diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
index e95d81dcf06..a1e60c0bf41 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -15,7 +15,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery
 import DataFlow::PathGraph
 from DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
index d250b242c05..0890b3b6021 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
@@ -14,7 +14,7 @@
 import java
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery
 /**
  * Strings that are known to be sane by some simple local analysis. Such strings
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/ExecCommon.qll b/java/ql/src/experimental/Security/CWE/CWE-078/ExecCommon.qll
deleted file mode 100644
index c0025043fce..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecCommon.qll
+++ /dev/null
@@ -1,32 +0,0 @@
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.ExternalProcess
-import semmle.code.java.security.CommandArguments
-
-private class RemoteUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration {
- RemoteUserInputToArgumentToExecFlowConfig() {
- this = "ExecCommon::RemoteUserInputToArgumentToExecFlowConfig"
- }
-
- override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
- override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
-
- override predicate isSanitizer(DataFlow::Node node) {
- node.getType() instanceof PrimitiveType
- or
- node.getType() instanceof BoxedType
- or
- isSafeCommandArgument(node.asExpr())
- }
-}
-
-/**
- * Implementation of `ExecTainted.ql`. It is extracted to a QLL
- * so that it can be excluded from `ExecUnescaped.ql` to avoid
- * reporting overlapping results.
- */
-predicate execTainted(DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg) {
- exists(RemoteUserInputToArgumentToExecFlowConfig conf |
- conf.hasFlowPath(source, sink) and sink.getNode() = DataFlow::exprNode(execArg)
- )
-}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
index b87d83a52a4..d5ddc9af1d4 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
@@ -14,7 +14,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery
 import JSchOSInjection
 import DataFlow::PathGraph
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecCommon.qll b/java/ql/src/semmle/code/java/security/CommandLineQuery.qll
similarity index 77%
rename from java/ql/src/Security/CWE/CWE-078/ExecCommon.qll
rename to java/ql/src/semmle/code/java/security/CommandLineQuery.qll
index c0025043fce..80ec142f214 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecCommon.qll
+++ b/java/ql/src/semmle/code/java/security/CommandLineQuery.qll
@@ -1,3 +1,12 @@
+/**
+ * Provides classes and methods common to queries `java/command-line-injection`, `java/command-line-concatenation`
+ * and their experimental derivatives.
+ *
+ * Do not import this from a library file, in order to reduce the risk of
+ * unintentionally bringing a TaintTracking::Configuration into scope in an unrelated
+ * query.
+ */
+
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
 import semmle.code.java.security.CommandArguments
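Review bot: The new QLDoc header says the module provides "classes and methods", but a QL module exports classes and predicates, and the library headers elsewhere in this tree follow the `Provides classes and predicates for ...` wording; `* Provides classes and predicates common to the queries \`java/command-line-injection\`` on the first line, with `* and \`java/command-line-concatenation\` and their experimental derivatives.` on the next, would match that convention and also bring the over-long first line under the usual width. Now that the file sits under `semmle/code/java/security/`, the library tree, the "Do not import this from a library file" sentence is the only guard against the configuration being pulled into unrelated queries, so it is worth saying why in one more clause — presumably because, as I recall the QL data-flow library behaves, every `TaintTracking::Configuration` in scope is evaluated, so an accidental import costs the other query evaluation time. The module body beyond the three context imports is outside this hunk; the deleted experimental copy shares the pre-image blob `c0025043fce` with this file and names the configuration `this = "ExecCommon::RemoteUserInputToArgumentToExecFlowConfig"`, which, if unchanged by the rename, now carries a stale module name — `this = "CommandLineQuery::RemoteUserInputToArgumentToExecFlowConfig"` would keep the identifier accurate.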