Ruby: configsig rb/command-line-injection

2026-04-27 09:45:15 +02:00 · 2023-08-24 12:16:31 +01:00
parent b1a49ddb0d
commit 377570f361
2 changed files with 23 additions and 5 deletions
--- a/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll
@@ -3,7 +3,7 @@
 * command-injection vulnerabilities (CWE-078).
 *
 * Note, for performance reasons: only import this file if
- * `CommandInjection::Configuration` is needed, otherwise
+ * `CommandInjectionFlow` is needed, otherwise
 * `CommandInjectionCustomizations` should be imported instead.
 */

@@ -15,8 +15,9 @@ import codeql.ruby.dataflow.BarrierGuards

 /**
 * A taint-tracking configuration for reasoning about command-injection vulnerabilities.
+ * DEPRECATED: Use `CommandInjectionFlow` instead
 */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "CommandInjection" }

  override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -29,3 +30,20 @@ class Configuration extends TaintTracking::Configuration {
    node instanceof StringConstArrayInclusionCallBarrier
  }
 }
+
+private module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof Sanitizer or
+    node instanceof StringConstCompareBarrier or
+    node instanceof StringConstArrayInclusionCallBarrier
+  }
+}
+
+/**
+ * Taint-tracking for reasoning about command-injection vulnerabilities.
+ */
+module CommandInjectionFlow = TaintTracking::Global<Config>;
--- a/ruby/ql/src/queries/security/cwe-078/CommandInjection.ql
+++ b/ruby/ql/src/queries/security/cwe-078/CommandInjection.ql
@@ -15,11 +15,11 @@

 import codeql.ruby.AST
 import codeql.ruby.security.CommandInjectionQuery
-import DataFlow::PathGraph
+import CommandInjectionFlow::PathGraph

-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Source sourceNode
+from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Source sourceNode
 where
-  config.hasFlowPath(source, sink) and
+  CommandInjectionFlow::flowPath(source, sink) and
  sourceNode = source.getNode()
 select sink.getNode(), source, sink, "This command depends on a $@.", sourceNode,
  sourceNode.getSourceType()