diff --git a/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll b/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll index 489f72950fc..024cb6a4632 100644 --- a/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll +++ b/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll @@ -5,6 +5,19 @@ import go +/** + * An indirect system-command execution via an argument argument passed to a command interpreter + * such as a shell, `sudo`, or a programming-language interpreter. + */ +private class ShellOrSudoExecution extends SystemCommandExecution::Range, DataFlow::CallNode { + ShellOrSudoExecution() { + this instanceof SystemCommandExecution and + this.getAnArgument().getAPredecessor*() instanceof ShellLike + } + + override DataFlow::Node getCommandName() { result = getAnArgument() } +} + private class SystemCommandExecutors extends SystemCommandExecution::Range, DataFlow::CallNode { int cmdArg; @@ -23,13 +36,171 @@ private class SystemCommandExecutors extends SystemCommandExecution::Range, Data } /** - * A call to the `Command` function from the [go-sh](https://github.com/codeskyblue/go-sh) - * package, viewed as a system-command execution. + * A call to the `Command` function, or `Call` or `Command` methods on a `Session` object + * from the [go-sh](https://github.com/codeskyblue/go-sh) package, viewed as a + * system-command execution. */ private class GoShCommandExecution extends SystemCommandExecution::Range, DataFlow::CallNode { GoShCommandExecution() { - getTarget().hasQualifiedName("github.com/codeskyblue/go-sh", "Command") + exists(string packagePath | packagePath = "github.com/codeskyblue/go-sh" | + // Catch method calls on the `Session` object: + exists(Method method | + method.hasQualifiedName(packagePath, "Session", "Call") + or + method.hasQualifiedName(packagePath, "Session", "Command") + or + method.hasQualifiedName(packagePath, "Session", "Exec") + | + this = method.getACall() + ) + or + // Catch calls to the `Command` function: + getTarget().hasQualifiedName(packagePath, "Command") + ) } override DataFlow::Node getCommandName() { result = this.getArgument(0) } } + +/** + * A call to a method on a `Session` object from the [ssh](golang.org/x/crypto/ssh) + * package, viewed as a system-command execution. + */ +private class SshCommandExecution extends SystemCommandExecution::Range, DataFlow::CallNode { + SshCommandExecution() { + // Catch method calls on the `Session` object: + exists(Method method, string methodName | + methodName = "CombinedOutput" + or + methodName = "Output" + or + methodName = "Run" + or + methodName = "Start" + | + method.hasQualifiedName("golang.org/x/crypto/ssh", "Session", methodName) and + this = method.getACall() + ) + } + + override DataFlow::Node getCommandName() { result = this.getArgument(0) } +} + +/** + * A data-flow node whose string value might refer to a command that interprets (some of) + * its arguments as commands. + * + * Examples include shells, `sudo`, programming-language interpreters, and SSH clients. + */ +private class ShellLike extends DataFlow::Node { + ShellLike() { + isSudoOrSimilar(this) or + isShell(this) or + isProgrammingLanguageCli(this) or + isSsh(this) + } +} + +private string getASudoCommand() { + result = "sudo" or + result = "su" or + result = "doas" or + result = "access" or + result = "vsys" or + result = "userv" or + result = "sus" or + result = "super" or + result = "priv" or + result = "calife" or + result = "ssu" or + result = "su1" or + result = "op" or + result = "sudowin" or + result = "sudown" +} + +/** + * A data-flow node whose string value might refer to a command that interprets (some of) + * its arguments as system commands in a similar manner to `sudo`. + */ +private predicate isSudoOrSimilar(DataFlow::Node node) { + exists(string regex | + regex = ".*(^|/)(" + concat(string cmd | cmd = getASudoCommand() | cmd, "|") + ")" + | + node.getStringValue().regexpMatch(regex) + ) +} + +private string getAShellCommand() { + result = "bash" or + result = "sh" or + result = "rbash" or + result = "dash" or + result = "zsh" or + result = "csh" or + result = "tcsh" or + result = "fish" or + result = "pwsh" or + result = "elvish" or + result = "oh" or + result = "ion" or + result = "ksh" or + result = "rksh" or + result = "tksh" or + result = "mksh" or + result = "nu" or + result = "oksh" or + result = "osh" or + result = "shpp" or + result = "xiki" or + result = "xonsh" or + result = "yash" +} + +/** + * A data-flow node whose string value might refer to a shell. + */ +private predicate isShell(DataFlow::Node node) { + exists(string regex | + regex = ".*(^|/)(" + concat(string cmd | cmd = getAShellCommand() | cmd, "|") + ")" + | + node.getStringValue().regexpMatch(regex) + ) +} + +private string getAnInterpreterName() { + result = "python" or + result = "php" or + result = "ruby" or + result = "perl" or + result = "node" or + result = "nodejs" +} + +/** + * A data-flow node whose string value might refer to a programming-language interpreter. + */ +private predicate isProgrammingLanguageCli(DataFlow::Node node) { + // NOTE: we can encounter cases like /usr/bin/python3.1 or python3.7m + exists(string regex | + regex = + ".*(^|/)(" + concat(string cmd | cmd = getAnInterpreterName() | cmd + "[\\d.\\-vm]*", "|") + + ")" + | + node.getStringValue().regexpMatch(regex) + ) +} + +private string getASshCommand() { result = "ssh" or result = "putty.exe" or result = "kitty.exe" } + +/** + * A data-flow node whose string value might refer to an SSH client or similar, whose arguments can be + * commands that will be executed on the remote host. + */ +private predicate isSsh(DataFlow::Node node) { + exists(string regex | + regex = ".*(^|/)(" + concat(string cmd | cmd = getASshCommand() | cmd, "|") + ")" + | + node.getStringValue().regexpMatch(regex) + ) +} diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/SystemCommandExecutors.expected b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/SystemCommandExecutors.expected new file mode 100644 index 00000000000..1a1ce9b7a81 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/SystemCommandExecutors.expected @@ -0,0 +1,55 @@ +| SystemCommandExecutors.go:26:3:26:36 | call to StartProcess | SystemCommandExecutors.go:26:19:26:24 | source | +| SystemCommandExecutors.go:30:3:30:47 | call to StartProcess | SystemCommandExecutors.go:30:19:30:23 | shell | +| SystemCommandExecutors.go:30:3:30:47 | call to StartProcess | SystemCommandExecutors.go:30:26:30:41 | composite literal | +| SystemCommandExecutors.go:30:3:30:47 | call to StartProcess | SystemCommandExecutors.go:30:44:30:46 | nil | +| SystemCommandExecutors.go:33:3:33:64 | call to StartProcess | SystemCommandExecutors.go:33:19:33:23 | shell | +| SystemCommandExecutors.go:33:3:33:64 | call to StartProcess | SystemCommandExecutors.go:33:26:33:58 | call to append | +| SystemCommandExecutors.go:33:3:33:64 | call to StartProcess | SystemCommandExecutors.go:33:61:33:63 | nil | +| SystemCommandExecutors.go:36:3:36:61 | call to StartProcess | SystemCommandExecutors.go:36:19:36:23 | shell | +| SystemCommandExecutors.go:36:3:36:61 | call to StartProcess | SystemCommandExecutors.go:36:26:36:55 | call to append | +| SystemCommandExecutors.go:36:3:36:61 | call to StartProcess | SystemCommandExecutors.go:36:58:36:60 | nil | +| SystemCommandExecutors.go:44:3:44:57 | call to StartProcess | SystemCommandExecutors.go:44:19:44:33 | assumedNonShell | +| SystemCommandExecutors.go:47:3:47:74 | call to StartProcess | SystemCommandExecutors.go:47:19:47:33 | assumedNonShell | +| SystemCommandExecutors.go:50:3:50:82 | call to StartProcess | SystemCommandExecutors.go:50:19:50:33 | assumedNonShell | +| SystemCommandExecutors.go:56:3:56:31 | call to Command | SystemCommandExecutors.go:56:16:56:21 | source | +| SystemCommandExecutors.go:59:3:59:41 | call to Command | SystemCommandExecutors.go:59:16:59:20 | shell | +| SystemCommandExecutors.go:59:3:59:41 | call to Command | SystemCommandExecutors.go:59:23:59:26 | "a0" | +| SystemCommandExecutors.go:59:3:59:41 | call to Command | SystemCommandExecutors.go:59:29:59:32 | "a1" | +| SystemCommandExecutors.go:59:3:59:41 | call to Command | SystemCommandExecutors.go:59:35:59:40 | source | +| SystemCommandExecutors.go:62:3:62:56 | call to Command | SystemCommandExecutors.go:62:16:62:20 | shell | +| SystemCommandExecutors.go:62:3:62:56 | call to Command | SystemCommandExecutors.go:62:23:62:52 | call to append | +| SystemCommandExecutors.go:65:3:65:114 | call to Command | SystemCommandExecutors.go:65:16:65:19 | "sh" | +| SystemCommandExecutors.go:65:3:65:114 | call to Command | SystemCommandExecutors.go:65:22:65:25 | "-c" | +| SystemCommandExecutors.go:65:3:65:114 | call to Command | SystemCommandExecutors.go:65:28:65:113 | ...+... | +| SystemCommandExecutors.go:66:3:66:42 | call to Command | SystemCommandExecutors.go:66:16:66:21 | "sudo" | +| SystemCommandExecutors.go:66:3:66:42 | call to Command | SystemCommandExecutors.go:66:24:66:27 | "sh" | +| SystemCommandExecutors.go:66:3:66:42 | call to Command | SystemCommandExecutors.go:66:30:66:33 | "-c" | +| SystemCommandExecutors.go:66:3:66:42 | call to Command | SystemCommandExecutors.go:66:36:66:41 | source | +| SystemCommandExecutors.go:69:3:69:68 | call to Command | SystemCommandExecutors.go:69:16:69:21 | "ruby" | +| SystemCommandExecutors.go:69:3:69:68 | call to Command | SystemCommandExecutors.go:69:24:69:27 | "-e" | +| SystemCommandExecutors.go:69:3:69:68 | call to Command | SystemCommandExecutors.go:69:30:69:67 | call to Sprintf | +| SystemCommandExecutors.go:70:3:70:80 | call to Command | SystemCommandExecutors.go:70:16:70:21 | "perl" | +| SystemCommandExecutors.go:70:3:70:80 | call to Command | SystemCommandExecutors.go:70:24:70:27 | "-e" | +| SystemCommandExecutors.go:70:3:70:80 | call to Command | SystemCommandExecutors.go:70:30:70:79 | call to Sprintf | +| SystemCommandExecutors.go:71:3:71:86 | call to Command | SystemCommandExecutors.go:71:16:71:26 | "python2.7" | +| SystemCommandExecutors.go:71:3:71:86 | call to Command | SystemCommandExecutors.go:71:29:71:32 | "-c" | +| SystemCommandExecutors.go:71:3:71:86 | call to Command | SystemCommandExecutors.go:71:35:71:85 | call to Sprintf | +| SystemCommandExecutors.go:72:3:72:87 | call to Command | SystemCommandExecutors.go:72:16:72:27 | "python3.6m" | +| SystemCommandExecutors.go:72:3:72:87 | call to Command | SystemCommandExecutors.go:72:30:72:33 | "-c" | +| SystemCommandExecutors.go:72:3:72:87 | call to Command | SystemCommandExecutors.go:72:36:72:86 | call to Sprintf | +| SystemCommandExecutors.go:74:3:74:56 | call to Command | SystemCommandExecutors.go:74:16:74:33 | "python3.7-config" | +| SystemCommandExecutors.go:75:3:75:44 | call to Command | SystemCommandExecutors.go:75:16:75:28 | "python3-pbr" | +| SystemCommandExecutors.go:78:3:78:56 | call to Command | SystemCommandExecutors.go:78:16:78:20 | "ssh" | +| SystemCommandExecutors.go:78:3:78:56 | call to Command | SystemCommandExecutors.go:78:23:78:26 | "-t" | +| SystemCommandExecutors.go:78:3:78:56 | call to Command | SystemCommandExecutors.go:78:29:78:39 | "user@host" | +| SystemCommandExecutors.go:78:3:78:56 | call to Command | SystemCommandExecutors.go:78:42:78:55 | ...+... | +| SystemCommandExecutors.go:83:3:83:32 | call to CombinedOutput | SystemCommandExecutors.go:83:26:83:31 | source | +| SystemCommandExecutors.go:84:3:84:24 | call to Output | SystemCommandExecutors.go:84:18:84:23 | source | +| SystemCommandExecutors.go:85:3:85:21 | call to Run | SystemCommandExecutors.go:85:15:85:20 | source | +| SystemCommandExecutors.go:86:3:86:23 | call to Start | SystemCommandExecutors.go:86:17:86:22 | source | +| SystemCommandExecutors.go:90:3:90:86 | call to Command | SystemCommandExecutors.go:90:14:90:18 | shell | +| SystemCommandExecutors.go:90:3:90:86 | call to Command | SystemCommandExecutors.go:90:21:90:82 | call to toInterfaceArray | +| SystemCommandExecutors.go:91:3:91:104 | call to Call | SystemCommandExecutors.go:91:32:91:36 | shell | +| SystemCommandExecutors.go:91:3:91:104 | call to Call | SystemCommandExecutors.go:91:39:91:100 | call to toInterfaceArray | +| SystemCommandExecutors.go:92:3:92:107 | call to Command | SystemCommandExecutors.go:92:35:92:39 | shell | +| SystemCommandExecutors.go:92:3:92:107 | call to Command | SystemCommandExecutors.go:92:42:92:103 | call to toInterfaceArray | diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/SystemCommandExecutors.go b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/SystemCommandExecutors.go new file mode 100644 index 00000000000..681604f11fe --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/SystemCommandExecutors.go @@ -0,0 +1,101 @@ +package main + +import ( + "fmt" + "net/http" + "os" + "os/exec" + + "github.com/codeskyblue/go-sh" + "golang.org/x/crypto/ssh" +) + +func main() {} + +func handler(w http.ResponseWriter, req *http.Request) { + sudo := "sudo" + shell := "/bin/bash" + assumedNonShell := "ls" + args := []string{} + + source := req.URL.Query()["cmd"][0] + + // os.StartProcess: these MUST be caught. + { + // `source` is used directly as command: + os.StartProcess(source, args, nil) + + // `source` flows into a composite literal which is used + // as arguments, and the command is a shell: + os.StartProcess(shell, []string{source}, nil) + + // `source` flows into a composite literal as first argument to append: + os.StartProcess(shell, append([]string{source}, args...), nil) + + // `source` flows into a composite literal as Nth argument to append: + os.StartProcess(shell, append([]string{sudo}, source), nil) + } + + // os.StartProcess: `source` MUST NOT be caught here because the first argument is not a ShellOrSudoExecution. + { + // `source` is an argument to a non-shell command that does not execute + // the `source` as a command, i.e. the source is just an argument to a command + // that will not execute it. + os.StartProcess(assumedNonShell, []string{source}, nil) + + // as above, except the source is inside a composite literal inside an append: + os.StartProcess(assumedNonShell, append([]string{source}, args...), nil) + + // source is used inside append as nth argument: + os.StartProcess(assumedNonShell, append([]string{assumedNonShell}, source), nil) + } + + // exec.Command: these MUST be caught. + { + // source is used directly as command: + exec.Command(source, args...).Run() + + // source comes as nth arg to a shell: + exec.Command(shell, "a0", "a1", source) + + // source flows into a composite literal as Nth argument to append: + exec.Command(shell, append([]string{sudo}, source)...) + + // other ways to compose a command: + exec.Command("sh", "-c", "GOOS=windows GOARCH=386 go build -ldflags \"-s -w -H=windowsgui\" -o \""+source+".go") + exec.Command("sudo", "sh", "-c", source) + + // programming-language interpreters: + exec.Command("ruby", "-e", fmt.Sprintf(`system("ls %s")`, source)) + exec.Command("perl", "-e", fmt.Sprintf(`system("sh sudo cp %s dst")`, source)) + exec.Command("python2.7", "-c", fmt.Sprintf(`import os;os.system("ls %s")`, source)) + exec.Command("python3.6m", "-c", fmt.Sprintf(`import os;os.system("ls %s")`, source)) + // negative examples (args should not be caught): + exec.Command("python3.7-config", "--includes", source) + exec.Command("python3-pbr", "sha", source) + + // ssh: + exec.Command("ssh", "-t", "user@host", "ping "+source) + } + // golang.org/x/crypto/ssh + { + session := &ssh.Session{} + session.CombinedOutput(source) + session.Output(source) + session.Run(source) + session.Start(source) + } + // github.com/codeskyblue/go-sh + { + sh.Command(shell, toInterfaceArray(append([]string{assumedNonShell}, source)...)...) + sh.InteractiveSession().Call(shell, toInterfaceArray(append([]string{assumedNonShell}, source)...)...) + sh.InteractiveSession().Command(shell, toInterfaceArray(append([]string{assumedNonShell}, source)...)...) + } +} +func toInterfaceArray(str ...string) []interface{} { + res := make([]interface{}, 0) + for i := range str { + res = append(res, str[i]) + } + return res +} diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/SystemCommandExecutors.ql b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/SystemCommandExecutors.ql new file mode 100644 index 00000000000..0d0ccb6d54e --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/SystemCommandExecutors.ql @@ -0,0 +1,5 @@ +import go +import semmle.go.security.CommandInjection + +from SystemCommandExecution exec +select exec, exec.getCommandName() diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/go.mod b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/go.mod new file mode 100644 index 00000000000..a38d4a4518b --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/go.mod @@ -0,0 +1,8 @@ +module github.com/gagliardetto/codeql-go/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors + +go 1.14 + +require ( + github.com/codeskyblue/go-sh v0.0.0-20190412065543-76bd3d59ff27 + golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 +) diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/LICENSE b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/LICENSE new file mode 100644 index 00000000000..e06d2081865 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/LICENSE @@ -0,0 +1,202 @@ +Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/README.md b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/README.md new file mode 100644 index 00000000000..fc62543ff69 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/README.md @@ -0,0 +1,3 @@ +This is a simple stub for https://github.com/codeskyblue/go-sh, strictly for use in query testing. + +See the LICENSE file in this folder for information about the licensing of the original library. diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/go-sh.go b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/go-sh.go new file mode 100644 index 00000000000..09f9e1b9d1a --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/go-sh.go @@ -0,0 +1,23 @@ +package sh + +type Session struct{} + +func InteractiveSession() *Session { + return &Session{} +} + +func Command(name string, a ...interface{}) *Session { + s := &Session{} + return s.Command(name, a...) +} +func (s *Session) Command(name string, a ...interface{}) *Session { + return s +} + +// combine Command and Run +func (s *Session) Call(name string, a ...interface{}) error { + return s.Command(name, a...).Run() +} +func (s *Session) Run() (err error) { + return nil +} diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/go.mod b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/go.mod new file mode 100644 index 00000000000..5eb706029ee --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/go.mod @@ -0,0 +1 @@ +module github.com/codeskyblue/go-sh diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/LICENSE b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/LICENSE new file mode 100644 index 00000000000..6a66aea5eaf --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/LICENSE @@ -0,0 +1,27 @@ +Copyright (c) 2009 The Go Authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/README.md b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/README.md new file mode 100644 index 00000000000..3ed8f9d1459 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/README.md @@ -0,0 +1,3 @@ +This is a simple stub for https://golang.org/x/crypto/ssh, strictly for use in query testing. + +See the LICENSE file in this folder for information about the licensing of the original library. diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/go.mod b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/go.mod new file mode 100644 index 00000000000..7c5da887c5a --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/go.mod @@ -0,0 +1 @@ +module golang.org/x/crypto/ssh diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/ssh.go b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/ssh.go new file mode 100644 index 00000000000..b6eec669d72 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/ssh.go @@ -0,0 +1,16 @@ +package ssh + +type Session struct{} + +func (s *Session) CombinedOutput(cmd string) ([]byte, error) { + return nil, nil +} +func (s *Session) Output(cmd string) ([]byte, error) { + return nil, nil +} +func (s *Session) Run(cmd string) error { + return nil +} +func (s *Session) Start(cmd string) error { + return nil +} diff --git a/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/modules.txt new file mode 100644 index 00000000000..d6e69c7b298 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/modules.txt @@ -0,0 +1,6 @@ +# github.com/codeskyblue/go-sh v0.0.0-20190412065543-76bd3d59ff27 +## explicit +github.com/codeskyblue/go-sh +# golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 +## explicit +golang.org/x/crypto/ssh