RubyGems - tainted_love - Versions diffs - 0.1.5 → 0.4.0 - Mend

tainted_love 0.1.5 → 0.4.0

Files changed (169) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d1fb2f3caa7c9d1c2ad65cd39008d98e7b3d4b90f2fefaa6271651b33a279ba3
-  data.tar.gz: 56a20ce9ecde810993e9d62475097c8187f14143ea9e6f7ab8d7e79ecd4b1f90
+  metadata.gz: ea2bb8edc59c047e25dfca2ee1e8375a008ccf93c4e98e4746854c404cc7d11d
+  data.tar.gz: c23dd71cd581ab0a27e3df8d9e137f91cf203cefabb304b7761bb86f7a44f1b3
 SHA512:
-  metadata.gz: 31b432b1a5745084e7c3bc4efcae14a1d20bfba8ad8ac47ea5412d1895cc6c648717bc00ca3463e2192f53108dadba9feb74701909e09778c33be621046ed938
-  data.tar.gz: f6903f74b1d35abda62cb44879bc45b745c7f3bdae96a02eed6bcda7cbf8d0e39a4402328238f7a984c62393ca6a9bbc121cf661f32c488b5b61659d1947e7e6
+  metadata.gz: b8ae7c54209f62bc4ecf0257b470bdc2733b93b69f35635b40555cd6f42eb479755a69e0a971016a1d164071801db4af7e7ae5f933b44b211140ab3c4ca5f688
+  data.tar.gz: c5e76a2da036357ba6a73c3a01c01d717362077adfd29bbfe0b5b2ed4ce0b95fa6fe13e3c05bad779669c8eaf024ea32184e8b5b79aedbdcc435565e94eee6c0

data/Gemfile.lock CHANGED

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    tainted_love (0.1.5)
+    tainted_love (0.4.0)
 GEM
   remote: https://rubygems.org/

data/README.md CHANGED

@@ -76,6 +76,7 @@ Model.where(tainted_input)
 Model.select(tainted_input)
 Model.find_by_sql(tainted_input)
 Model.count_by_sql(tainted_input)
+Model.order(tainted_input)
 ```
 ## Development
@@ -83,6 +84,7 @@ Model.count_by_sql(tainted_input)
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+To install this gem onto your local machine, run `bundle exec rake install`.
 ## Contributing

data/bin/setup CHANGED

@@ -5,6 +5,6 @@ set -vx
 bundle install
-cd example
-bundle install
+for path in tests/*/Gemfile; do
+    bundle install --gemfile=$path
+done

data/bin/test CHANGED

@@ -3,5 +3,9 @@
 set -e
 bundle exec rake
-cd example
-rails test
+for path in tests/*; do
+    cd $path
+    ./test.sh
+    cd ../..
+done

data/dev.yml CHANGED

@@ -8,7 +8,7 @@ up:
   - ruby: 2.5.3
   - bundler
   - bundler:
-      gemfile: example/Gemfile
+      gemfile: tests/rails/Gemfile
 commands:
   console:

data/lib/tainted_love.rb CHANGED

@@ -11,7 +11,7 @@ module TaintedLove
     # Enables TaintedLove. Use a block to configure the TaintedLove::Configuration
     #
     # @yield [TaintedLove::Configuration]
-    # @returns [TaintedLove::Configuration]
+    # @return [TaintedLove::Configuration]
     def enable!
       configuration = TaintedLove::Configuration.new
@@ -48,7 +48,7 @@ module TaintedLove
       warning.message = message
       should_remove = @configuration.validators.any? do |validator|
-        validator.new.remove?(warning)
+        validator.new.remove?(warning) == true
       end
       @configuration.reporter.add_warning(warning) unless should_remove

data/lib/tainted_love/replacer/base.rb CHANGED

@@ -15,10 +15,14 @@ module TaintedLove
       #
       # @return [Array<Class>]
       def self.replacers
-        TaintedLove::Replacer.constants.map do |const|
+        replacers = TaintedLove::Replacer.constants.map do |const|
           cls = TaintedLove::Replacer.const_get(const)
           cls if cls.method_defined?(:replace!)
         end.compact
+        replacers -= [TaintedLove::Replacer::ReplaceObject]
+        [TaintedLove::Replacer::ReplaceObject] + replacers
       end
     end
   end

data/lib/tainted_love/replacer/replace_action_controller.rb CHANGED

@@ -51,10 +51,6 @@ module TaintedLove
             end
           end
         end
-        TaintedLove.proxy_method('ActionController::Base', :redirect_to) do |_, *args|
-          TaintedLove.report(:ReplaceActionController, args.first, [:open_redirect]) if args.first.tainted?
-        end
       end
     end
   end

data/lib/tainted_love/replacer/replace_active_record.rb CHANGED

@@ -19,11 +19,20 @@ module TaintedLove
           end
         end
+        TaintedLove.proxy_method('ActiveRecord::QueryMethods', :order) do |_, *args|
+          unless args.empty?
+            f = args.first
+            if f.is_a?(String) && f.tainted?
+              TaintedLove.report(:ReplaceActiveRecord, f, [:sqli], 'Model.order using tainted string')
+            end
+          end
+        end
         TaintedLove.proxy_method('ActiveRecord::QueryMethods', :select) do |_, *args|
           unless args.empty?
             f = args.first
             if f.is_a?(String) && f.tainted?
-              TaintedLove.report(:ReplaceActiveRecord, f, [:sqli], 'Model#select using tainted string')
+              TaintedLove.report(:ReplaceActiveRecord, f, [:sqli], 'Model.select using tainted string')
             end
           end
         end
@@ -38,6 +47,17 @@ module TaintedLove
               super(*args)
             end
           end
+          # Removes taint on string have been sanitized, unless the first argument is tainted
+          def sanitize_sql_array(ary)
+            return_value = super(ary)
+            if ary.first.tainted?
+              return_value.taint
+            else
+              return_value.untaint
+            end
+          end
         end
         ActiveRecord::Base.extend(mod)

data/lib/tainted_love/replacer/replace_graphql.rb ADDED

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+module TaintedLove
+  module Replacer
+    class ReplaceGraphQL < Base
+      def should_replace?
+        Gem.loaded_specs.has_key?('graphql') # fixme: very bundler specific
+      end
+      def replace!
+        require 'graphql'
+        GraphQL::Query::Arguments::ArgumentValue.class_eval do
+          def value
+            return @value if default_used?
+            @tainted_value ||= @value.dup.taint
+            TaintedLove.tag(@tainted_value, { source: "GraphQL argument #{key.inspect}", value: @tainted_value })
+            @tainted_value
+          end
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_kernel.rb CHANGED

@@ -10,7 +10,7 @@ module TaintedLove
               :ReplaceKernel,
               args.first,
               [:rce],
-              'Command execution using tainted input'
+              "Kernel##{method} execution using tainted input"
             ) if args.first&.tainted?
           end
         end

data/lib/tainted_love/replacer/replace_object.rb CHANGED

@@ -3,6 +3,8 @@
 module TaintedLove
   module Replacer
     class ReplaceObject < Base
+      TAGS = {}
       def replace!
         mod = Module.new do
           def send(*args, &block)
@@ -18,8 +20,12 @@ module TaintedLove
             super(*args, &block)
           end
-          def tainted_love_tracking
-            @tainted_love_tracking ||= []
+          def tainted_love_tags
+            TAGS[object_id] ||= []
+          end
+          def tainted_love_tags=(tags)
+            TAGS[object_id] = tags
           end
         end

data/lib/tainted_love/replacer/replace_rack_builder.rb ADDED

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+module TaintedLove
+  module Replacer
+    class ReplaceRackBuilder < Base
+      def should_replace?
+        Object.const_defined?('Rack::Builder')
+      end
+      def replace!
+        # Register a middleware that will be the first the receive call and prepare the
+        # env to be correctly tainted. This should be enough for all Rack-based apps
+        TaintedLove.proxy_method('Rack::Builder', :run) do |_, app, builder|
+          builder.use(TaintedLove::Replacer::ReplaceRackBuilder::TaintedLoveRackMiddleware)
+        end
+      end
+      class TaintedLoveRackMiddleware
+        def initialize(app)
+          @app = app
+        end
+        def call(env)
+          @app.call(taint_env(env))
+        end
+        def taint_env(env)
+          uppercase_keys = env.to_h.keys.select { |k| k[/[A-Z]/] }
+          values = {}
+          uppercase_keys.each do |key|
+            new_key = key.dup.taint
+            new_value = env[key].dup.taint
+            TaintedLove.tag(new_key, source: "Key #{key.inspect} Rack env", value: new_key)
+            TaintedLove.tag(new_value, source: "Rack env[#{key.inspect}]", value: new_value)
+            values[new_key] = new_value
+            env.delete(key)
+          end
+          env.merge!(values)
+          env
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_rack_file.rb ADDED

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+module TaintedLove
+  module Replacer
+    class ReplaceRackFile < Base
+      def replace!
+        # Assume that Rack::File is used path that are safe
+        TaintedLove::Utils::Proxy.new('Rack::File', :call) do
+          def before
+            env['PATH_INFO'].untaint
+          end
+          def env
+            arguments.first
+          end
+        end
+        TaintedLove.proxy_method('Rack::File', :initialize) do |_, *args|
+          args.first.untaint
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_rack_query_parser.rb ADDED

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+module TaintedLove
+  module Replacer
+    class ReplaceRackRequest < Base
+      def replace!
+        block = method(:taint_params)
+        TaintedLove.proxy_method('Rack::QueryParser', :parse_nested_query, &block)
+        TaintedLove.proxy_method('Rack::QueryParser', :parse_query, &block)
+      end
+      def taint_params(return_value, *args)
+        # Assume that if tainted input uses this method, it's to parse a query string
+        # It can also be cookies that are being parsed.
+        return unless args.first.tainted?
+        # figure out what is being parsed from the the method that called it
+        name = if Thread.current.backtrace(4).first["`parse_cookies_header'"]
+          'cookies'
+        else
+          'params'
+        end
+        taint = lambda do |params, path|
+          source = name + path.map { |p| "[#{p.inspect}]" }.join
+          if params.is_a?(String)
+            TaintedLove.tag(params.taint, source: source, value: params)
+          end
+          if params.is_a?(Array)
+            params.each.with_index do |value, index|
+              taint.(value, path + [index])
+            end
+          end
+          if params.is_a?(Hash)
+            params.each do |key, value|
+              taint.(value, path + [key])
+            end
+          end
+        end
+        taint.(return_value, [])
+      end
+    end
+  end
+end

data/lib/tainted_love/replacer/replace_rails_user_input.rb CHANGED

@@ -9,50 +9,35 @@ module TaintedLove
       end
       def replace!
-        # taint headers
-        TaintedLove.proxy_method('ActionDispatch::Http::Headers', :[]) do |return_value, *_args|
-          return_value.taint
-        end
         # taint the values loaded from the database
         if Object.const_defined?('ActiveRecord::Base')
           ActiveRecord::Base.after_find do
-            attributes.values.each do |value|
-              value.taint unless value.frozen?
+            attributes.each do |key, value|
+              TaintedLove.tag(value.taint, source: "ActiveRecord attribute #{self.class.to_s}##{key}", value: value)
             end
           end
         end
-        if Object.const_defined?('ActionController::Base')
-          ActionController::Base.class_eval do
-            before_action :taint_params
-            before_action :taint_cookies
-            private
-            def taint_params(value = params)
-              if value.is_a?(ActionController::Parameters) || value.is_a?(ActiveSupport::HashWithIndifferentAccess)
-                value.values.map { |x| x.taint unless x.frozen? }
-                value.values.each { |x| taint_params(x) }
-              else
-                value.taint unless value.frozen?
-              end
-            end
-            def taint_cookies
-              request.cookies.values.each(&:taint)
-            end
-          end
+        TaintedLove.proxy_method('ActionDispatch::Http::Headers', :[]) do |return_value, *args|
+          TaintedLove.tag(return_value.taint, source: "headers[#{args.first.inspect}]", value: return_value)
         end
         # taint params keys
         if Object.const_defined?('ActionController::Parameters')
           ActionController::Parameters.class_eval do
             def keys
-              @parameters.keys.map { |key| key.dup.taint }
+              @parameters.keys.map { |key|
+                TaintedLove.tag(key.dup.taint, source: "Parameter name #{key.inspect}", value: key)
+              }
             end
           end
         end
+        # Transfer tags from String to SafeBuffer
+        TaintedLove.proxy_method('ActiveSupport::SafeBuffer', :initialize) do |return_value, str|
+          return_value.tainted_love_tags = str.tainted_love_tags
+        end
       end
     end
   end

data/lib/tainted_love/replacer/replace_string.rb ADDED

@@ -0,0 +1,69 @@
+module TaintedLove
+  module Replacer
+    class ReplaceString < Base
+      WRAP_METHODS = [
+        :+, :*, :[], :[]= , :sub, :replace, :strip, :strip!, :inspect
+      ]
+      def replace!
+        mod = Module.new do
+          def self.wrap_call(name)
+            define_method(name) do |*args, &block|
+              return super(*args, &block) unless tainted? || args.any?(&:tainted?)
+              result = super(*args, &block)
+              result.tainted_love_tags += tainted_love_tags if tainted?
+              args.select(&:tainted?).each do |arg|
+                result.tainted_love_tags += arg.tainted_love_tags
+              end
+              result
+            end
+          end
+          WRAP_METHODS.each do |sym|
+            wrap_call(sym)
+          end
+          def gsub(*args, &block)
+            # Context for this hack: https://stackoverflow.com/a/52783055/3349159
+            match(args.first)
+            unless block.nil?
+              block.binding.tap do |b|
+                b.local_variable_set(:_tainted_love_tilde_variable, $~)
+                b.eval("$~ = _tainted_love_tilde_variable")
+              end
+            end
+            result = super(*args, &block)
+            result.tainted_love_tags += tainted_love_tags if tainted?
+            args.select(&:tainted?).each do |arg|
+              result.tainted_love_tags += arg.tainted_love_tags
+            end
+            result
+          end
+          def split(*args)
+            result = super(*args)
+            if tainted?
+              result.each do |value|
+                value.taint.tainted_love_tags += tainted_love_tags
+              end
+            end
+            result
+          end
+        end
+        String.prepend(mod)
+      end
+    end
+  end
+end