Ruby: configsig rb/hardcoded-data-interpreted-as-code

Author: alexrford

ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll

@@ -3,7 +3,7 @@
  * being interpreted as code.
  *
  * Note, for performance reasons: only import this file if
- * `HardcodedDataInterpretedAsCode::Configuration` is needed, otherwise
+ * `HardcodedDataInterpretedAsCodeFlow` is needed, otherwise
  * `HardcodedDataInterpretedAsCodeCustomizations` should be imported instead.
  */
 
@@ -16,11 +16,9 @@ import HardcodedDataInterpretedAsCodeCustomizations::HardcodedDataInterpretedAsC
  * A taint-tracking configuration for reasoning about hard-coded data
  * being interpreted as code.
  *
- * We extend `DataFlow::Configuration` rather than
- * `TaintTracking::Configuration`, so that we can set the flow state to
- * `"taint"` on a taint step.
+ * DEPRECATED: Use `HardcodedDataInterpretedAsCodeFlow` instead
  */
-class Configuration extends DataFlow::Configuration {
+deprecated class Configuration extends DataFlow::Configuration {
   Configuration() { this = "HardcodedDataInterpretedAsCode" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowState label) {
@@ -46,3 +44,34 @@ class Configuration extends DataFlow::Configuration {
     stateTo = FlowState::taint()
   }
 }
+
+/*
+ * We implement `DataFlow::ConfigSig` rather than
+ * `TaintTracking::ConfigSig`, so that we can set the flow state to
+ * `"taint"` on a taint step.
+ */
+
+private module Config implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowState;
+
+  predicate isSource(DataFlow::Node source, FlowState label) { source.(Source).getLabel() = label }
+
+  predicate isSink(DataFlow::Node sink, FlowState label) { sink.(Sink).getLabel() = label }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
+    DataFlow::FlowState stateTo
+  ) {
+    defaultAdditionalTaintStep(nodeFrom, nodeTo) and
+    // This is a taint step, so the flow state becomes `taint`.
+    stateFrom = [FlowState::data(), FlowState::taint()] and
+    stateTo = FlowState::taint()
+  }
+}
+
+/**
+ * Taint-tracking for reasoning about hard-coded data being interpreted as code.
+ */
+module HardcodedDataInterpretedAsCodeFlow = DataFlow::GlobalWithState<Config>;

ruby/ql/src/queries/security/cwe-506/HardcodedDataInterpretedAsCode.ql

@@ -12,12 +12,13 @@
  *       external/cwe/cwe-506
  */
 
-import codeql.ruby.security.HardcodedDataInterpretedAsCodeQuery
-import codeql.ruby.DataFlow
-import DataFlow::PathGraph
+private import codeql.ruby.security.HardcodedDataInterpretedAsCodeQuery
+private import HardcodedDataInterpretedAsCodeFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from
+  HardcodedDataInterpretedAsCodeFlow::PathNode source,
+  HardcodedDataInterpretedAsCodeFlow::PathNode sink
+where HardcodedDataInterpretedAsCodeFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "$@ is interpreted as " + sink.getNode().(Sink).getKind() + ".", source.getNode(),
   "Hard-coded data"