Ruby: configsig rb/code-injection

Author: alexrford

ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll

@@ -1,8 +1,9 @@
 /**
  * Provides a taint-tracking configuration for detecting "Code injection" vulnerabilities.
  *
- * Note, for performance reasons: only import this file if `Configuration` is needed,
- * otherwise `CodeInjectionCustomizations` should be imported instead.
+ * Note, for performance reasons: only import this file if
+ * `CodeInjectionFlow` is needed, otherwise
+ * `CodeInjectionCustomizations` should be imported instead.
  */
 
 import codeql.ruby.DataFlow
@@ -12,8 +13,9 @@ import codeql.ruby.dataflow.BarrierGuards
 
 /**
  * A taint-tracking configuration for detecting "Code injection" vulnerabilities.
+ * DEPRECATED: Use `CodeInjectionFlow` instead
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CodeInjection" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
@@ -40,3 +42,30 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module Config implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowState;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    state = source.(Source).getAFlowState()
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) { state = sink.(Sink).getAFlowState() }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof Sanitizer and not exists(node.(Sanitizer).getAFlowState())
+    or
+    node instanceof StringConstCompareBarrier
+    or
+    node instanceof StringConstArrayInclusionCallBarrier
+  }
+
+  predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
+    node.(Sanitizer).getAFlowState() = state
+  }
+}
+
+/**
+ * Taint-tracking for detecting "Code injection" vulnerabilities.
+ */
+module CodeInjectionFlow = TaintTracking::GlobalWithState<Config>;

ruby/ql/src/queries/security/cwe-094/CodeInjection.ql

@@ -14,18 +14,19 @@
  *       external/cwe/cwe-116
  */
 
-import codeql.ruby.AST
-import codeql.ruby.security.CodeInjectionQuery
-import DataFlow::PathGraph
+private import codeql.ruby.AST
+private import codeql.ruby.security.CodeInjectionQuery
+private import CodeInjectionFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Source sourceNode
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Source sourceNode
 where
-  config.hasFlowPath(source, sink) and
+  CodeInjectionFlow::flowPath(source, sink) and
   sourceNode = source.getNode() and
   // removing duplications of the same path, but different flow-labels.
   sink =
-    min(DataFlow::PathNode otherSink |
-      config.hasFlowPath(any(DataFlow::PathNode s | s.getNode() = sourceNode), otherSink) and
+    min(CodeInjectionFlow::PathNode otherSink |
+      CodeInjectionFlow::flowPath(any(CodeInjectionFlow::PathNode s | s.getNode() = sourceNode),
+        otherSink) and
       otherSink.getNode() = sink.getNode()
     |
       otherSink order by otherSink.getState()