Ruby: Decompression Bombs

[am0o0]

This is part of All for one, one for all query submission, I'm going to submit an issue in github/securitylab for this pull request too.
I wrote two versions which V2 is using recursion by use of API graphs to find zip file sinks. I added V1 because I think it maybe have some advantage in your opinion but I prefer V2. the predicates in V2 can used in ZipSlip query too I can work on this too if you agree.( I couldn't write the recursion predicate without the initial help of @asgerf in #13431)
I added the only sanitizer that I think is available which is checking the size of each zip entry.
Also I added some instance of some really popular additional taint steps which I think it is good to be added as global steps.

[smowton]

Anyone not watching the repo in general, note this is part of a family of submissions:

#13553
#13554
#13555
#13556
#13557
#13558

[am0o0]

Anyone not watching the repo in general, note this is part of a family of submissions:

#13553 #13554 #13555 #13556 #13557 #13558

#13560 is added too

[github-actions]

QHelp previews:

ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp

errors/warnings:

A fatal error occurred: Failed to read path ./ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
(eventual cause: NoSuchFileException "./ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql")

[github-advanced-security]

CodeQL found more than 10 potential problems in the proposed changes. Check the Files changed tab for more details.

[am0o0]

Hi, I've completed the work on this query.

[calumgrant]

Hey @amammad, would you be able to submit these to the Security Lab bug bounty program using this template as this will help us prioritise this work, and it would also be really helpful to test the CVEs found as well.

Thank you for your submission!

[am0o0]

@calumgrant I'll submit related issues in GH security lab in this week.

[github-actions]

QHelp previews:

ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp

errors/warnings:

/home/runner/work/codeql/codeql/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp:15:4: element "p" not allowed here; expected the element end-tag or element "example", "fragment", "howToAddress", "hr", "include", "overview", "recommendation", "references", "section" or "semmleNotes"
/home/runner/work/codeql/codeql/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp:16:10: element "example" not allowed here; expected the element end-tag, text or element "a", "b", "code", "em", "i", "img", "strong", "sub", "sup" or "tt"
/home/runner/work/codeql/codeql/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp:21:13: element "references" not allowed here; expected the element end-tag, text or element "a", "b", "code", "em", "i", "img", "strong", "sub", "sup" or "tt"
/home/runner/work/codeql/codeql/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp:32:3: The element type "p" must be terminated by the matching end-tag "</p>".
A fatal error occurred: 1 qhelp files could not be processed.

[am0o0]

Hi, I can't use a predicate with a better performance like the following here:

API::Node rubyZipNode() {
    result = zipFile()
    or
    result = rubyZipNode().getMethod(_)
    or
    result = rubyZipNode().getReturn()
    or
    result = rubyZipNode().getParameter(_)
    or
    result = rubyZipNode().getAnElement()
    or
    result = rubyZipNode().getBlock()
  }

because lines 164 and 165 won't work for this then.

[github-actions]

QHelp previews:

ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp

errors/warnings:

/home/runner/work/codeql/codeql/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp:15:4: element "p" not allowed here; expected the element end-tag or element "example", "fragment", "howToAddress", "hr", "include", "overview", "recommendation", "references", "section" or "semmleNotes"
/home/runner/work/codeql/codeql/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp:16:10: element "example" not allowed here; expected the element end-tag, text or element "a", "b", "code", "em", "i", "img", "strong", "sub", "sup" or "tt"
/home/runner/work/codeql/codeql/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp:21:13: element "references" not allowed here; expected the element end-tag, text or element "a", "b", "code", "em", "i", "img", "strong", "sub", "sup" or "tt"
/home/runner/work/codeql/codeql/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp:32:3: The element type "p" must be terminated by the matching end-tag "</p>".
A fatal error occurred: 1 qhelp files could not be processed.

[alexrford]

Hi, I've run an initial review of this. Some of the feedback here may overlap with comments on the versions of this query for other languages.

[alexrford]

We should probably be using DataFlow::OperationNode and/or Ast::RelationalOperation to detect other inequality tests (e.g. >, <, <=, >=) here.

I'm also not sure that restricting this to just cases where entry.size is the greater operand is desirable. e.g. the following both function as sanitizers:

if entry.size > limit
  raise "exceeds limit"
else
  entry.extract
end

if entry.size < limit
  entry.extract
else
  raise "exceeds limit"
end

[am0o0]

Hi @alexrford
Is it possible for you to review this PR before 25/3?
I have two weeks of forced vacation from 25/03 so I can focus on finishing this and other codeql PRs.

[alexrford]

Sorry for the delay, approved.

[github-actions]

QHelp previews:

ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qhelp

User-controlled file decompression

Extracting Compressed files with any compression algorithm like gzip can cause to denial of service attacks.

Attackers can compress a huge file which created by repeated similiar byte and convert it to a small compressed file.

Recommendation

When you want to decompress a user-provided compressed file you must be careful about the decompression ratio or read these files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop.

Please read official RubyZip Documentation here

Example

Rubyzip: According to official Documentation

MAX_FILE_SIZE = 10 * 1024**2 # 10MiB
MAX_FILES = 100
Zip::File.open('foo.zip') do |zip_file|
  num_files = 0
  zip_file.each do |entry|
    num_files += 1 if entry.file?
    raise 'Too many extracted files' if num_files > MAX_FILES
    raise 'File too large when extracted' if entry.size > MAX_FILE_SIZE
    entry.extract
  end
end

# "Note that if you use the lower level Zip::InputStream interface, rubyzip does not check the entry sizes"
zip_stream = Zip::InputStream.new(File.open('file.zip'))
while entry = zip_stream.get_next_entry
  # All required operations on `entry` go here.
end

References

• CVE-2023-22898 Gitlab issue
• A great research to gain more impact by this kind of attack
• Common Weakness Enumeration: CWE-409.

[alexrford]

Just a couple of suggestions to make CI pass.

[alexrford]

Suggested change

	</recommendation>
	<p>Please read official RubyZip Documentation <a href="https://github.com/rubyzip/rubyzip/#size-validation">here</a></p>
	<p>Please read official RubyZip Documentation <a href="https://github.com/rubyzip/rubyzip/#size-validation">here</a></p>
	</recommendation>

This should fix the qhelp check error.

[alexrford]

Suggested change

	* @id rb/user-controlled-file-decompression
	* @id rb/user-controlled-data-decompression

For consistency with JS and to address the duplicate query ID check.

[alexrford]

This .expected file looks like it needs to be regenerated to account for a change in the edges relation format.

[am0o0]

Sorry for the delay, approved.

Thank you a lot for approving this PR and developing and improving the CodeQL every day :)