Finding the Command Injection flow in Railsgoat #15642
Replies: 2 comments
-
Hi, I agree with your assessment that the issue is likely a lack of taint flow from A potential solution would be to add a flow summary stating that, in a call to private import codeql.ruby.dataflow.FlowSummary
private class OriginalFilenameSummary extends SimpleSummarizedCallable {
OriginalFilenameSummary() { this = "original_filename" }
override predicate propagatesFlow(string input, string output, boolean preservesValue) {
input = "Argument[self]" and
output = "ReturnValue" and
preservesValue = false
}
} This summary fills in the gap by giving the dataflow analysis additional information about the functionality of |
Beta Was this translation helpful? Give feedback.
-
Thank you for your explanation! I just got there in the end by adding this to my dataflow config: predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
exists(Ast::MethodCall c |
c.getReceiver() = fromNode.asExpr().getExpr() and
toNode.asExpr().getExpr() = c)
} ... But your solution seems to be a lot more precise than this. |
Beta Was this translation helpful? Give feedback.
-
Railsgoat is a delibarately vulnerable Ruby on Rails application and has a Command Injection vulnerability: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection
The built-in
CommandInjectionQuery.ql
didn't return any results so I set out to write my own query:which unsurprisingly didn't turn up any results either, so I tried debugging my dataflow query using partial flow:
which finds the flow to
file
in the constructed string argument tosystem
with a distance of 3. It feels like this is similar to: #14092 Is it that thefile
variable is tainted, but the access tofile.original_filename
is not? I allowed implicit reads at the sink to my dataflow config like this:But that didn't find the flow either. How can I debug my query further?
Beta Was this translation helpful? Give feedback.
All reactions