Skip to content

Commit 019b85b

Browse files
Sim4n6Sim4n6
committed
Add Unicode Bypass Validation query, test and help file
1 parent 2e5a048 commit 019b85b

10 files changed

Lines changed: 242 additions & 0 deletions

ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationCustomizations.qll

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
/**
2+
* Provides default sources, sinks and sanitizers for detecting
3+
* "Unicode transformation"
4+
* vulnerabilities, as well as extension points for adding your own.
5+
*/
6+
7+
private import ruby
8+
9+
/**
10+
* Provides default sources, sinks and sanitizers for detecting
11+
* "Unicode transformation"
12+
* vulnerabilities, as well as extension points for adding your own.
13+
*/
14+
module UnicodeBypassValidation {
15+
/**
16+
* A data flow source for "Unicode transformation" vulnerabilities.
17+
*/
18+
abstract class Source extends DataFlow::Node { }
19+
20+
/**
21+
* A data flow sink for "Unicode transformation" vulnerabilities.
22+
*/
23+
abstract class Sink extends DataFlow::Node { }
24+
25+
/**
26+
* A sanitizer for "Unicode transformation" vulnerabilities.
27+
*/
28+
abstract class Sanitizer extends DataFlow::Node { }
29+
}

ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
/**
2+
* Provides a taint-tracking configuration for detecting "Unicode transformation mishandling" vulnerabilities.
3+
*/
4+
5+
private import ruby
6+
private import codeql.ruby.ApiGraphs
7+
private import codeql.ruby.AST
8+
private import codeql.ruby.Concepts
9+
private import codeql.ruby.DataFlow
10+
private import codeql.ruby.dataflow.RemoteFlowSources
11+
private import codeql.ruby.TaintTracking
12+
import UnicodeBypassValidationCustomizations::UnicodeBypassValidation
13+
14+
/** A state signifying that a logical validation has not been performed. */
15+
class PreValidation extends DataFlow::FlowState {
16+
PreValidation() { this = "PreValidation" }
17+
}
18+
19+
/** A state signifying that a logical validation has been performed. */
20+
class PostValidation extends DataFlow::FlowState {
21+
PostValidation() { this = "PostValidation" }
22+
}
23+
24+
/**
25+
* A taint-tracking configuration for detecting "Unicode transformation mishandling" vulnerabilities.
26+
*
27+
* This configuration uses two flow states, `PreValidation` and `PostValidation`,
28+
* to track the requirement that a logical validation has been performed before the Unicode Transformation.
29+
*/
30+
class Configuration extends TaintTracking::Configuration {
31+
Configuration() { this = "UnicodeBypassValidation" }
32+
33+
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
34+
source instanceof RemoteFlowSource and state instanceof PreValidation
35+
}
36+
37+
override predicate isAdditionalTaintStep(
38+
DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
39+
DataFlow::FlowState stateTo
40+
) {
41+
(
42+
exists(Escaping escaping | nodeFrom = escaping.getAnInput() and nodeTo = escaping.getOutput())
43+
or
44+
exists(RegexExecution re | nodeFrom = re.getString() and nodeTo = re)
45+
// or
46+
// stringManipulation(nodeFrom, nodeTo)
47+
) and
48+
stateFrom instanceof PreValidation and
49+
stateTo instanceof PostValidation
50+
}
51+
52+
/* A Unicode Tranformation (Unicode tranformation) is considered a sink when the algorithm used is either NFC or NFKC. */
53+
override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
54+
exists(DataFlow::CallNode cn |
55+
cn.getMethodName() = "unicode_normalize" and
56+
cn.getArgument(0).toString() = [":nfkc", ":nfc"] and
57+
sink = cn.getReceiver()
58+
) and
59+
state instanceof PostValidation
60+
}
61+
}

ruby/ql/src/change-notes/2013-05-02-post-unicode-normalization-query.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
---
2+
category: newQuery
3+
---
4+
* Added a new query, `ruby/post-unicode-normalization`, to detect a misuse of a post-unicode normalization.

ruby/ql/src/experimental/cwe-176/UnicodeBypassValidation.qhelp

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
2+
<qhelp>
3+
<overview>
4+
<p>Security checks bypass due to a Unicode transformation</p>
5+
<p>
6+
If ever a unicode tranformation is performed after some security checks or logical
7+
validation, the
8+
latter could be bypassed due to a potential Unicode characters collision.
9+
The validation of concern are any character escaping, any regex validation or any string
10+
verification.
11+
</p>
12+
<img src="./vulnerability-flow.png" alt="Security checks bypassed" />
13+
</overview>
14+
<recommendation>
15+
<p> Perform a Unicode normalization before the logical validation. </p>
16+
</recommendation>
17+
<example>
18+
19+
<p> The following example showcases the bypass of all checks performed by <code>
20+
flask.escape()</code> due to a post-unicode normalization.</p>
21+
<p>For instance: the character U+FE64 (<code>﹤</code>) is not filtered-out by the flask
22+
escape function. But due to the Unicode normalization, the character is transformed and
23+
would become U+003C (<code> &lt; </code> ).</p>
24+
25+
<sample src="./examples/unicode_normalization.rb" />
26+
27+
</example>
28+
<references>
29+
<li> Research study: <a
30+
href="https://gosecure.github.io/presentations/2021-02-unicode-owasp-toronto/philippe_arteau_owasp_unicode_v4.pdf">
31+
Unicode vulnerabilities that could bYte you
32+
</a> and <a
33+
href="https://gosecure.github.io/unicode-pentester-cheatsheet/">Unicode pentest
34+
cheatsheet</a>. </li>
35+
</references>
36+
</qhelp>

ruby/ql/src/experimental/cwe-176/UnicodeBypassValidation.ql

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
/**
2+
* @name Bypass Logical Validation Using Unicode Characters
3+
* @description A Unicode transformation is using a remote user-controlled data. The transformation is a Unicode normalization using the algorithms "NFC" or "NFKC". In all cases, the security measures implemented or the logical validation performed to escape any injection characters, to validate using regex patterns or to perform string-based checks, before the Unicode transformation are **bypassable** by special Unicode characters.
4+
* @kind path-problem
5+
* @id rb/unicode-bypass-validation
6+
* @precision high
7+
* @problem.severity error
8+
* @tags security
9+
* experimental
10+
* external/cwe/cwe-176
11+
*/
12+
13+
import ruby
14+
import codeql.ruby.experimental.UnicodeBypassValidationQuery
15+
import DataFlow::PathGraph
16+
17+
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
18+
where config.hasFlowPath(source, sink)
19+
select sink.getNode(), source, sink,
20+
"This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters.",
21+
sink.getNode(), "Unicode transformation (Unicode normalization)", source.getNode(),
22+
"remote user-controlled data"

ruby/ql/src/experimental/cwe-176/examples/unicode_normalization.rb

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
class UnicodeNormalizationHtMLSafeController < ActionController::Base
2+
def unicodeNormalize
3+
unicode_input = params[:unicode_input]
4+
unicode_html_safe = unicode_input.html_safe
5+
normalized_nfkc = unicode_html_safe.unicode_normalize(:nfkc) # $result=BAD
6+
normalized_nfc = unicode_html_safe.unicode_normalize(:nfc) # $result=BAD
7+
end
8+
end

ruby/ql/src/experimental/cwe-176/vulnerability-flow.png

36.8 KB
Loading

ruby/ql/test/query-tests/experimental/cwe-176/UnicodeBypassValidation.expected

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
edges
2+
| unicode_normalization.rb:3:5:3:17 | unicode_input : | unicode_normalization.rb:4:23:4:35 | unicode_input |
3+
| unicode_normalization.rb:3:5:3:17 | unicode_input : | unicode_normalization.rb:5:22:5:34 | unicode_input |
4+
| unicode_normalization.rb:3:21:3:26 | call to params : | unicode_normalization.rb:3:21:3:42 | ...[...] : |
5+
| unicode_normalization.rb:3:21:3:42 | ...[...] : | unicode_normalization.rb:3:5:3:17 | unicode_input : |
6+
| unicode_normalization.rb:11:5:11:17 | unicode_input : | unicode_normalization.rb:12:27:12:39 | unicode_input : |
7+
| unicode_normalization.rb:11:5:11:17 | unicode_input : | unicode_normalization.rb:12:27:12:39 | unicode_input : |
8+
| unicode_normalization.rb:11:21:11:26 | call to params : | unicode_normalization.rb:11:21:11:42 | ...[...] : |
9+
| unicode_normalization.rb:11:21:11:26 | call to params : | unicode_normalization.rb:11:21:11:42 | ...[...] : |
10+
| unicode_normalization.rb:11:21:11:42 | ...[...] : | unicode_normalization.rb:11:5:11:17 | unicode_input : |
11+
| unicode_normalization.rb:11:21:11:42 | ...[...] : | unicode_normalization.rb:11:5:11:17 | unicode_input : |
12+
| unicode_normalization.rb:12:5:12:23 | unicode_input_manip : | unicode_normalization.rb:13:23:13:41 | unicode_input_manip |
13+
| unicode_normalization.rb:12:5:12:23 | unicode_input_manip : | unicode_normalization.rb:14:22:14:40 | unicode_input_manip |
14+
| unicode_normalization.rb:12:27:12:39 | unicode_input : | unicode_normalization.rb:12:27:12:59 | call to sub : |
15+
| unicode_normalization.rb:12:27:12:39 | unicode_input : | unicode_normalization.rb:12:27:12:59 | call to sub : |
16+
| unicode_normalization.rb:12:27:12:59 | call to sub : | unicode_normalization.rb:12:5:12:23 | unicode_input_manip : |
17+
| unicode_normalization.rb:20:5:20:17 | unicode_input : | unicode_normalization.rb:21:25:21:37 | unicode_input : |
18+
| unicode_normalization.rb:20:21:20:26 | call to params : | unicode_normalization.rb:20:21:20:42 | ...[...] : |
19+
| unicode_normalization.rb:20:21:20:42 | ...[...] : | unicode_normalization.rb:20:5:20:17 | unicode_input : |
20+
| unicode_normalization.rb:21:5:21:21 | unicode_html_safe : | unicode_normalization.rb:22:23:22:39 | unicode_html_safe |
21+
| unicode_normalization.rb:21:5:21:21 | unicode_html_safe : | unicode_normalization.rb:23:22:23:38 | unicode_html_safe |
22+
| unicode_normalization.rb:21:25:21:37 | unicode_input : | unicode_normalization.rb:21:25:21:47 | call to html_safe : |
23+
| unicode_normalization.rb:21:25:21:47 | call to html_safe : | unicode_normalization.rb:21:5:21:21 | unicode_html_safe : |
24+
nodes
25+
| unicode_normalization.rb:3:5:3:17 | unicode_input : | semmle.label | unicode_input : |
26+
| unicode_normalization.rb:3:21:3:26 | call to params : | semmle.label | call to params : |
27+
| unicode_normalization.rb:3:21:3:42 | ...[...] : | semmle.label | ...[...] : |
28+
| unicode_normalization.rb:4:23:4:35 | unicode_input | semmle.label | unicode_input |
29+
| unicode_normalization.rb:5:22:5:34 | unicode_input | semmle.label | unicode_input |
30+
| unicode_normalization.rb:11:5:11:17 | unicode_input : | semmle.label | unicode_input : |
31+
| unicode_normalization.rb:11:5:11:17 | unicode_input : | semmle.label | unicode_input : |
32+
| unicode_normalization.rb:11:21:11:26 | call to params : | semmle.label | call to params : |
33+
| unicode_normalization.rb:11:21:11:42 | ...[...] : | semmle.label | ...[...] : |
34+
| unicode_normalization.rb:11:21:11:42 | ...[...] : | semmle.label | ...[...] : |
35+
| unicode_normalization.rb:12:5:12:23 | unicode_input_manip : | semmle.label | unicode_input_manip : |
36+
| unicode_normalization.rb:12:27:12:39 | unicode_input : | semmle.label | unicode_input : |
37+
| unicode_normalization.rb:12:27:12:39 | unicode_input : | semmle.label | unicode_input : |
38+
| unicode_normalization.rb:12:27:12:59 | call to sub : | semmle.label | call to sub : |
39+
| unicode_normalization.rb:13:23:13:41 | unicode_input_manip | semmle.label | unicode_input_manip |
40+
| unicode_normalization.rb:14:22:14:40 | unicode_input_manip | semmle.label | unicode_input_manip |
41+
| unicode_normalization.rb:20:5:20:17 | unicode_input : | semmle.label | unicode_input : |
42+
| unicode_normalization.rb:20:21:20:26 | call to params : | semmle.label | call to params : |
43+
| unicode_normalization.rb:20:21:20:42 | ...[...] : | semmle.label | ...[...] : |
44+
| unicode_normalization.rb:21:5:21:21 | unicode_html_safe : | semmle.label | unicode_html_safe : |
45+
| unicode_normalization.rb:21:25:21:37 | unicode_input : | semmle.label | unicode_input : |
46+
| unicode_normalization.rb:21:25:21:47 | call to html_safe : | semmle.label | call to html_safe : |
47+
| unicode_normalization.rb:22:23:22:39 | unicode_html_safe | semmle.label | unicode_html_safe |
48+
| unicode_normalization.rb:23:22:23:38 | unicode_html_safe | semmle.label | unicode_html_safe |
49+
subpaths
50+
#select
51+
| unicode_normalization.rb:4:23:4:35 | unicode_input | unicode_normalization.rb:3:21:3:26 | call to params : | unicode_normalization.rb:4:23:4:35 | unicode_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:4:23:4:35 | unicode_input | Unicode transformation (Unicode normalization) | unicode_normalization.rb:3:21:3:26 | call to params | remote user-controlled data |
52+
| unicode_normalization.rb:5:22:5:34 | unicode_input | unicode_normalization.rb:3:21:3:26 | call to params : | unicode_normalization.rb:5:22:5:34 | unicode_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:5:22:5:34 | unicode_input | Unicode transformation (Unicode normalization) | unicode_normalization.rb:3:21:3:26 | call to params | remote user-controlled data |
53+
| unicode_normalization.rb:13:23:13:41 | unicode_input_manip | unicode_normalization.rb:11:21:11:26 | call to params : | unicode_normalization.rb:13:23:13:41 | unicode_input_manip | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:13:23:13:41 | unicode_input_manip | Unicode transformation (Unicode normalization) | unicode_normalization.rb:11:21:11:26 | call to params | remote user-controlled data |
54+
| unicode_normalization.rb:14:22:14:40 | unicode_input_manip | unicode_normalization.rb:11:21:11:26 | call to params : | unicode_normalization.rb:14:22:14:40 | unicode_input_manip | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:14:22:14:40 | unicode_input_manip | Unicode transformation (Unicode normalization) | unicode_normalization.rb:11:21:11:26 | call to params | remote user-controlled data |
55+
| unicode_normalization.rb:22:23:22:39 | unicode_html_safe | unicode_normalization.rb:20:21:20:26 | call to params : | unicode_normalization.rb:22:23:22:39 | unicode_html_safe | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:22:23:22:39 | unicode_html_safe | Unicode transformation (Unicode normalization) | unicode_normalization.rb:20:21:20:26 | call to params | remote user-controlled data |
56+
| unicode_normalization.rb:23:22:23:38 | unicode_html_safe | unicode_normalization.rb:20:21:20:26 | call to params : | unicode_normalization.rb:23:22:23:38 | unicode_html_safe | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:23:22:23:38 | unicode_html_safe | Unicode transformation (Unicode normalization) | unicode_normalization.rb:20:21:20:26 | call to params | remote user-controlled data |

ruby/ql/test/query-tests/experimental/cwe-176/UnicodeBypassValidation.qlref

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
experimental/cwe-176/UnicodeBypassValidation.ql

ruby/ql/test/query-tests/experimental/cwe-176/unicode_normalization.rb

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
class UnicodeNormalizationOKController < ActionController::Base
2+
def unicodeNormalize
3+
unicode_input = params[:unicode_input]
4+
normalized_nfkc = unicode_input.unicode_normalize(:nfkc) # $MISSING:result=OK
5+
normalized_nfc = unicode_input.unicode_normalize(:nfc) # $MISSING:result=OK
6+
end
7+
end
8+
9+
class UnicodeNormalizationStrManipulationController < ActionController::Base
10+
def unicodeNormalize
11+
unicode_input = params[:unicode_input]
12+
unicode_input_manip = unicode_input.sub(/[aeiou]/, "*")
13+
normalized_nfkc = unicode_input_manip.unicode_normalize(:nfkc) # $result=BAD
14+
normalized_nfc = unicode_input_manip.unicode_normalize(:nfc) # $result=BAD
15+
end
16+
end
17+
18+
class UnicodeNormalizationHtMLSafeController < ActionController::Base
19+
def unicodeNormalize
20+
unicode_input = params[:unicode_input]
21+
unicode_html_safe = unicode_input.html_safe
22+
normalized_nfkc = unicode_html_safe.unicode_normalize(:nfkc) # $result=BAD
23+
normalized_nfc = unicode_html_safe.unicode_normalize(:nfc) # $result=BAD
24+
end
25+
end

0 commit comments

Comments
 (0)