywordArgument("yaml")
+      this = yamlNode().getAMethodCall(["unsafe_load", "load_stream"]).getKeywordArgument("yaml")
       or
-      this = yamlLibrary().getAMethodCall("unsafe_load_file").getKeywordArgument("filename")
+      this = yamlNode().getAMethodCall("unsafe_load_file").getKeywordArgument("filename")
     }
   }
 
+  private API::Node yamlNode() { result = API::getTopLevelMember(["YAML", "Psych"]) }
+
   /**
    * An argument in a call to `YAML.parse*`, considered a sink for unsafe deserialization
-   * if there is a call to `to_ruby` on the returned value of any Successor.
+   * if there is a call to `to_ruby` on the returned value.
    */
   class YamlParseArgument extends Sink {
     YamlParseArgument() {
-      exists(API::Node toRubyReceiver |
-        toRubyReceiver = yamlNode() and this = toRubyReceiver.asSource()
-      |
-        exists(toRubyReceiver.getMethod(["to_ruby", "transform"]))
-      )
+      this =
+        yamlNode().getAMethodCall(["parse", "parse_stream", "parse_file"]).getAMethodCall("to_ruby")
     }
   }
 

ruby/ql/src/experimental/cwe-502/UnsafeYamlDeserialization.qhelp

@@ -0,0 +1,62 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Deserializing untrusted data using any method that allows the construction of
+arbitrary objects is easily exploitable and, in many cases, allows an attacker
+to execute arbitrary code.
+</p>
+</overview>
+
+<recommendation>
+
+<p>
+If deserializing an untrusted YAML document using the <code>psych</code> gem,
+prefer the <code>safe_load</code> and <code>safe_load_file</code> methods over
+<code>load</code> and <code>load_file</code>, as the former will safely
+handle untrusted data. Avoid passing untrusted data to the <code>load_stream</code>
+method. In <code>psych</code> version 4.0.0 and above, the <code>load</code> method can
+safely be used.
+</p>
+
+</recommendation>
+
+<example>
+<p>
+The following example calls the <code>Marshal.load</code>,
+<code>JSON.load</code>, <code>YAML.load</code>, and <code>Oj.load</code> methods
+on data from an HTTP request. Since these methods are capable of deserializing
+to arbitrary objects, this is inherently unsafe.
+</p>
+<sample src="examples/UnsafeDeserializationBad.rb"/>
+
+<p>
+Using <code>JSON.parse</code> and <code>YAML.safe_load</code> instead, as in the
+following example, removes the vulnerability. Similarly, calling
+<code>Oj.load</code> with any mode other than <code>:object</code> is safe, as
+is calling <code>Oj.safe_load</code>. Note that there is no safe way to deserialize
+untrusted data using <code>Marshal</code>.
+</p>
+<sample src="examples/UnsafeDeserializationGood.rb"/>
+</example>
+
+<references>
+
+<li>
+OWASP vulnerability description:
+<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">deserialization of untrusted data</a>.
+</li>
+<li>
+Ruby documentation: <a href="https://docs.ruby-lang.org/en/3.0.0/doc/security_rdoc.html">guidance on deserializing objects safely</a>.
+</li>
+<li>
+Ruby documentation: <a href="https://ruby-doc.org/stdlib-3.0.2/libdoc/yaml/rdoc/YAML.html#module-YAML-label-Security">security guidance on the YAML library</a>.
+</li>
+<li>
+You can read that how unsafe yaml load methods can lead to code executions:
+<a href="https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html">Universal Deserialisation Gadget for Ruby 2.x-3.x </a>.
+</li>
+</references>
+
+</qhelp>

ruby/ql/src/experimental/cwe-502/UnsafeYamlDeserialization.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Deserialization of user-controlled yaml data
+ * @description Deserializing user-controlled yaml data may allow attackers to
+ *              execute arbitrary code.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 9.8
+ * @precision high
+ * @id rb/unsafe-unsafeyamldeserialization
+ * @tags security
+ *       external/cwe/cwe-502
+ */
+
+import ruby
+import codeql.ruby.security.UnsafeDeserializationQuery
+import UnsafeCodeConstructionFlow::PathGraph
+
+from UnsafeCodeConstructionFlow::PathNode source, UnsafeCodeConstructionFlow::PathNode sink
+where UnsafeCodeConstructionFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
+  source.getNode().(UnsafeDeserialization::Source).describe()

ruby/ql/src/experimental/cwe-502/UnsafeYamlDeserialization.qll

@@ -0,0 +1,83 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about unsafe deserialization.
+ *
+ * Note, for performance reasons: only import this file if
+ * `UnsafeYamlDeserializationFlow` is needed, otherwise
+ * `UnsafeYamlDeserializationCustomizations` should be imported instead.
+ */
+
+private import codeql.ruby.AST
+private import codeql.ruby.DataFlow
+private import codeql.ruby.TaintTracking
+private import codeql.ruby.ApiGraphs
+import UnsafeYamlDeserializationCustomizations::UnsafeYamlDeserialization
+import Yaml
+
+private module UnsafeYamlDeserializationConfig implements DataFlow::StateConfigSig {
+  class FlowState = FlowState::State;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source instanceof Source and
+    (state instanceof FlowState::Parse or state instanceof FlowState::Load)
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    sink instanceof Sink and
+    (state instanceof FlowState::Parse or state instanceof FlowState::Load)
+  }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  /**
+   * A taint step related to the result of `YAML.parse` calls, or similar.
+   * In the following example, this step will propagate taint from
+   * `source` to `sink`:
+   * this contains two seperate steps:
+   * ```rb
+   * x = source
+   * sink = YAML.parse(x)
+   * ```
+   * By second step
+   * source is a Successor of `YAML.parse(x)`
+   * which ends with `to_ruby` or an Element of `to_ruby`
+   * ```ruby
+   * sink source.to_ruby # Unsafe call
+   * ```
+   */
+  predicate isAdditionalFlowStep(
+    DataFlow::Node pred, FlowState stateFrom, DataFlow::Node succ, FlowState stateTo
+  ) {
+    (
+      exists(API::Node parseSuccessors, API::Node parseMethod |
+        parseMethod = yamlLibrary().getMethod(["parse", "parse_stream", "parse_file"]) and
+        parseSuccessors = yamlParseNode(parseMethod)
+      |
+        succ = parseSuccessors.getMethod("to_ruby").getReturn().asSource() and
+        pred = parseMethod.getArgument(0).asSink()
+      )
+      or
+      exists(API::Node parseMethod |
+        parseMethod = yamlLibrary().getMethod(["parse", "parse_stream", "parse_file"])
+      |
+        succ = parseMethod.getReturn().asSource() and
+        pred = parseMethod.getArgument(0).asSink()
+      )
+    ) and
+    stateFrom instanceof FlowState::Parse and
+    stateTo instanceof FlowState::Parse
+  }
+}
+
+predicate isAdditionalFlowStepTest(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(API::Node parseMethod |
+    parseMethod = yamlLibrary().getMethod(["parse", "parse_stream", "parse_file"])
+  |
+    succ = parseMethod.getReturn().asSource() and
+    pred = parseMethod.getArgument(0).asSink()
+  )
+}
+
+/**
+ * Taint-tracking for reasoning about unsafe deserialization.
+ */
+module UnsafeCodeConstructionFlow = TaintTracking::GlobalWithState<UnsafeYamlDeserializationConfig>;