Grape - detect params calls inside helper methods

- added unit tests for flow using inline format
- removed grape from Arel tests (temporary)

Author: felickz

ruby/ql/lib/codeql/ruby/frameworks/Grape.qll

@@ -121,11 +121,18 @@ class GrapeParamsSource extends Http::Server::RequestInputAccess::Range {
  */
 private class GrapeParamsCall extends ParamsCallImpl {
   GrapeParamsCall() {
-    // Simplified approach: find params calls that are descendants of Grape API class methods
+    // Params calls within endpoint blocks
     exists(GrapeApiClass api |
       this.getMethodName() = "params" and
       this.getParent+() = api.getADeclaration()
     )
+    or
+    // Params calls within helper methods (defined in helpers blocks)
+    exists(GrapeApiClass api, DataFlow::CallNode helpersCall |
+      helpersCall = api.getAModuleLevelCall("helpers") and
+      this.getMethodName() = "params" and
+      this.getParent+() = helpersCall.getBlock().asExpr().getExpr()
+    )
   }
 }
 
@@ -295,18 +302,31 @@ private class GrapeHelperMethod extends Method {
 
 /**
  * Additional taint step to model dataflow from method arguments to parameters
- * for Grape helper methods defined in `helpers` blocks.
+ * and from return values back to call sites for Grape helper methods defined in `helpers` blocks.
  * This bridges the gap where standard dataflow doesn't recognize the Grape DSL semantics.
  */
 private class GrapeHelperMethodTaintStep extends AdditionalTaintStep {
   override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    // Map arguments to parameters for helper method calls
     exists(GrapeHelperMethod helperMethod, MethodCall call, int i |
-      // Find calls to helper methods from within Grape endpoints
+      // Find calls to helper methods from within Grape endpoints or other helper methods
       call.getMethodName() = helperMethod.getName() and
-      exists(GrapeEndpoint endpoint | call.getParent+() = endpoint.getBody().asExpr().getExpr()) and
+      exists(GrapeApiClass api | call.getParent+() = api.getADeclaration()) and
       // Map argument to parameter
       nodeFrom.asExpr().getExpr() = call.getArgument(i) and
       nodeTo.asParameter() = helperMethod.getParameter(i)
     )
+    or
+    // Model implicit return values: the last expression in a helper method flows to the call site
+    exists(GrapeHelperMethod helperMethod, MethodCall helperCall, Expr lastExpr |
+      // Find calls to helper methods from within Grape endpoints or other helper methods
+      helperCall.getMethodName() = helperMethod.getName() and
+      exists(GrapeApiClass api | helperCall.getParent+() = api.getADeclaration()) and
+      // Get the last expression in the helper method (Ruby's implicit return)
+      lastExpr = helperMethod.getLastStmt() and
+      // Flow from the last expression in the helper method to the call site
+      nodeFrom.asExpr().getExpr() = lastExpr and
+      nodeTo.asExpr().getExpr() = helperCall
+    )
   }
 }

ruby/ql/test/library-tests/frameworks/grape/Flow.expected

@@ -0,0 +1,77 @@
+models
+edges
+| app.rb:103:13:103:18 | call to params | app.rb:103:13:103:70 | call to select | provenance |  |
+| app.rb:103:13:103:70 | call to select | app.rb:149:21:149:31 | call to user_params | provenance | AdditionalTaintStep |
+| app.rb:103:13:103:70 | call to select | app.rb:165:21:165:31 | call to user_params | provenance | AdditionalTaintStep |
+| app.rb:107:13:107:32 | call to source | app.rb:143:18:143:43 | call to vulnerable_helper | provenance | AdditionalTaintStep |
+| app.rb:111:13:111:33 | call to source | app.rb:150:25:150:37 | call to simple_helper | provenance | AdditionalTaintStep |
+| app.rb:126:9:126:15 | user_id | app.rb:133:14:133:20 | user_id | provenance |  |
+| app.rb:126:19:126:24 | call to params | app.rb:126:19:126:34 | ...[...] | provenance |  |
+| app.rb:126:19:126:34 | ...[...] | app.rb:126:9:126:15 | user_id | provenance |  |
+| app.rb:127:9:127:16 | route_id | app.rb:134:14:134:21 | route_id | provenance |  |
+| app.rb:127:20:127:40 | call to route_param | app.rb:127:9:127:16 | route_id | provenance |  |
+| app.rb:128:9:128:12 | auth | app.rb:135:14:135:17 | auth | provenance |  |
+| app.rb:128:16:128:22 | call to headers | app.rb:128:16:128:38 | ...[...] | provenance |  |
+| app.rb:128:16:128:38 | ...[...] | app.rb:128:9:128:12 | auth | provenance |  |
+| app.rb:129:9:129:15 | session | app.rb:136:14:136:20 | session | provenance |  |
+| app.rb:129:19:129:25 | call to cookies | app.rb:129:19:129:38 | ...[...] | provenance |  |
+| app.rb:129:19:129:38 | ...[...] | app.rb:129:9:129:15 | session | provenance |  |
+| app.rb:143:9:143:14 | result | app.rb:144:14:144:19 | result | provenance |  |
+| app.rb:143:18:143:43 | call to vulnerable_helper | app.rb:143:9:143:14 | result | provenance |  |
+| app.rb:149:9:149:17 | user_data | app.rb:151:14:151:22 | user_data | provenance |  |
+| app.rb:149:21:149:31 | call to user_params | app.rb:149:9:149:17 | user_data | provenance |  |
+| app.rb:150:9:150:21 | simple_result | app.rb:152:14:152:26 | simple_result | provenance |  |
+| app.rb:150:25:150:37 | call to simple_helper | app.rb:150:9:150:21 | simple_result | provenance |  |
+| app.rb:159:13:159:19 | user_id | app.rb:160:18:160:24 | user_id | provenance |  |
+| app.rb:159:23:159:28 | call to params | app.rb:159:23:159:33 | ...[...] | provenance |  |
+| app.rb:159:23:159:33 | ...[...] | app.rb:159:13:159:19 | user_id | provenance |  |
+| app.rb:165:9:165:17 | user_data | app.rb:166:14:166:22 | user_data | provenance |  |
+| app.rb:165:21:165:31 | call to user_params | app.rb:165:9:165:17 | user_data | provenance |  |
+nodes
+| app.rb:103:13:103:18 | call to params | semmle.label | call to params |
+| app.rb:103:13:103:70 | call to select | semmle.label | call to select |
+| app.rb:107:13:107:32 | call to source | semmle.label | call to source |
+| app.rb:111:13:111:33 | call to source | semmle.label | call to source |
+| app.rb:126:9:126:15 | user_id | semmle.label | user_id |
+| app.rb:126:19:126:24 | call to params | semmle.label | call to params |
+| app.rb:126:19:126:34 | ...[...] | semmle.label | ...[...] |
+| app.rb:127:9:127:16 | route_id | semmle.label | route_id |
+| app.rb:127:20:127:40 | call to route_param | semmle.label | call to route_param |
+| app.rb:128:9:128:12 | auth | semmle.label | auth |
+| app.rb:128:16:128:22 | call to headers | semmle.label | call to headers |
+| app.rb:128:16:128:38 | ...[...] | semmle.label | ...[...] |
+| app.rb:129:9:129:15 | session | semmle.label | session |
+| app.rb:129:19:129:25 | call to cookies | semmle.label | call to cookies |
+| app.rb:129:19:129:38 | ...[...] | semmle.label | ...[...] |
+| app.rb:133:14:133:20 | user_id | semmle.label | user_id |
+| app.rb:134:14:134:21 | route_id | semmle.label | route_id |
+| app.rb:135:14:135:17 | auth | semmle.label | auth |
+| app.rb:136:14:136:20 | session | semmle.label | session |
+| app.rb:143:9:143:14 | result | semmle.label | result |
+| app.rb:143:18:143:43 | call to vulnerable_helper | semmle.label | call to vulnerable_helper |
+| app.rb:144:14:144:19 | result | semmle.label | result |
+| app.rb:149:9:149:17 | user_data | semmle.label | user_data |
+| app.rb:149:21:149:31 | call to user_params | semmle.label | call to user_params |
+| app.rb:150:9:150:21 | simple_result | semmle.label | simple_result |
+| app.rb:150:25:150:37 | call to simple_helper | semmle.label | call to simple_helper |
+| app.rb:151:14:151:22 | user_data | semmle.label | user_data |
+| app.rb:152:14:152:26 | simple_result | semmle.label | simple_result |
+| app.rb:159:13:159:19 | user_id | semmle.label | user_id |
+| app.rb:159:23:159:28 | call to params | semmle.label | call to params |
+| app.rb:159:23:159:33 | ...[...] | semmle.label | ...[...] |
+| app.rb:160:18:160:24 | user_id | semmle.label | user_id |
+| app.rb:165:9:165:17 | user_data | semmle.label | user_data |
+| app.rb:165:21:165:31 | call to user_params | semmle.label | call to user_params |
+| app.rb:166:14:166:22 | user_data | semmle.label | user_data |
+subpaths
+testFailures
+#select
+| app.rb:133:14:133:20 | user_id | app.rb:126:19:126:24 | call to params | app.rb:133:14:133:20 | user_id | $@ | app.rb:126:19:126:24 | call to params | call to params |
+| app.rb:134:14:134:21 | route_id | app.rb:127:20:127:40 | call to route_param | app.rb:134:14:134:21 | route_id | $@ | app.rb:127:20:127:40 | call to route_param | call to route_param |
+| app.rb:135:14:135:17 | auth | app.rb:128:16:128:22 | call to headers | app.rb:135:14:135:17 | auth | $@ | app.rb:128:16:128:22 | call to headers | call to headers |
+| app.rb:136:14:136:20 | session | app.rb:129:19:129:25 | call to cookies | app.rb:136:14:136:20 | session | $@ | app.rb:129:19:129:25 | call to cookies | call to cookies |
+| app.rb:144:14:144:19 | result | app.rb:107:13:107:32 | call to source | app.rb:144:14:144:19 | result | $@ | app.rb:107:13:107:32 | call to source | call to source |
+| app.rb:151:14:151:22 | user_data | app.rb:103:13:103:18 | call to params | app.rb:151:14:151:22 | user_data | $@ | app.rb:103:13:103:18 | call to params | call to params |
+| app.rb:152:14:152:26 | simple_result | app.rb:111:13:111:33 | call to source | app.rb:152:14:152:26 | simple_result | $@ | app.rb:111:13:111:33 | call to source | call to source |
+| app.rb:160:18:160:24 | user_id | app.rb:159:23:159:28 | call to params | app.rb:160:18:160:24 | user_id | $@ | app.rb:159:23:159:28 | call to params | call to params |
+| app.rb:166:14:166:22 | user_data | app.rb:103:13:103:18 | call to params | app.rb:166:14:166:22 | user_data | $@ | app.rb:103:13:103:18 | call to params | call to params |

ruby/ql/test/library-tests/frameworks/grape/Flow.ql

@@ -0,0 +1,25 @@
+/**
+ * @kind path-problem
+ */
+
+import ruby
+import utils.test.InlineFlowTest
+import PathGraph
+import codeql.ruby.frameworks.Grape
+import codeql.ruby.Concepts
+
+module GrapeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source instanceof Http::Server::RequestInputAccess::Range
+    or
+    DefaultFlowConfig::isSource(source)
+  }
+
+  predicate isSink(DataFlow::Node sink) { DefaultFlowConfig::isSink(sink) }
+}
+
+import FlowTest<DefaultFlowConfig, GrapeConfig>
+
+from PathNode source, PathNode sink
+where flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()

ruby/ql/test/library-tests/frameworks/grape/Grape.expected

@@ -1,6 +1,7 @@
 grapeApiClasses
 | app.rb:1:1:90:3 | MyAPI |
 | app.rb:92:1:96:3 | AdminAPI |
+| app.rb:98:1:168:3 | UserAPI |
 grapeEndpoints
 | app.rb:1:1:90:3 | MyAPI | app.rb:7:3:11:5 | call to get | GET | /hello/:name |
 | app.rb:1:1:90:3 | MyAPI | app.rb:17:3:20:5 | call to post | POST | /messages |
@@ -13,6 +14,10 @@ grapeEndpoints
 | app.rb:1:1:90:3 | MyAPI | app.rb:78:3:82:5 | call to get | GET | /cookie_test |
 | app.rb:1:1:90:3 | MyAPI | app.rb:85:3:89:5 | call to get | GET | /header_test |
 | app.rb:92:1:96:3 | AdminAPI | app.rb:93:3:95:5 | call to get | GET | /admin |
+| app.rb:98:1:168:3 | UserAPI | app.rb:124:5:138:7 | call to get | GET | /comprehensive_test/:user_id |
+| app.rb:98:1:168:3 | UserAPI | app.rb:140:5:145:7 | call to get | GET | /helper_test/:user_id |
+| app.rb:98:1:168:3 | UserAPI | app.rb:147:5:153:7 | call to post | POST | /users |
+| app.rb:98:1:168:3 | UserAPI | app.rb:164:5:167:7 | call to post | POST | /users |
 grapeParams
 | app.rb:8:12:8:17 | call to params |
 | app.rb:14:3:16:5 | call to params |
@@ -22,19 +27,30 @@ grapeParams
 | app.rb:36:5:36:10 | call to params |
 | app.rb:60:12:60:17 | call to params |
 | app.rb:94:5:94:10 | call to params |
+| app.rb:103:13:103:18 | call to params |
+| app.rb:126:19:126:24 | call to params |
+| app.rb:142:19:142:24 | call to params |
+| app.rb:159:23:159:28 | call to params |
 grapeHeaders
 | app.rb:9:18:9:24 | call to headers |
 | app.rb:46:5:46:11 | call to headers |
 | app.rb:66:3:69:5 | call to headers |
 | app.rb:86:12:86:18 | call to headers |
 | app.rb:87:14:87:20 | call to headers |
+| app.rb:116:5:118:7 | call to headers |
+| app.rb:128:16:128:22 | call to headers |
 grapeRequest
 | app.rb:25:12:25:18 | call to request |
+| app.rb:130:21:130:27 | call to request |
 grapeRouteParam
 | app.rb:51:15:51:35 | call to route_param |
 | app.rb:52:15:52:36 | call to route_param |
 | app.rb:57:3:63:5 | call to route_param |
+| app.rb:127:20:127:40 | call to route_param |
+| app.rb:156:5:162:7 | call to route_param |
 grapeCookies
 | app.rb:72:3:75:5 | call to cookies |
 | app.rb:79:15:79:21 | call to cookies |
 | app.rb:80:16:80:22 | call to cookies |
+| app.rb:120:5:122:7 | call to cookies |
+| app.rb:129:19:129:25 | call to cookies |

ruby/ql/test/library-tests/frameworks/grape/app.rb

@@ -93,4 +93,76 @@ class AdminAPI < Grape::API
   get '/admin' do
     params[:token]
   end
-end
+end
+
+class UserAPI < Grape::API
+    VALID_PARAMS = %w(name email password password_confirmation)
+
+    helpers do
+        def user_params
+            params.select{|key,value| VALID_PARAMS.include?(key.to_s)} # Real helper implementation
+        end
+
+        def vulnerable_helper(user_id)
+            source "paramHelper" # Test parameter passing to helper
+        end
+
+        def simple_helper
+            source "simpleHelper" # Test simple helper return
+        end
+    end
+
+    # Headers and cookies blocks for DSL testing
+    headers do
+        requires :Authorization, type: String
+    end
+
+    cookies do
+        requires :session_id, type: String
+    end
+
+    get '/comprehensive_test/:user_id' do
+        # Test all Grape input sources
+        user_id = params[:user_id]           # params taint source
+        route_id = route_param(:user_id)     # route_param taint source
+        auth = headers[:Authorization]       # headers taint source
+        session = cookies[:session_id]       # cookies taint source
+        body_data = request.body.read        # request taint source
+
+        # Test sinks for all sources
+        sink user_id # $ hasTaintFlow
+        sink route_id # $ hasTaintFlow
+        sink auth # $ hasTaintFlow
+        sink session # $ hasTaintFlow
+        # Note: request.body.read may not be detected by this flow test config
+    end
+
+    get '/helper_test/:user_id' do
+        # Test helper method parameter passing dataflow
+        user_id = params[:user_id]
+        result = vulnerable_helper(user_id)
+        sink result # $ hasTaintFlow=paramHelper
+    end
+
+    post '/users' do
+        # Test helper method return dataflow
+        user_data = user_params
+        simple_result = simple_helper
+        sink user_data # $ hasTaintFlow
+        sink simple_result # $ hasTaintFlow=simpleHelper
+    end
+
+    # Test route_param block pattern
+    route_param :id do
+        get do
+            # params[:id] should be user input from the path
+            user_id = params[:id]
+            sink user_id # $ hasTaintFlow
+        end
+    end
+
+    post '/users' do
+        user_data = user_params
+        sink user_data # $ hasTaintFlow
+    end
+end

ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb

@@ -6,66 +6,4 @@ def unsafe_action
     sql = Arel.sql("SELECT * FROM users WHERE name = #{name}")
     sql = Arel::Nodes::SqlLiteral.new("SELECT * FROM users WHERE name = #{name}")
   end
-end
-
-class PotatoAPI < Grape::API
-  get '/unsafe_endpoint' do
-    name = params[:user_name]
-    # BAD: SQL statement constructed from user input
-    sql = Arel.sql("SELECT * FROM users WHERE name = #{name}")
-    sql = Arel::Nodes::SqlLiteral.new("SELECT * FROM users WHERE name = #{name}")
-  end
-end
-
-class SimpleAPI < Grape::API
-  get '/test' do
-    x = params[:name]
-    Arel.sql("SELECT * FROM users WHERE name = #{x}")
-  end
-end
-
-  # Test helper method pattern in Grape helpers block
-  class TestAPI < Grape::API
-    helpers do
-      def vulnerable_helper(user_id)
-        # BAD: SQL statement constructed from user input passed as parameter
-        Arel.sql("SELECT * FROM users WHERE id = #{user_id}")
-      end
-    end
-
-    # Headers and cookies blocks for DSL testing
-    headers do
-      requires :Authorization, type: String
-    end
-
-    cookies do
-      requires :session_id, type: String
-    end
-
-    get '/comprehensive_test/:user_id' do
-      # BAD: Comprehensive test using all Grape input sources in one SQL query
-      user_id = params[:user_id]           # params taint source
-      route_id = route_param(:user_id)     # route_param taint source
-      auth = headers[:Authorization]       # headers taint source
-      session = cookies[:session_id]       # cookies taint source
-      body_data = request.body.read        # request taint source
-
-      # All sources flow to SQL injection
-      Arel.sql("SELECT * FROM users WHERE id = #{user_id} AND route_id = #{route_id} AND auth = #{auth} AND session = #{session} AND data = #{body_data}")
-    end
-
-    get '/helper_test' do
-      # BAD: Test helper method dataflow
-      user_id = params[:user_id]
-      vulnerable_helper(user_id)
-    end
-
-    # Test route_param block pattern
-    route_param :id do
-      get do
-        # BAD: params[:id] should be user input from the path
-        user_id = params[:id]
-        Arel.sql("SELECT * FROM users WHERE id = #{user_id}")
-      end
-    end
-  end
+end