hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 12:15:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

don't call environment variables for command-line arguments

Browse Source
This commit is contained in:
erik-krogh
2023-02-14 14:27:41 +01:00
parent 36478124ae
commit 393649b7ce
4 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
View File

@@ -10,7 +10,10 @@ module IndirectCommandInjection {
/**
* A data flow source for command-injection vulnerabilities.
*/
abstract class Source extends DataFlow::Node { }
abstract class Source extends DataFlow::Node {
/** Gets a description of this source. */
string describe() { result = "command-line argument" }
}
/**
* A data flow sink for command-injection vulnerabilities.
@@ -42,6 +45,8 @@ module IndirectCommandInjection {
*/
private class ProcessEnvAsSource extends Source {
ProcessEnvAsSource() { this = NodeJSLib::process().getAPropertyRead("env") }
override string describe() { result = "environment variable" }
}
/**

2
javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
View File

@@ -40,7 +40,7 @@ module RegExpInjection {
* expression injection.
*/
class ArgvAsSource extends Source instanceof IndirectCommandInjection::Source {
override string describe() { result = "command-line argument" }
override string describe() { result = IndirectCommandInjection::Source.super.describe() }
}
/**

2
javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
View File

@@ -25,4 +25,4 @@ where
then cfg.isSinkWithHighlight(sink.getNode(), highlight)
else highlight = sink.getNode()
select highlight, source, sink, "This command depends on an unsanitized $@.", source.getNode(),
"command-line argument"
source.getNode().(Source).describe()

2
javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
View File

@@ -164,6 +164,6 @@ edges
| RegExpInjection.js:54:14:54:52 | key.spl ... in("-") | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") | This regular expression is constructed from a $@. | RegExpInjection.js:5:13:5:28 | req.param("key") | user-provided value |
| RegExpInjection.js:64:14:64:18 | input | RegExpInjection.js:60:39:60:56 | req.param("input") | RegExpInjection.js:64:14:64:18 | input | This regular expression is constructed from a $@. | RegExpInjection.js:60:39:60:56 | req.param("input") | user-provided value |
| RegExpInjection.js:87:14:87:55 | "^.*\\.( ... + ")$" | RegExpInjection.js:82:15:82:32 | req.param("input") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ... + ")$" | This regular expression is constructed from a $@. | RegExpInjection.js:82:15:82:32 | req.param("input") | user-provided value |
| RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | RegExpInjection.js:91:20:91:30 | process.env | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:91:20:91:30 | process.env | command-line argument |
| RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | RegExpInjection.js:91:20:91:30 | process.env | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:91:20:91:30 | process.env | environment variable |
| RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:93:20:93:31 | process.argv | command-line argument |
| tst.js:3:16:3:35 | "^"+ data.name + "$" | tst.js:1:46:1:46 | e | tst.js:3:16:3:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:1:46:1:46 | e | user-provided value |