From 45d51a4d00996bec8af9cd8f2cd12891856afa59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 2 Jul 2024 23:29:53 +0200
Subject: [PATCH] Add more poisonable steps

---
 .../codeql/actions/security/PoisonableSteps.qll | 2 +-
 ql/lib/ext/config/poisonable_steps.yml | 15 +++++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
index 4165df17a4d..c228965736d 100644
--- a/ql/lib/codeql/actions/security/PoisonableSteps.qll
+++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll
@@ -29,7 +29,7 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run {
 LocalScriptExecutionRunStep() {
 exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() |
 poisonableLocalScriptsDataModel(regexp, group) and
- cmd = line.regexpCapture("(^|\\b|\\s+)" + regexp, group)
+ cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group)
 )
 }
 
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
index dc835e7dab2..f13a2a16d35 100644
--- a/ql/lib/ext/config/poisonable_steps.yml
+++ b/ql/lib/ext/config/poisonable_steps.yml
@@ -35,6 +35,9 @@ extensions:
 - ["npm i(nstall)?"]
 - ["npm run"]
 - ["npm ci"]
+ - ["pnpm i(nstall)?"]
+ - ["pnpm run"]
+ - ["pnpm ci"]
 - ["pre-commit"]
 - ["prettier"]
 - ["pip install -r"]
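Review bot: The new terminator group `(\\b|\\s+|;|\\)|`|$)` on the `cmd = line.regexpCapture(...)` line does not actually bound the capture: every pattern in poisonableLocalScriptsDataModel still ends in a greedy `(.*)` (see the poisonable_steps.yml hunk in this same patch), and `\\b` and `$` are zero-width, so since regexpCapture requires the whole line to match, a line such as `./build.sh --ci && make test` yields group 3 = `build.sh --ci && make test` rather than the script, and the greedy leading `.*` means a line invoking two local scripts only ever reports the last one. If `cmd` is meant to be the invoked script (the `dir/cmd` TODO in the data model reads that way), the data-model captures should be narrowed instead, e.g. `(\\.\\/)([^\\s;`)]+)` in place of `(\\.\\/)(.*)`, which is also what makes the `;`, `\\)` and backtick alternatives in the wrapper meaningful. This is inferred from the regexes alone; how `cmd` is consumed, together with the class header and the `cmd` field of LocalScriptExecutionRunStep, lies outside the hunk.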
@@ -54,10 +57,10 @@ extensions:
 extensible: poisonableLocalScriptsDataModel
 data:
 # TODO: It could also be in the form of `dir/cmd`
- - ["(\\.\\/)(.*)(\\s+|;|$)", 3]
- - ["(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3]
- - ["(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3]
- - ["(python)\\s+(.*)\\.py(\\s+|;|$)", 3]
- - ["(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3]
- - ["(go)\\s+(.*)\\.go(\\s+|;|$)", 3]
+ - ["(\\.\\/)(.*)", 3]
+ - ["(source|sh|bash|zsh|fish)\\s+(.*)", 3]
+ - ["(node)\\s+(.*)(\\.js|\\.ts)", 3]
+ - ["(python)\\s+(.*)\\.py", 3]
+ - ["(ruby)\\s+(.*)\\.rb", 3]
+ - ["(go)\\s+(.*)\\.go", 3]