Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ruby: add library input as a source for rb/polynomial-redos #10782

Merged
merged 5 commits into from
Feb 13, 2023
Merged

Ruby: add library input as a source for rb/polynomial-redos #10782

merged 5 commits into from
Feb 13, 2023

Conversation

erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Oct 11, 2022
edited
Loading

CVE-2022-24836: TP/TN
CVE-2021-22880: TP/TN
CVE-2021-4250: TP/TN
CVE-2023-22796: TP/TN
CVE-2022-4891: TP
CVE-2023-22799: TP (source is protected method. TP with #11879).

Evaluation looks as expected.
No performance regression, and a bunch of results.
The results are a bit noisy, but there are a lot of CVEs from this kind of issue, so people care about it.

Another larger evaluation.

@github github deleted a comment from github-actions bot Oct 11, 2022
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 11, 2022
View reviewed changes
ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql Outdated
Comment on lines 21 to 30
from
PolynomialReDoS::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
PolynomialReDoS::Sink sinkNode, PolynomialBackTrackingTerm regexp
where
config.hasFlowPath(source, sink) and
sinkNode = sink.getNode() and
regexp = sinkNode.getRegExp()
select sinkNode.getHighlight(), source, sink,
"This $@ that depends on a $@ may run slow on strings " + regexp.getPrefixMessage() +
"with many repetitions of '" + regexp.getPumpString() + "'.", regexp, "regular expression",
source.getNode(), "user-provided value"
source.getNode(), source.getNode().(PolynomialReDoS::Source).describe()

Check warning

Code scanning / CodeQL

Consistent alert message

The rb/polynomial-redos query does not have the same alert message as js.
@erik-krogh erik-krogh mentioned this pull request Oct 12, 2022
Merged
@erik-krogh erik-krogh marked this pull request as ready for review November 9, 2022 11:47
@erik-krogh erik-krogh requested a review from a team as a code owner November 9, 2022 11:47
@erik-krogh erik-krogh mentioned this pull request Nov 21, 2022
Merged
@erik-krogh
Copy link
Contributor Author

Rebased to include #11358 in a clean way.

@hmac
Copy link
Contributor

hmac commented Nov 29, 2022
edited
Loading

I've looked through a bunch of the results in the LGTM run and ~90% of them look quite legitimate, so I don't feel so concerned about the noise potential of this change. I think we should consider changing the precision for this query and take some care when deploying this change, but overall I think it is probably fine 👍.

I've not looked at the code change itself (yet).

hmac
hmac reviewed Jan 9, 2023
View reviewed changes
ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSCustomizations.qll Outdated
@@ -53,6 +59,15 @@ module PolynomialReDoS {
*/
class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }

import codeql.ruby.frameworks.core.Gem::Gem as Gem
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this not equivalent to import codeql.ruby.frameworks.core.Gem? Also, should this be a private import?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes that would be equivalent, and yes that should be private.

I want to keep the more verbose version though. I just like that style sometimes.

hmac
hmac reviewed Jan 9, 2023
View reviewed changes
ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/poly-redos.gemspec
s.name = 'poly-redos'
s.require_path = "lib"
end

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(nit)

Something is a bit off with the formatting here. end should align with Gem and ideally there should be a newline at the end of the file, rather than whatever whitespace I guess is on L5.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that happens when I copy-paste the .gemspec from one test to the other.
So this formatting error will probably also appear in other PRs.

But yeah, I'm not going to fix it.

hmac
hmac previously approved these changes Jan 9, 2023
View reviewed changes
Copy link
Contributor

@hmac hmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry this took so long! 👍 with the caveat that I'm not 100% sure a precision of high is still accurate, but I'll leave that to your judgement.

@erik-krogh erik-krogh requested a review from hmac January 24, 2023 20:00
hmac
hmac previously approved these changes Jan 25, 2023
View reviewed changes
@erik-krogh erik-krogh requested a review from hmac February 13, 2023 09:46
@erik-krogh
Copy link
Contributor Author

Merge with main to fix merge-conflict in .expected file.
Can I get a final review?

@erik-krogh erik-krogh merged commit 2f404df into github:main Feb 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hmac hmac hmac approved these changes

@aibaars aibaars Awaiting requested review from aibaars

Assignees
No one assigned
Labels
documentation Ruby
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@erik-krogh @hmac