feat: ruby rule for CWE-94 eval using user input (#587)

Bearer · Feb 16, 2023 · 3214c9a · 3214c9a
1 parent 782ff6e
commit 3214c9a
Show file tree

Hide file tree

Showing 10 changed files with 371 additions and 0 deletions.
diff --git a/integration/rules/ruby_test.go b/integration/rules/ruby_test.go
@@ -13,6 +13,12 @@ func TestRubyLangDeserializationOfUserInputSummary(t *testing.T) {
 	t.Parallel()
 	runRulesTest("ruby/lang/deserialization_of_user_input", "summary", "ruby_lang_deserialization_of_user_input", t)
 }
+
+func TestRubyLangEvalUsingUserInput(t *testing.T) {
+	t.Parallel()
+	runRulesTest("ruby/lang/eval_using_user_input", "summary", "ruby_lang_eval_using_user_input", t)
+}
+
 func TestRubyLangFileGenerationSummary(t *testing.T) {
 	t.Parallel()
 	runRulesTest("ruby/lang/file_generation", "summary", "ruby_lang_file_generation", t)

diff --git a/pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input.yml b/pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input.yml
@@ -0,0 +1,57 @@
+patterns:
+  - pattern: |
+      RubyVM::InstructionSequence.compile($<USER_INPUT>$<...>)
+    filters:
+      - variable: USER_INPUT
+        detection: ruby_lang_eval_using_user_input_user_input
+  - pattern: |
+      $<_>.$<METHOD>($<USER_INPUT>$<...>)
+    filters:
+      - variable: METHOD
+        values:
+          - eval
+          - instance_eval
+          - class_eval
+          - module_eval
+      - variable: USER_INPUT
+        detection: ruby_lang_eval_using_user_input_user_input
+  - pattern: |
+      $<METHOD>($<USER_INPUT>$<...>)
+    filters:
+      - variable: METHOD
+        values:
+          - eval
+          - instance_eval
+          - class_eval
+          - module_eval
+      - variable: USER_INPUT
+        detection: ruby_lang_eval_using_user_input_user_input
+auxiliary:
+  - id: ruby_lang_eval_using_user_input_user_input
+    patterns:
+      - params
+      - request
+      - cookies
+      - | # AWS lambda
+        def $<_>($<!>event:, context:)
+        end
+languages:
+  - ruby
+trigger: presence
+severity:
+  default: high # FIXME
+metadata:
+  description: "Do not generate code using user input."
+  remediation_message: |
+    ## Description
+
+    TODO
+
+    ## Remediations
+    TODO
+    <!--
+    ## Resources
+    Coming soon.
+    -->
+  dsr_id: DSR-? # FIXME
+  id: ruby_lang_eval_using_user_input
diff --git a/...s/TestRubyLangEvalUsingUserInput-summary_ruby_lang_eval_using_user_input_ok_not_unsafe.rb b/...s/TestRubyLangEvalUsingUserInput-summary_ruby_lang_eval_using_user_input_ok_not_unsafe.rb
@@ -0,0 +1,5 @@
+{}
+
+
+--
+
diff --git a/...ts/TestRubyLangEvalUsingUserInput-summary_ruby_lang_eval_using_user_input_unsafe_event.rb b/...ts/TestRubyLangEvalUsingUserInput-summary_ruby_lang_eval_using_user_input_unsafe_event.rb
@@ -0,0 +1,77 @@
+high:
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 2
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_event.rb
+      parent_line_number: 2
+      parent_content: RubyVM::InstructionSequence.compile(event["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 4
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_event.rb
+      parent_line_number: 4
+      parent_content: a.eval(event["oops"], "test")
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 6
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_event.rb
+      parent_line_number: 6
+      parent_content: a.instance_eval(event["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 8
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_event.rb
+      parent_line_number: 8
+      parent_content: a.class_eval(event["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 10
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_event.rb
+      parent_line_number: 10
+      parent_content: a.module_eval(event["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 12
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_event.rb
+      parent_line_number: 12
+      parent_content: eval(event["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 14
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_event.rb
+      parent_line_number: 14
+      parent_content: instance_eval(event["oops"], "test")
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 16
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_event.rb
+      parent_line_number: 16
+      parent_content: class_eval(event["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 18
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_event.rb
+      parent_line_number: 18
+      parent_content: module_eval(event["oops"])
+
+
+--
+
diff --git a/...s/TestRubyLangEvalUsingUserInput-summary_ruby_lang_eval_using_user_input_unsafe_params.rb b/...s/TestRubyLangEvalUsingUserInput-summary_ruby_lang_eval_using_user_input_unsafe_params.rb
@@ -0,0 +1,77 @@
+high:
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 1
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_params.rb
+      parent_line_number: 1
+      parent_content: RubyVM::InstructionSequence.compile(params["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 3
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_params.rb
+      parent_line_number: 3
+      parent_content: a.eval(params["oops"], "test")
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 5
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_params.rb
+      parent_line_number: 5
+      parent_content: a.instance_eval(params["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 7
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_params.rb
+      parent_line_number: 7
+      parent_content: a.class_eval(params["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 9
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_params.rb
+      parent_line_number: 9
+      parent_content: a.module_eval(params["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 11
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_params.rb
+      parent_line_number: 11
+      parent_content: eval(params["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 13
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_params.rb
+      parent_line_number: 13
+      parent_content: instance_eval(params["oops"], "test")
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 15
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_params.rb
+      parent_line_number: 15
+      parent_content: class_eval(params["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 17
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_params.rb
+      parent_line_number: 17
+      parent_content: module_eval(params["oops"])
+
+
+--
+
diff --git a/.../TestRubyLangEvalUsingUserInput-summary_ruby_lang_eval_using_user_input_unsafe_request.rb b/.../TestRubyLangEvalUsingUserInput-summary_ruby_lang_eval_using_user_input_unsafe_request.rb
@@ -0,0 +1,77 @@
+high:
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 1
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_request.rb
+      parent_line_number: 1
+      parent_content: RubyVM::InstructionSequence.compile(request.env["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 3
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_request.rb
+      parent_line_number: 3
+      parent_content: a.eval(request.env["oops"], "test")
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 5
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_request.rb
+      parent_line_number: 5
+      parent_content: a.instance_eval(request.env["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 7
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_request.rb
+      parent_line_number: 7
+      parent_content: a.class_eval(request.env["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 9
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_request.rb
+      parent_line_number: 9
+      parent_content: a.module_eval(request.env["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 11
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_request.rb
+      parent_line_number: 11
+      parent_content: eval(request.env["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 13
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_request.rb
+      parent_line_number: 13
+      parent_content: instance_eval(request.env["oops"], "test")
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 15
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_request.rb
+      parent_line_number: 15
+      parent_content: class_eval(request.env["oops"])
+    - rule_dsrid: DSR-?
+      rule_display_id: ruby_lang_eval_using_user_input
+      rule_description: Do not generate code using user input.
+      rule_documentation_url: https://curio.sh/reference/rules/ruby_lang_eval_using_user_input
+      line_number: 17
+      filename: pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_request.rb
+      parent_line_number: 17
+      parent_content: module_eval(request.env["oops"])
+
+
+--
+
diff --git a/...commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/ok_not_unsafe.rb b/...commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/ok_not_unsafe.rb
@@ -0,0 +1,19 @@
+event = not_from_handler
+
+RubyVM::InstructionSequence.compile(event["ok"])
+
+a.eval(x, "test")
+
+a.instance_eval("something")
+
+a.class_eval(x)
+
+a.module_eval(x)
+
+eval("foo")
+
+instance_eval(x)
+
+class_eval(x)
+
+module_eval(x)
diff --git a/pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_event.rb b/pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_event.rb
@@ -0,0 +1,19 @@
+def handler(event:, context:)
+  RubyVM::InstructionSequence.compile(event["oops"])
+
+  a.eval(event["oops"], "test")
+
+  a.instance_eval(event["oops"])
+
+  a.class_eval(event["oops"])
+
+  a.module_eval(event["oops"])
+
+  eval(event["oops"])
+
+  instance_eval(event["oops"], "test")
+
+  class_eval(event["oops"])
+
+  module_eval(event["oops"])
+end
diff --git a/...commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_params.rb b/...commands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_params.rb
@@ -0,0 +1,17 @@
+RubyVM::InstructionSequence.compile(params["oops"])
+
+a.eval(params["oops"], "test")
+
+a.instance_eval(params["oops"])
+
+a.class_eval(params["oops"])
+
+a.module_eval(params["oops"])
+
+eval(params["oops"])
+
+instance_eval(params["oops"], "test")
+
+class_eval(params["oops"])
+
+module_eval(params["oops"])
diff --git a/...ommands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_request.rb b/...ommands/process/settings/rules/ruby/lang/eval_using_user_input/testdata/unsafe_request.rb
@@ -0,0 +1,17 @@
+RubyVM::InstructionSequence.compile(request.env["oops"])
+
+a.eval(request.env["oops"], "test")
+
+a.instance_eval(request.env["oops"])
+
+a.class_eval(request.env["oops"])
+
+a.module_eval(request.env["oops"])
+
+eval(request.env["oops"])
+
+instance_eval(request.env["oops"], "test")
+
+class_eval(request.env["oops"])
+
+module_eval(request.env["oops"])