Model ActiveStorage

Author: hmac

ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll

@@ -528,13 +528,17 @@ private module Persistence {
  * end
  * ```
  */
-private class ActiveRecordAssociation extends DataFlow::CallNode {
+class ActiveRecordAssociation extends DataFlow::CallNode {
   private ActiveRecordModelClass modelClass;
 
   ActiveRecordAssociation() {
     not exists(this.asExpr().getExpr().getEnclosingMethod()) and
     this.asExpr().getExpr().getEnclosingModule() = modelClass and
-    this.getMethodName() = ["has_one", "has_many", "belongs_to", "has_and_belongs_to_many"]
+    this.getMethodName() =
+      [
+        "has_one", "has_many", "belongs_to", "has_and_belongs_to_many", "has_one_attached",
+        "has_many_attached"
+      ]
   }
 
   /**
@@ -584,21 +588,32 @@ private class ActiveRecordAssociation extends DataFlow::CallNode {
   }
 
   /** Holds if this association is one-to-one */
-  predicate isSingular() { this.getMethodName() = ["has_one", "belongs_to"] }
+  predicate isSingular() { this.getMethodName() = ["has_one", "belongs_to", "has_one_attached"] }
 
   /** Holds if this association is one-to-many or many-to-many */
-  predicate isCollection() { this.getMethodName() = ["has_many", "has_and_belongs_to_many"] }
+  predicate isCollection() {
+    this.getMethodName() = ["has_many", "has_and_belongs_to_many", "has_many_attached"]
+  }
 }
 
 /**
  * Converts `input` to plural form.
+ *
+ * Examples:
+ *
+ * - photo -> photos
+ * - story -> stories
+ * - photos -> photos
  */
 bindingset[input]
 bindingset[result]
-private string pluralize(string input) {
+string pluralize(string input) {
   exists(string stem | stem + "y" = input | result = stem + "ies")
   or
+  not exists(string stem | stem + "s" = input) and
   result = input + "s"
+  or
+  exists(string stem | stem + "s" = input) and result = input
 }
 
 /**

ruby/ql/lib/codeql/ruby/frameworks/ActiveStorage.qll

@@ -8,23 +8,233 @@ private import codeql.ruby.Concepts
 private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.FlowSummary
 private import codeql.ruby.frameworks.data.ModelsAsData
+private import codeql.ruby.frameworks.ActiveRecord
 
-/** A call to `ActiveStorage::Filename#sanitized`, considered as a path sanitizer. */
-class ActiveStorageFilenameSanitizedCall extends Path::PathSanitization::Range, DataFlow::CallNode {
-  ActiveStorageFilenameSanitizedCall() {
-    this.getReceiver() =
-      API::getTopLevelMember("ActiveStorage").getMember("Filename").getAnInstantiation() and
-    this.getMethodName() = "sanitized"
+module ActiveStorage {
+  /** A call to `ActiveStorage::Filename#sanitized`, considered as a path sanitizer. */
+  private class FilenameSanitizedCall extends Path::PathSanitization::Range, DataFlow::CallNode {
+    FilenameSanitizedCall() {
+      this =
+        API::getTopLevelMember("ActiveStorage")
+            .getMember("Filename")
+            .getInstance()
+            .getAMethodCall("sanitized")
+    }
   }
-}
 
-/** Taint related to `ActiveStorage::Filename`. */
-private class Summaries extends ModelInput::SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "activestorage;;Member[ActiveStorage].Member[Filename].Method[new];Argument[0];ReturnValue;taint",
-        "activestorage;;Member[ActiveStorage].Member[Filename].Instance.Method[sanitized];Argument[self];ReturnValue;taint",
-      ]
+  /** Taint related to `ActiveStorage::Filename`. */
+  private class FilenameSummaries extends ModelInput::SummaryModelCsv {
+    override predicate row(string row) {
+      row =
+        [
+          "activestorage;;Member[ActiveStorage].Member[Filename].Method[new];Argument[0];ReturnValue;taint",
+          "activestorage;;Member[ActiveStorage].Member[Filename].Instance.Method[sanitized];Argument[self];ReturnValue;taint",
+        ]
+    }
+  }
+
+  /**
+   * `Blob` is an instance of `ActiveStorage::Blob`.
+   */
+  private class BlobTypeSummary extends ModelInput::TypeModelCsv {
+    override predicate row(string row) {
+      // package1;type1;package2;type2;path
+      row =
+        [
+          // ActiveStorage::Blob.new : Blob
+          "activestorage;Blob;activestorage;;Member[ActiveStorage].Member[Blob].Instance",
+          // ActiveStorage::Blob.create_and_upload! : Blob
+          "activestorage;Blob;activestorage;;Member[ActiveStorage].Member[Blob].Method[create_and_upload!].ReturnValue",
+          // ActiveStorage::Blob.create_before_direct_upload! : Blob
+          "activestorage;Blob;activestorage;;Member[ActiveStorage].Member[Blob].Method[create_before_direct_upload!].ReturnValue",
+          // ActiveStorage::Blob.compose(blobs : [Blob]) : Blob
+          "activestorage;Blob;activestorage;;Member[ActiveStorage].Member[Blob].Method[compose].ReturnValue",
+          "activestorage;Blob;activestorage;;Member[ActiveStorage].Member[Blob].Method[compose].Argument[0].Element[any]",
+          // ActiveStorage::Blob.find_signed(!) : Blob
+          "activestorage;Blob;activestorage;;Member[ActiveStorage].Member[Blob].Method[find_signed,find_signed!].ReturnValue",
+          // ActiveStorage::Attachment#blob : Blob
+          "activestorage;Blob;activestorage;;Member[ActiveStorage].Member[Attachment].Instance.Method[blob].ReturnValue",
+          // ActiveStorage::Attachment delegates method calls to its associated Blob
+          "activestorage;Blob;activestorage;;Member[ActiveStorage].Member[Attachment].Instance",
+        ]
+    }
+  }
+
+  /**
+   * Method calls on `ActiveStorage::Blob` that send HTTP requests.
+   */
+  private class BlobRequestCall extends HTTP::Client::Request::Range {
+    BlobRequestCall() {
+      this =
+        [
+          // Class methods
+          API::getTopLevelMember("ActiveStorage")
+              .getMember("Blob")
+              .getASubclass*()
+              .getAMethodCall(["create_after_unfurling!", "create_and_upload!"]),
+          // Instance methods
+          ModelOutput::getATypeNode("activestorage", "Blob")
+              .getAMethodCall([
+                  "upload", "upload_without_unfurling", "download", "download_chunk", "delete",
+                  "purge"
+                ])
+        ].asExpr().getExpr()
+    }
+
+    override string getFramework() { result = "activestorage" }
+
+    override DataFlow::Node getResponseBody() { result.asExpr().getExpr() = this }
+
+    override DataFlow::Node getAUrlPart() { none() }
+
+    override predicate disablesCertificateValidation(DataFlow::Node disablingNode) { none() }
+  }
+
+  /**
+   * A call to `has_one_attached` or `has_many_attached`, which declares an
+   * association between an ActiveRecord model and an ActiveStorage attachment.
+   *
+   * ```rb
+   * class User < ActiveRecord::Base
+   *   has_one_attached :avatar
+   * end
+   * ```
+   */
+  private class Association extends ActiveRecordAssociation {
+    Association() { this.getMethodName() = ["has_one_attached", "has_many_attached"] }
+  }
+
+  /**
+   * An ActiveStorage attachment, instantiated via an association with an
+   * ActiveRecord model.
+   *
+   * ```rb
+   * class User < ActiveRecord::Base
+   *   has_one_attached :avatar
+   * end
+   *
+   * user = User.find(id)
+   * user.avatar
+   * ```
+   */
+  private class AttachmentInstance extends DataFlow::CallNode {
+    Association assoc;
+
+    AttachmentInstance() {
+      exists(string model | model = assoc.getTargetModelName() |
+        this.getReceiver().(ActiveRecordInstance).getClass() = assoc.getSourceClass() and
+        (
+          assoc.isSingular() and this.getMethodName() = model
+          or
+          assoc.isCollection() and this.getMethodName() = model
+        )
+      )
+    }
+  }
+
+  /**
+   * A call on an ActiveStorage  object that results in an image transformation.
+   * Arguments to these calls may be executed as system commands.
+   */
+  private class ImageProcessingCall extends DataFlow::CallNode, SystemCommandExecution::Range {
+    ImageProcessingCall() {
+      this =
+        ModelOutput::getATypeNode("activestorage", "Blob")
+            .getAMethodCall(["variant", "preview", "representation"]) or
+      this =
+        API::getTopLevelMember("ActiveStorage")
+            .getMember("Attachment")
+            .getInstance()
+            .getAMethodCall(["variant", "preview", "representation"]) or
+      this =
+        API::getTopLevelMember("ActiveStorage")
+            .getMember("Variation")
+            .getAMethodCall(["new", "wrap", "encode"]) or
+      this =
+        API::getTopLevelMember("ActiveStorage")
+            .getMember("Variation")
+            .getInstance()
+            .getAMethodCall("transformations=") or
+      this =
+        API::getTopLevelMember("ActiveStorage")
+            .getMember("Transformers")
+            .getMember("ImageProcessingTransformer")
+            .getAMethodCall("new") or
+      this =
+        API::getTopLevelMember("ActiveStorage")
+            .getMember(["Preview", "VariantWithRecord"])
+            .getAMethodCall("new") or
+      // `ActiveStorage.paths` is a global hash whose values are passed to
+      // a `system` call.
+      this = API::getTopLevelMember("ActiveStorage").getAMethodCall("paths=") or
+      // `ActiveStorage.video_preview_arguments` is passed to a `system` call.
+      this = API::getTopLevelMember("ActiveStorage").getAMethodCall("video_preview_arguments=")
+    }
+
+    override DataFlow::Node getAnArgument() { result = this.getArgument(0) }
+  }
+
+  /**
+   * `ActiveStorage.variant_processor` is passed to `const_get`.
+   */
+  private class VariantProcessor extends DataFlow::CallNode, CodeExecution::Range {
+    VariantProcessor() {
+      this = API::getTopLevelMember("ActiveStorage").getAMethodCall("variant_processor=")
+    }
+
+    override DataFlow::Node getCode() { result = this.getArgument(0) }
+  }
+
+  /**
+   * Adds ActiveStorage instances to the API graph.
+   * Source code may not mention `ActiveStorage` or `ActiveStorage::Attachment`,
+   * so we add synthetic nodes for them.
+   */
+  private module ApiNodes {
+    class ActiveStorage extends API::EntryPoint {
+      ActiveStorage() { this = "ActiveStorage" }
+
+      override predicate edge(API::Node pred, API::Label::ApiLabel lbl) {
+        pred = API::root() and lbl = API::Label::member("ActiveStorage")
+      }
+    }
+
+    class Attachment extends API::EntryPoint {
+      Attachment() { this = "ActiveStorage::Attachment" }
+
+      override predicate edge(API::Node pred, API::Label::ApiLabel lbl) {
+        pred = API::getTopLevelMember("ActiveStorage") and
+        lbl = API::Label::member("Attachment")
+      }
+    }
+
+    class AttachmentNew extends API::EntryPoint {
+      AttachmentNew() { this = "ActiveStorage::Attachment.new" }
+
+      override predicate edge(API::Node pred, API::Label::ApiLabel lbl) {
+        pred = API::getTopLevelMember("ActiveStorage").getMember("Attachment") and
+        lbl = API::Label::method("new")
+      }
+    }
+
+    /**
+     * An API entry point for instances of `ActiveStorage::Attachment`.
+     * These arise from calls to methods generated by `has_one_attached` and
+     * `has_many_attached` associations.
+     */
+    class AttachmentInstanceNode extends API::EntryPoint {
+      AttachmentInstanceNode() { this = "ActiveStorage::Attachment.new.ReturnValue" }
+
+      override predicate edge(API::Node pred, API::Label::ApiLabel lbl) {
+        pred = API::getTopLevelMember("ActiveStorage").getMember("Attachment").getMethod("new") and
+        lbl = API::Label::return()
+      }
+
+      override DataFlow::LocalSourceNode getAUse() { result = any(AttachmentInstance i) }
+
+      override DataFlow::CallNode getACall() {
+        any(AttachmentInstance i).flowsTo(result.getReceiver())
+      }
+    }
   }
 }

ruby/ql/test/library-tests/frameworks/active_storage/ActiveStorage.expected

@@ -0,0 +1,47 @@
+attachmentInstances
+| active_storage.rb:11:1:11:25 | ... = ... |
+| active_storage.rb:11:1:11:25 | ... = ... |
+| active_storage.rb:11:15:11:25 | call to avatar |
+| active_storage.rb:13:1:13:11 | user_avatar |
+| active_storage.rb:14:1:14:11 | user_avatar |
+| active_storage.rb:15:1:15:11 | user_avatar |
+| active_storage.rb:17:1:17:11 | call to avatar |
+| active_storage.rb:19:1:19:42 | ... = ... |
+| active_storage.rb:19:1:19:42 | ... = ... |
+| active_storage.rb:19:14:19:42 | call to new |
+| active_storage.rb:23:11:23:20 | attachment |
+| active_storage.rb:24:11:24:20 | attachment |
+| active_storage.rb:25:18:25:27 | attachment |
+| active_storage.rb:42:5:42:15 | call to images |
+| active_storage.rb:73:1:73:10 | attachment |
+| active_storage.rb:74:1:74:10 | attachment |
+httpRequests
+| active_storage.rb:50:1:50:74 | call to create_after_unfurling! | activestorage | active_storage.rb:50:1:50:74 | call to create_after_unfurling! |
+| active_storage.rb:51:8:51:76 | call to create_and_upload! | activestorage | active_storage.rb:51:8:51:76 | call to create_and_upload! |
+| active_storage.rb:53:1:53:11 | call to upload | activestorage | active_storage.rb:53:1:53:11 | call to upload |
+| active_storage.rb:54:1:54:29 | call to upload_without_unfurling | activestorage | active_storage.rb:54:1:54:29 | call to upload_without_unfurling |
+| active_storage.rb:55:1:55:13 | call to download | activestorage | active_storage.rb:55:1:55:13 | call to download |
+| active_storage.rb:56:1:56:19 | call to download_chunk | activestorage | active_storage.rb:56:1:56:19 | call to download_chunk |
+| active_storage.rb:57:1:57:11 | call to delete | activestorage | active_storage.rb:57:1:57:11 | call to delete |
+| active_storage.rb:58:1:58:10 | call to purge | activestorage | active_storage.rb:58:1:58:10 | call to purge |
+| active_storage.rb:61:1:61:11 | call to upload | activestorage | active_storage.rb:61:1:61:11 | call to upload |
+| active_storage.rb:65:1:65:11 | call to upload | activestorage | active_storage.rb:65:1:65:11 | call to upload |
+| active_storage.rb:68:1:68:11 | call to upload | activestorage | active_storage.rb:68:1:68:11 | call to upload |
+| active_storage.rb:71:1:71:11 | call to upload | activestorage | active_storage.rb:71:1:71:11 | call to upload |
+| active_storage.rb:73:1:73:22 | call to upload | activestorage | active_storage.rb:73:1:73:22 | call to upload |
+| active_storage.rb:74:1:74:17 | call to upload | activestorage | active_storage.rb:74:1:74:17 | call to upload |
+commandExecutions
+| active_storage.rb:17:1:17:48 | call to variant | active_storage.rb:17:21:17:47 | Pair |
+| active_storage.rb:23:11:23:57 | call to variant | active_storage.rb:23:30:23:56 | Pair |
+| active_storage.rb:24:11:24:44 | call to preview | active_storage.rb:24:30:24:43 | Pair |
+| active_storage.rb:25:18:25:59 | call to representation | active_storage.rb:25:44:25:58 | Pair |
+| active_storage.rb:28:1:28:25 | call to transformations= | active_storage.rb:28:29:28:43 | ... = ... |
+| active_storage.rb:30:15:30:90 | call to new | active_storage.rb:30:75:30:89 | transformations |
+| active_storage.rb:31:11:31:53 | call to new | active_storage.rb:31:38:31:52 | transformations |
+| active_storage.rb:32:11:32:63 | call to new | active_storage.rb:32:48:32:62 | transformations |
+| active_storage.rb:34:1:34:19 | call to paths= | active_storage.rb:34:23:34:60 | ... = ... |
+| active_storage.rb:35:1:35:37 | call to video_preview_arguments= | active_storage.rb:35:41:35:59 | ... = ... |
+codeExecutions
+| active_storage.rb:37:1:37:31 | call to variant_processor= | active_storage.rb:37:35:37:50 | ... = ... |
+pathSanitizations
+| active_storage.rb:48:1:48:18 | call to sanitized |

ruby/ql/test/library-tests/frameworks/active_storage/ActiveStorage.ql

@@ -0,0 +1,24 @@
+import ruby
+import codeql.ruby.ApiGraphs
+import codeql.ruby.DataFlow
+import codeql.ruby.Concepts
+
+query predicate attachmentInstances(DataFlow::Node n) {
+  n =
+    API::getTopLevelMember("ActiveStorage")
+        .getMember("Attachment")
+        .getInstance()
+        .getAValueReachableFromSource()
+}
+
+query predicate httpRequests(HTTP::Client::Request r, string framework, DataFlow::Node responseBody) {
+  r.getFramework() = framework and r.getResponseBody() = responseBody
+}
+
+query predicate commandExecutions(SystemCommandExecution c, DataFlow::Node arg) {
+  arg = c.getAnArgument()
+}
+
+query predicate codeExecutions(CodeExecution e, DataFlow::Node code) { code = e.getCode() }
+
+query predicate pathSanitizations(Path::PathSanitization p) { any() }