Merge pull request #11022 from hmac/try-code-injection

Ruby: try/try! as code execution

Author: hmac

ruby/ql/lib/change-notes/2022-10-28-try-code-execution.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `ActiveSupport` extensions `Object#try` and `Object#try!` are now recognised as code executions.

ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll

@@ -81,6 +81,29 @@ module ActiveSupport {
           preservesValue = true
         }
       }
+
+      /**
+       * A call to `Object#try`, which may execute its first argument as a Ruby
+       * method call.
+       * ```rb
+       * x = "abc"
+       * x.try(:upcase) # => "ABC"
+       * y = nil
+       * y.try(:upcase) # => nil
+       * ```
+       * `Object#try!` behaves similarly but raises `NoMethodError` if the
+       * receiver is not `nil` and does not respond to the method.
+       */
+      class TryCallCodeExecution extends CodeExecution::Range, DataFlow::CallNode {
+        TryCallCodeExecution() {
+          this.asExpr().getExpr() instanceof UnknownMethodCall and
+          this.getMethodName() = ["try", "try!"]
+        }
+
+        override DataFlow::Node getCode() { result = this.getArgument(0) }
+
+        override predicate runsArbitraryCode() { none() }
+      }
     }
 
     /**

ruby/ql/test/library-tests/frameworks/active_support/ActiveSupport.expected

@@ -5,3 +5,12 @@ constantizeCalls
 loggerInstantiations
 | active_support.rb:6:1:6:33 | call to new |
 | active_support.rb:7:1:7:40 | call to new |
+codeExecutions
+| active_support.rb:1:1:1:22 | call to constantize |
+| active_support.rb:3:1:3:13 | call to constantize |
+| active_support.rb:4:1:4:18 | call to safe_constantize |
+| active_support.rb:296:5:296:18 | call to try |
+| active_support.rb:297:5:297:17 | call to try |
+| active_support.rb:298:5:298:19 | call to try! |
+| active_support.rb:298:5:298:35 | call to try! |
+| active_support.rb:299:5:299:18 | call to try! |

ruby/ql/test/library-tests/frameworks/active_support/ActiveSupport.ql

@@ -1,9 +1,12 @@
 import codeql.ruby.frameworks.ActiveSupport
 import codeql.ruby.DataFlow
 import codeql.ruby.frameworks.stdlib.Logger
+import codeql.ruby.Concepts
 
 query DataFlow::Node constantizeCalls(ActiveSupport::CoreExtensions::String::Constantize c) {
   result = c.getCode()
 }
 
 query predicate loggerInstantiations(Logger::LoggerInstantiation l) { any() }
+
+query predicate codeExecutions(CodeExecution c) { any() }

ruby/ql/test/library-tests/frameworks/active_support/active_support.rb

@@ -290,3 +290,11 @@ def m_deep_dup
   x = source "a"
   sink x.deep_dup # $hasValueFlow=a
 end
+
+def m_try(method)
+    x = "abc"
+    x.try(:upcase)
+    x.try(method)
+    x.try!(:upcase).try!(:downcase)
+    x.try!(method)
+end