Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ruby: Add Module#const_get as a code execution #7419

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Ruby: Add Module#const_get as a code execution #7419

wants to merge 1 commit into from

Conversation

@hmac
Copy link
Contributor

@hmac hmac commented Dec 16, 2021

Module#const_get takes a single string argument and interprets it as the
name of a constant. It then looks up the constant and returns its value.

Object.const_get("Math::PI")
# => 3.141592653589793

By itself, this method is not as dangerous as e.g. eval, but if the
value returned is a class that is then instantiated, this can allow an
attacker to instantiate arbitrary Ruby classes.

As a result, I think it's safe to say that any remote input flowing into
this call is a potential vulnerability. A real-world example of this is
GHSA-52p9-v744-mwjj.
@github-actions github-actions bot added the Ruby label Dec 16, 2021
@hmac hmac marked this pull request as ready for review Dec 16, 2021
@hmac hmac requested a review from as a code owner Dec 16, 2021
nickrolfe
nickrolfe reviewed Dec 17, 2021
View changes
ruby/ql/lib/codeql/ruby/frameworks/StandardLibrary.qll
*/
class ModuleConstGetCallCodeExecution extends CodeExecution::Range, DataFlow::CallNode {
ModuleConstGetCallCodeExecution() {
this.asExpr().getExpr().(UnknownMethodCall).getMethodName() = "const_get"
Copy link
Contributor

@nickrolfe nickrolfe Dec 17, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little unsure about casting to UnknownMethodCall. Is the idea that all bets are off if the project redefines Module#const_get?

Copy link
Contributor Author

@hmac hmac Dec 21, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I know, going via UnknownMethodCall is currently the only way to identify calls to methods inherited from Module, Object, Kernel etc. I think to do better, we'd need to improve API graphs with subclass/inheritance knowledge so that it can determine that something like

module Foo
  const_get "A"
end

is a call to Module#const_get.

So that's the reason I used UnknownMethodCall here. I hadn't thought about the case where the project redefines const_get - I think that should be quite rare, though?

Copy link
Contributor

@nickrolfe nickrolfe Dec 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, that makes sense.

I think that should be quite rare, though?

Yeah, I expect so.

@hmac hmac force-pushed the hmac/const-get branch from e9652ac to a4760f2 Dec 21, 2021
@hmac
Ruby: Add Module#const_get as a code execution
43ddc54 
Module#const_get takes a single string argument and interprets it as the
name of a constant. It then looks up the constant and returns its value.

    Object.const_get("Math::PI")
    # => 3.141592653589793

By itself, this method is not as dangerous as e.g. eval, but if the
value returned is a class that is then instantiated, this can allow an
attacker to instantiate arbitrary Ruby classes.

As a result, I think it's safe to say that any remote input flowing into
this call is a potential vulnerability. A real-world example of this is
GHSA-52p9-v744-mwjj.
@hmac hmac force-pushed the hmac/const-get branch from a4760f2 to 43ddc54 Jan 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nickrolfe nickrolfe

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Ruby
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet
2 participants
@hmac @nickrolfe