hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-04 14:46:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Minor fixes for code review

Browse Source
This commit is contained in:
Ed Minnix
2023-12-11 11:40:19 -05:00
parent 4b9b27c395
commit 1544330f3f
1 changed files with 16 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
View File

@@ -2,10 +2,16 @@
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.Maps
private import semmle.code.java.JDK
private class MapPutOrRemove extends MethodCall {
MapPutOrRemove() {
this.getMethod() instanceof MapMutator and
this.getMethod().getName().matches(["put%", "remove"])
}
}
private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(MethodCall mc | mc = source.asExpr() |
@@ -13,22 +19,29 @@ private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {
)
}
predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(MapMutation mm).getQualifier() }
predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(MapPutOrRemove mm).getQualifier() }
}
private module ProcessBuilderEnvironmentFlow = DataFlow::Global<ProcessBuilderEnvironmentConfig>;
/**
* A node that acts as a sanitizer in configurations related to environment variable injection.
*/
abstract class ExecTaintedEnvironmentSanitizer extends DataFlow::Node { }
/**
* A taint-tracking configuration that tracks flow from unvalidated data to an environment variable for a subprocess.
*/
module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isBarrier(DataFlow::Node barrier) { barrier instanceof ExecTaintedEnvironmentSanitizer }
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "environment-injection")
or
// sink is a key or value added to a `ProcessBuilder::environment` map.
exists(MapMutation mm | mm.getAnArgument() = sink.asExpr() |
exists(MapPutOrRemove mm | mm.getAnArgument() = sink.asExpr() |
ProcessBuilderEnvironmentFlow::flowToExpr(mm.getQualifier())
)
}