hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

add command parsing model for "arg"

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-11-26 15:35:56 +01:00
committed by GitHub
parent 821b4be522
commit 45067ee651
3 changed files with 45 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
View File

@@ -49,6 +49,9 @@ module IndirectCommandInjection {
or
// `require('optimist').argv` => `{ _: [], a: ... b: ... }`
this = DataFlow::moduleMember("optimist", "argv")
or
// `require("arg")({...spec})` => `{_: [], a: ..., b: ...}`
this = DataFlow::moduleImport("arg").getACall()
}
}

58
javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected
View File

@@ -115,15 +115,15 @@ nodes
| command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
| command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
| command-line-parameter-command-injection.js:72:22:72:27 | taint4 |
| command-line-parameter-command-injection.js:76:8:76:35 | args |
| command-line-parameter-command-injection.js:76:8:76:35 | argv |
| command-line-parameter-command-injection.js:76:15:76:26 | process.argv |
| command-line-parameter-command-injection.js:76:15:76:26 | process.argv |
| command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) |
| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo |
| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo |
| command-line-parameter-command-injection.js:79:22:79:35 | minimist(args) |
| command-line-parameter-command-injection.js:79:22:79:39 | minimist(args).foo |
| command-line-parameter-command-injection.js:79:31:79:34 | args |
| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
| command-line-parameter-command-injection.js:79:22:79:35 | minimist(argv) |
| command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo |
| command-line-parameter-command-injection.js:79:31:79:34 | argv |
| command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
| command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
| command-line-parameter-command-injection.js:82:22:82:50 | subarg( ... ice(2)) |
@@ -138,14 +138,21 @@ nodes
| command-line-parameter-command-injection.js:85:34:85:45 | process.argv |
| command-line-parameter-command-injection.js:85:34:85:45 | process.argv |
| command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) |
| command-line-parameter-command-injection.js:88:8:88:39 | flags |
| command-line-parameter-command-injection.js:88:16:88:39 | args.pa ... s.argv) |
| command-line-parameter-command-injection.js:88:27:88:38 | process.argv |
| command-line-parameter-command-injection.js:88:27:88:38 | process.argv |
| command-line-parameter-command-injection.js:88:6:88:37 | flags |
| command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) |
| command-line-parameter-command-injection.js:88:25:88:36 | process.argv |
| command-line-parameter-command-injection.js:88:25:88:36 | process.argv |
| command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:89:22:89:26 | flags |
| command-line-parameter-command-injection.js:89:22:89:30 | flags.foo |
| command-line-parameter-command-injection.js:91:6:91:38 | flags |
| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) |
| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) |
| command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:92:22:92:26 | flags |
| command-line-parameter-command-injection.js:92:22:92:30 | flags.foo |
edges
| command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
| command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] |
@@ -248,14 +255,14 @@ edges
| command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line-parameter-command-injection.js:71:6:71:16 | [...taint4] |
| command-line-parameter-command-injection.js:72:22:72:27 | taint4 | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
| command-line-parameter-command-injection.js:72:22:72:27 | taint4 | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
| command-line-parameter-command-injection.js:76:8:76:35 | args | command-line-parameter-command-injection.js:79:31:79:34 | args |
| command-line-parameter-command-injection.js:76:8:76:35 | argv | command-line-parameter-command-injection.js:79:31:79:34 | argv |
| command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) |
| command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) |
| command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) | command-line-parameter-command-injection.js:76:8:76:35 | args |
| command-line-parameter-command-injection.js:79:22:79:35 | minimist(args) | command-line-parameter-command-injection.js:79:22:79:39 | minimist(args).foo |
| command-line-parameter-command-injection.js:79:22:79:39 | minimist(args).foo | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo |
| command-line-parameter-command-injection.js:79:22:79:39 | minimist(args).foo | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo |
| command-line-parameter-command-injection.js:79:31:79:34 | args | command-line-parameter-command-injection.js:79:22:79:35 | minimist(args) |
| command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) | command-line-parameter-command-injection.js:76:8:76:35 | argv |
| command-line-parameter-command-injection.js:79:22:79:35 | minimist(argv) | command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo |
| command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
| command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
| command-line-parameter-command-injection.js:79:31:79:34 | argv | command-line-parameter-command-injection.js:79:22:79:35 | minimist(argv) |
| command-line-parameter-command-injection.js:82:22:82:50 | subarg( ... ice(2)) | command-line-parameter-command-injection.js:82:22:82:54 | subarg( ... 2)).foo |
| command-line-parameter-command-injection.js:82:22:82:54 | subarg( ... 2)).foo | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
| command-line-parameter-command-injection.js:82:22:82:54 | subarg( ... 2)).foo | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
@@ -268,13 +275,19 @@ edges
| command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) |
| command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) |
| command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) | command-line-parameter-command-injection.js:85:22:85:55 | yargsPa ... ice(2)) |
| command-line-parameter-command-injection.js:88:8:88:39 | flags | command-line-parameter-command-injection.js:89:22:89:26 | flags |
| command-line-parameter-command-injection.js:88:16:88:39 | args.pa ... s.argv) | command-line-parameter-command-injection.js:88:8:88:39 | flags |
| command-line-parameter-command-injection.js:88:27:88:38 | process.argv | command-line-parameter-command-injection.js:88:16:88:39 | args.pa ... s.argv) |
| command-line-parameter-command-injection.js:88:27:88:38 | process.argv | command-line-parameter-command-injection.js:88:16:88:39 | args.pa ... s.argv) |
| command-line-parameter-command-injection.js:88:6:88:37 | flags | command-line-parameter-command-injection.js:89:22:89:26 | flags |
| command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) | command-line-parameter-command-injection.js:88:6:88:37 | flags |
| command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) |
| command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) |
| command-line-parameter-command-injection.js:89:22:89:26 | flags | command-line-parameter-command-injection.js:89:22:89:30 | flags.foo |
| command-line-parameter-command-injection.js:89:22:89:30 | flags.foo | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:89:22:89:30 | flags.foo | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:91:6:91:38 | flags | command-line-parameter-command-injection.js:92:22:92:26 | flags |
| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:91:6:91:38 | flags |
| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:91:6:91:38 | flags |
| command-line-parameter-command-injection.js:92:22:92:26 | flags | command-line-parameter-command-injection.js:92:22:92:30 | flags.foo |
| command-line-parameter-command-injection.js:92:22:92:30 | flags.foo | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:92:22:92:30 | flags.foo | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
#select
| command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument |
@@ -296,7 +309,8 @@ edges
| command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line argument |
| command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line argument |
| command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line argument |
| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo | command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo | command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:88:27:88:38 | process.argv | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:88:27:88:38 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line argument |

9
javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js
View File

@@ -73,10 +73,10 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
});
(function () {
const args = process.argv.slice(2);
const argv = process.argv.slice(2);
var minimist = require("minimist");
cp.exec("cmd.sh " + minimist(args).foo); // NOT OK
cp.exec("cmd.sh " + minimist(argv).foo); // NOT OK
var subarg = require('subarg');
cp.exec("cmd.sh " + subarg(process.argv.slice(2)).foo); // NOT OK
@@ -85,6 +85,9 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // NOT OK
import args from 'args'
const flags = args.parse(process.argv);
var flags = args.parse(process.argv);
cp.exec("cmd.sh " + flags.foo); // NOT OK
var flags = require('arg')({...spec});
cp.exec("cmd.sh " + flags.foo); // NOT OK
})