The TaintFlow blocks in an .ERB file

[Sim4n6]

I have a ruby situation where the remote untrusted data is in the controller where :

@q=params[:ssss]

in a view file with the ext .html.erb, there is a call to a render function as follows

              <%= render partial: 'app1', locals: { query: @q } %>

This is breaking the taint flow from reaching further locations, it looks like query is not reachable by params[:ssss] .

Could you please help me with this one? I mean do I have to add an additionalTaintStep ?

[MathiasVP]

Hi @Sim4n6,

Thanks for reporting this!

Are you able to share a complete example that I can bring to the Ruby team? Ideally, it would be fantastic if you could share a Ruby file and a simple QL query that demonstrates the missing flow.

[Sim4n6]

It's a repo on github but the code hits a vulnerable part (low severity). Let me report that and get back to you, please.

[Sim4n6]

I have just identified the main issue, please:

app/controllers/searches_controller.rb

class SearchesController < ApplicationController
  before_action :disable_feedback

  def show
    @q = params[:q] /// SOURCE 
  end
end

app/views/searches/show.html.erb

<%= render partial: 'app', locals: { query: @q } %>

app/views/searches/_app.html.erb

<%=  f(query) %> // this is our SINK

Now, I modelized the query as follows:

• SOURCE: remote untrusted data.
• SINK: function call.

The problem remains in the additional taint step required.
How do you suggest that I proceed in this case to implement in QL the additional taint step?
Don't give me the whole fish 𓆟 just point me on the right direction, please.

[Sim4n6]

The first part would be query and @q:

exists(MethodCall mc, Pair p |
        mc.getMethodName() = "render" and
        p = mc.getArgument(1).(Pair).getValue().(HashLiteral).getAnElement() and
        p.getValue() = nodeFrom.asExpr().getExpr() and
        p.getKey() = nodeTo.asExpr().getExpr()
      )

[alexrford]

Hi @Sim4n6, we handle a similar case in the XSS queries but haven't yet expanded to be a general case flow step. You can check out the isFlowFromControllerInstanceVariable predicate in XSS.qll to see how we implement this.

I'll warn that the implementation is a bit messy - in general terms we're interested in matching up with the correct template file, then matching up an appropriate InstanceVariableWriteAccessCfgNode in the controller with a corresponding VariableReadAccess in the template file. We use the Cfg layer for the write to check that the variable isn't then overwritten before the render call.