Add a query for URL redirect vulnerabilities

This query finds instances of CWE-601: Redirection to Untrusted Site.

The structure is copied from a query of the same name in the Python
library. We add customisations specific to `ActionController`.

Author: hmac

ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -154,6 +154,25 @@ class RedirectToCall extends ActionControllerContextCall {
   }
 }
 
+/**
+ * A call to the `redirect_to` method, as an `HttpRedirectResponse`.
+ */
+class ActionControllerRedirectResponse extends HTTP::Server::HttpRedirectResponse::Range {
+  RedirectToCall redirectToCall;
+
+  ActionControllerRedirectResponse() { this.asExpr().getExpr() = redirectToCall }
+
+  override DataFlow::Node getBody() { none() }
+
+  override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
+
+  override string getMimetypeDefault() { none() }
+
+  override DataFlow::Node getRedirectLocation() {
+    result.asExpr().getExpr() = redirectToCall.getRedirectUrl()
+  }
+}
+
 /**
  * A method in an `ActionController` class that is accessible from within a
  * Rails view as a helper method. For instance, in:

ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll

@@ -0,0 +1,126 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting "URL
+ * redirection" vulnerabilities, as well as extension points for adding your
+ * own.
+ */
+
+private import ruby
+private import codeql.ruby.DataFlow
+private import codeql.ruby.Concepts
+private import codeql.ruby.dataflow.RemoteFlowSources
+private import codeql.ruby.dataflow.BarrierGuards
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "URL redirection" vulnerabilities, as well as extension points for
+ * adding your own.
+ */
+module UrlRedirect {
+  /**
+   * A data flow source for "URL redirection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "URL redirection" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "URL redirection" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for "URL redirection" vulnerabilities.
+   */
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * Additional taint steps for "URL redirection" vulnerabilities.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    taintStepViaMethodCallReturnValue(node1, node2)
+  }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A HTTP redirect response, considered as a flow sink.
+   */
+  class RedirectLocationAsSink extends Sink {
+    RedirectLocationAsSink() {
+      exists(HTTP::Server::HttpRedirectResponse e |
+        this = e.getRedirectLocation() and
+        // As a rough heuristic, assume that methods with these names are handlers for POST/PUT/PATCH/DELETE requests,
+        // which are not as vulnerable to URL redirection because browsers will not initiate them from clicking a link.
+        not this.getEnclosingCallable()
+            .(Method)
+            .getName()
+            .regexpMatch(".*(create|update|destroy).*")
+      )
+    }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+
+  /**
+   * Some methods will propagate taint to their return values.
+   * Here we cover a few common ones related to `ActionController::Parameters`.
+   * TODO: use ApiGraphs or something to restrict these method calls to the correct receiver, rather
+   * than matching on method name alone.
+   */
+  predicate taintStepViaMethodCallReturnValue(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(MethodCall m | m = node2.asExpr().getExpr() |
+      m.getReceiver() = node1.asExpr().getExpr() and
+      (actionControllerTaintedMethod(m) or hashTaintedMethod(m))
+    )
+  }
+
+  /**
+   * String interpolation is considered safe, provided the string is prefixed by a non-tainted value.
+   * In most cases this will prevent the tainted value from controlling e.g. the host of the URL.
+   *
+   * For example:
+   *
+   * ```ruby
+   * redirect_to "/users/#{params[:key]}" # safe
+   * redirect_to "#{params[:key]}/users"  # unsafe
+   * ```
+   *
+   * There are prefixed interpolations that are not safe, e.g.
+   *
+   * ```ruby
+   * redirect_to "foo#{params[:key]}/users" # => "foo-malicious-site.com/users"
+   * ```
+   *
+   * We currently don't catch these cases.
+   */
+  class StringInterpolationAsSanitizer extends Sanitizer {
+    StringInterpolationAsSanitizer() {
+      exists(StringlikeLiteral str, int n | str.getComponent(n) = this.asExpr().getExpr() and n > 0)
+    }
+  }
+
+  /**
+   * These methods return a new `ActionController::Parameters` or a `Hash` containing a subset of
+   * the original values. This may still contain user input, so the results are tainted.
+   * TODO: flesh this out to cover the whole API.
+   */
+  predicate actionControllerTaintedMethod(MethodCall m) {
+    m.getMethodName() in ["to_unsafe_hash", "to_unsafe_h", "permit", "require"]
+  }
+
+  /**
+   * These `Hash` methods preserve taint because they return a new hash which may still contain keys
+   * with user input.
+   * TODO: flesh this out to cover the whole API.
+   */
+  predicate hashTaintedMethod(MethodCall m) { m.getMethodName() in ["merge", "fetch"] }
+}

ql/lib/codeql/ruby/security/UrlRedirectQuery.qll

@@ -0,0 +1,34 @@
+/**
+ * Provides a taint-tracking configuration for detecting "URL redirection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if `Configuration` is needed,
+ * otherwise `UrlRedirectCustomizations` should be imported instead.
+ */
+
+private import ruby
+import codeql.ruby.DataFlow::DataFlow::PathGraph
+import codeql.ruby.DataFlow
+import codeql.ruby.TaintTracking
+import UrlRedirectCustomizations
+import UrlRedirectCustomizations::UrlRedirect
+
+/**
+ * A taint-tracking configuration for detecting "URL redirection" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "UrlRedirect" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    UrlRedirect::isAdditionalTaintStep(node1, node2)
+  }
+}

ql/src/queries/security/cwe-601/UrlRedirect.qhelp

@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly incorporating user input into a URL redirect request without validating the input
+can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a
+malicious site that looks very similar to the real site they intend to visit, but which is
+controlled by the attacker.
+</p>
+</overview>
+
+<recommendation>
+<p>
+To guard against untrusted URL redirection, it is advisable to avoid putting user input
+directly into a redirect URL. Instead, maintain a list of authorized
+redirects on the server; then choose from that list based on the user input provided.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows an HTTP request parameter being used directly in a URL redirect
+without validating the input, which facilitates phishing attacks:
+</p>
+
+<sample src="examples/redirect_bad.rb"/>
+
+<p>
+One way to remedy the problem is to validate the user input against a known fixed string
+before doing the redirection:
+</p>
+
+<sample src="examples/redirect_good.rb"/>
+</example>
+
+<references>
+<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html">
+  XSS Unvalidated Redirects and Forwards Cheat Sheet</a>.</li>
+<li>Rails Guides: <a href="https://guides.rubyonrails.org/security.html#redirection-and-files">
+  Redirection and Files</a>.</li>
+</references>
+
+</qhelp>

ql/src/queries/security/cwe-601/UrlRedirect.ql

@@ -0,0 +1,22 @@
+/**
+ * @name URL redirection from remote source
+ * @description URL redirection based on unvalidated user input
+ *              may cause redirection to malicious web sites.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 6.1
+ * @sub-severity low
+ * @id rb/url-redirection
+ * @tags security
+ *       external/cwe/cwe-601
+ * @precision high
+ */
+
+import ruby
+import codeql.ruby.security.UrlRedirectQuery
+import codeql.ruby.DataFlow::DataFlow::PathGraph
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(),
+  "a user-provided value"

ql/src/queries/security/cwe-601/examples/redirect_bad.rb

@@ -0,0 +1,5 @@
+class HelloController < ActionController::Base
+  def hello
+    redirect_to params[:url]
+  end
+end

ql/src/queries/security/cwe-601/examples/redirect_good.rb

@@ -0,0 +1,11 @@
+class HelloController < ActionController::Base
+  VALID_REDIRECT = "http://cwe.mitre.org/data/definitions/601.html"
+
+  def hello
+    if params[:url] == VALID_REDIRECT
+      redirect_to params[:url]
+    else
+      # error
+    end
+  end
+end

ql/test/query-tests/security/cwe-601/UrlRedirect.expected

@@ -0,0 +1,25 @@
+edges
+| UrlRedirect.rb:9:17:9:22 | call to params :  | UrlRedirect.rb:9:17:9:28 | ...[...] |
+| UrlRedirect.rb:14:17:14:22 | call to params :  | UrlRedirect.rb:14:17:14:43 | call to fetch |
+| UrlRedirect.rb:19:17:19:22 | call to params :  | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash |
+| UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:24:17:24:37 | call to filter_params |
+| UrlRedirect.rb:34:20:34:25 | call to params :  | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" |
+nodes
+| UrlRedirect.rb:4:17:4:22 | call to params | semmle.label | call to params |
+| UrlRedirect.rb:9:17:9:22 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:9:17:9:28 | ...[...] | semmle.label | ...[...] |
+| UrlRedirect.rb:14:17:14:22 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:14:17:14:43 | call to fetch | semmle.label | call to fetch |
+| UrlRedirect.rb:19:17:19:22 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | semmle.label | call to to_unsafe_hash |
+| UrlRedirect.rb:24:17:24:37 | call to filter_params | semmle.label | call to filter_params |
+| UrlRedirect.rb:24:31:24:36 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | semmle.label | "#{...}/foo" |
+| UrlRedirect.rb:34:20:34:25 | call to params :  | semmle.label | call to params :  |
+#select
+| UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | Untrusted URL redirection due to $@. | UrlRedirect.rb:4:17:4:22 | call to params | a user-provided value |
+| UrlRedirect.rb:9:17:9:28 | ...[...] | UrlRedirect.rb:9:17:9:22 | call to params :  | UrlRedirect.rb:9:17:9:28 | ...[...] | Untrusted URL redirection due to $@. | UrlRedirect.rb:9:17:9:22 | call to params | a user-provided value |
+| UrlRedirect.rb:14:17:14:43 | call to fetch | UrlRedirect.rb:14:17:14:22 | call to params :  | UrlRedirect.rb:14:17:14:43 | call to fetch | Untrusted URL redirection due to $@. | UrlRedirect.rb:14:17:14:22 | call to params | a user-provided value |
+| UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | UrlRedirect.rb:19:17:19:22 | call to params :  | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | Untrusted URL redirection due to $@. | UrlRedirect.rb:19:17:19:22 | call to params | a user-provided value |
+| UrlRedirect.rb:24:17:24:37 | call to filter_params | UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:24:17:24:37 | call to filter_params | Untrusted URL redirection due to $@. | UrlRedirect.rb:24:31:24:36 | call to params | a user-provided value |
+| UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | UrlRedirect.rb:34:20:34:25 | call to params :  | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | Untrusted URL redirection due to $@. | UrlRedirect.rb:34:20:34:25 | call to params | a user-provided value |

ql/test/query-tests/security/cwe-601/UrlRedirect.qlref

@@ -0,0 +1 @@
+queries/security/cwe-601/UrlRedirect.ql

ql/test/query-tests/security/cwe-601/UrlRedirect.rb

@@ -0,0 +1,59 @@
+class UsersController < ActionController::Base
+  # BAD
+  def route1
+    redirect_to params
+  end
+
+  # BAD
+  def route2
+    redirect_to params[:key]
+  end
+
+  # BAD
+  def route3
+    redirect_to params.fetch(:specific_arg)
+  end
+
+  # BAD
+  def route4
+    redirect_to params.to_unsafe_hash
+  end
+
+  # BAD
+  def route5
+    redirect_to filter_params(params)
+  end
+
+  # GOOD
+  def route6
+    redirect_to "/foo/#{params[:key]}"
+  end
+
+  # BAD
+  def route7
+    redirect_to "#{params[:key]}/foo"
+  end
+
+  # GOOD
+  def route8
+    key = params[:key]
+    if key == "foo"
+      redirect_to key
+    else
+      redirect_to "/default"
+    end
+  end
+
+  # GOOD
+  # Technically vulnerable, but we assume this is a handler for a POST request,
+  # so can't be triggered by following a link.
+  def create
+    redirect_to params[:key]
+  end
+
+  private
+
+  def filter_params(input_params)
+    input_params.permit(:key)
+  end
+end