hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

add code-injection sink for node-pty

Browse Source
This commit is contained in:
erik-krogh
2023-01-30 15:14:25 +01:00
parent e46960e0cf
commit 02da718786
4 changed files with 55 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
View File

@@ -294,6 +294,27 @@ module CodeInjection {
}
}
/**
* Writing to a terminal via the `node-pty` library, seen as a code injection sink.
* Example:
* ```JS
* var pty = require('node-pty');
* var ptyProcess = pty.spawn("bash", [], {...});
* ptyProcess.write('ls\r');
* ```
*/
class NodePTY extends Sink {
NodePTY() {
this =
API::moduleImport("node-pty")
.getMember("spawn")
.getReturn()
.getMember("write")
.getACall()
.getArgument(0)
}
}
/** A sink for code injection via template injection. */
abstract private class TemplateSink extends Sink {
deprecated override string getMessageSuffix() {

10
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
View File

@@ -84,6 +84,11 @@ nodes
| express.js:26:17:26:35 | req.param("wobble") |
| express.js:27:34:27:38 | taint |
| express.js:27:34:27:38 | taint |
| express.js:34:9:34:35 | taint |
| express.js:34:17:34:35 | req.param("wobble") |
| express.js:34:17:34:35 | req.param("wobble") |
| express.js:43:15:43:19 | taint |
| express.js:43:15:43:19 | taint |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
@@ -216,6 +221,10 @@ edges
| express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint |
| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint |
| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint |
| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint |
| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |
@@ -311,6 +320,7 @@ edges
| express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | This code execution depends on a $@. | express.js:19:37:19:70 | req.par ... odule") | user-provided value |
| express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | This code execution depends on a $@. | express.js:21:19:21:48 | req.par ... ntext") | user-provided value |
| express.js:27:34:27:38 | taint | express.js:26:17:26:35 | req.param("wobble") | express.js:27:34:27:38 | taint | This code execution depends on a $@. | express.js:26:17:26:35 | req.param("wobble") | user-provided value |
| express.js:43:15:43:19 | taint | express.js:34:17:34:35 | req.param("wobble") | express.js:43:15:43:19 | taint | This code execution depends on a $@. | express.js:34:17:34:35 | req.param("wobble") | user-provided value |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
| react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |

9
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
View File

@@ -88,6 +88,11 @@ nodes
| express.js:26:17:26:35 | req.param("wobble") |
| express.js:27:34:27:38 | taint |
| express.js:27:34:27:38 | taint |
| express.js:34:9:34:35 | taint |
| express.js:34:17:34:35 | req.param("wobble") |
| express.js:34:17:34:35 | req.param("wobble") |
| express.js:43:15:43:19 | taint |
| express.js:43:15:43:19 | taint |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
@@ -224,6 +229,10 @@ edges
| express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint |
| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint |
| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint |
| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint |
| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |

15
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js
View File

@@ -28,3 +28,18 @@ app.get('/other/path', function(req, res) {
cp.execFileSync('node', ['-e', `console.log(${JSON.stringify(taint)})`]); // OK
});
const pty = require('node-pty');
app.get('/terminal', function(req, res) {
const taint = req.param("wobble");
const shell = pty.spawn('bash', [], {
name: 'xterm-color',
cols: 80,
rows: 30,
cwd: process.env.HOME,
env: process.env
});
shell.write(taint); // NOT OK
});