Merge pull request #12083 from pwntester/ruby_twirp_support

[Ruby] Add support for Twirp framework

Author: alexrford

ruby/ql/lib/change-notes/2023-02-03-twirp.md

@@ -0,0 +1,4 @@
+---
+ category: minorAnalysis
+---
+* Support for [Twirp framework](https://twitchtv.github.io/twirp/docs/intro.html).

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -27,3 +27,4 @@ private import codeql.ruby.frameworks.ActionDispatch
 private import codeql.ruby.frameworks.PosixSpawn
 private import codeql.ruby.frameworks.StringFormatters
 private import codeql.ruby.frameworks.Json
+private import codeql.ruby.frameworks.Twirp

ruby/ql/lib/codeql/ruby/frameworks/Twirp.qll

@@ -0,0 +1,85 @@
+/**
+ * Provides classes for modeling the `Twirp` framework.
+ */
+
+private import codeql.ruby.DataFlow
+private import codeql.ruby.CFG
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.AST as Ast
+private import codeql.ruby.security.ServerSideRequestForgeryCustomizations
+private import codeql.ruby.Concepts
+
+/**
+ * Provides classes for modeling the `Twirp` framework.
+ */
+module Twirp {
+  /**
+   * A Twirp service instantiation
+   */
+  class ServiceInstantiation extends DataFlow::CallNode {
+    ServiceInstantiation() {
+      this =
+        API::getTopLevelMember("Twirp").getMember("Service").getASubclass().getAnInstantiation()
+    }
+
+    /**
+     * Gets a local source node for the Service instantiation argument (the service handler).
+     */
+    private DataFlow::LocalSourceNode getHandlerSource() {
+      result = this.getArgument(0).getALocalSource()
+    }
+
+    /**
+     * Gets the API::Node for the service handler's class.
+     */
+    private API::Node getAHandlerClassApiNode() {
+      result.getAnInstantiation() = this.getHandlerSource()
+    }
+
+    /**
+     * Gets the AST module for the service handler's class.
+     */
+    private Ast::Module getAHandlerClassAstNode() {
+      result =
+        this.getAHandlerClassApiNode()
+            .asSource()
+            .asExpr()
+            .(CfgNodes::ExprNodes::ConstantReadAccessCfgNode)
+            .getExpr()
+            .getModule()
+    }
+
+    /**
+     * Gets a handler's method.
+     */
+    Ast::Method getAHandlerMethod() {
+      result = this.getAHandlerClassAstNode().getAnInstanceMethod()
+    }
+  }
+
+  /**
+   * A Twirp client
+   */
+  class ClientInstantiation extends DataFlow::CallNode {
+    ClientInstantiation() {
+      this = API::getTopLevelMember("Twirp").getMember("Client").getASubclass().getAnInstantiation()
+    }
+  }
+
+  /** The URL of a Twirp service, considered as a sink. */
+  class ServiceUrlAsSsrfSink extends ServerSideRequestForgery::Sink {
+    ServiceUrlAsSsrfSink() { exists(ClientInstantiation c | c.getArgument(0) = this) }
+  }
+
+  /** A parameter that will receive parts of the url when handling an incoming request. */
+  class UnmarshaledParameter extends Http::Server::RequestInputAccess::Range,
+    DataFlow::ParameterNode {
+    UnmarshaledParameter() {
+      exists(ServiceInstantiation i | i.getAHandlerMethod().getParameter(0) = this.asParameter())
+    }
+
+    override string getSourceType() { result = "Twirp Unmarhaled Parameter" }
+
+    override Http::Server::RequestInputKind getKind() { result = Http::Server::bodyInputKind() }
+  }
+}

ruby/ql/test/library-tests/frameworks/Twirp/Gemfile

@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+gem "rack"
+gem "webrick"
+gem "twirp"

ruby/ql/test/library-tests/frameworks/Twirp/Twirp.expected

@@ -0,0 +1,6 @@
+sourceTest
+| hello_world_server.rb:8:13:8:15 | req |
+ssrfSinkTest
+| hello_world_client.rb:6:47:6:75 | "http://localhost:8080/twirp" |
+serviceInstantiationTest
+| hello_world_server.rb:24:11:24:61 | call to new |

ruby/ql/test/library-tests/frameworks/Twirp/Twirp.ql

@@ -0,0 +1,8 @@
+private import codeql.ruby.frameworks.Twirp
+private import codeql.ruby.DataFlow
+
+query predicate sourceTest(Twirp::UnmarshaledParameter source) { any() }
+
+query predicate ssrfSinkTest(Twirp::ServiceUrlAsSsrfSink sink) { any() }
+
+query predicate serviceInstantiationTest(Twirp::ServiceInstantiation si) { any() }

ruby/ql/test/library-tests/frameworks/Twirp/hello_world/service.proto

@@ -0,0 +1,15 @@
+syntax = "proto3";
+package example.hello_world;
+
+
+service HelloWorld {
+    rpc Hello(HelloRequest) returns (HelloResponse);
+}
+
+message HelloRequest {
+    string name = 1;
+}
+
+message HelloResponse {
+    string message = 1;
+}

ruby/ql/test/library-tests/frameworks/Twirp/hello_world/service_pb.rb

@@ -0,0 +1,17 @@
+# Code generated by protoc-gen-twirp_ruby 1.10.0, DO NOT EDIT.
+require 'twirp'
+require_relative 'service_pb.rb'
+
+module Example
+  module HelloWorld
+    class HelloWorldService < ::Twirp::Service
+      package 'example.hello_world'
+      service 'HelloWorld'
+      rpc :Hello, HelloRequest, HelloResponse, :ruby_method => :hello
+    end
+
+    class HelloWorldClient < ::Twirp::Client
+      client_for HelloWorldService
+    end
+  end
+end

ruby/ql/test/library-tests/frameworks/Twirp/hello_world/service_twirp.rb

@@ -0,0 +1,13 @@
+require 'rack'
+
+require_relative 'hello_world/service_twirp.rb'
+
+# test: ssrfSink
+c = Example::HelloWorld::HelloWorldClient.new("http://localhost:8080/twirp") 
+
+resp = c.hello(name: "World")
+if resp.error
+  puts resp.error
+else
+  puts resp.data.message
+end