Merge pull request #6202 from smowton/smowton/admin/cleanup-duplicated-experimental-query

Deduplicate shared body of regular and experimental versions of `java/command-line-injection` query.
2025-12-24 04:36:35 +01:00 · 2021-07-02 09:23:50 +02:00
parent f9da044e54 d5a9f3d87b
commit 4e1155cfd2
5 changed files with 12 additions and 35 deletions
--- a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -15,7 +15,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery
 import DataFlow::PathGraph

 from DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg
--- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
@@ -14,7 +14,7 @@

 import java
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery

 /**
 * Strings that are known to be sane by some simple local analysis. Such strings
--- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecCommon.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecCommon.qll
@@ -1,32 +0,0 @@
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.ExternalProcess
-import semmle.code.java.security.CommandArguments
-
-private class RemoteUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration {
-  RemoteUserInputToArgumentToExecFlowConfig() {
-    this = "ExecCommon::RemoteUserInputToArgumentToExecFlowConfig"
-  }
-
-  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
-    or
-    isSafeCommandArgument(node.asExpr())
-  }
-}
-
-/**
- * Implementation of `ExecTainted.ql`. It is extracted to a QLL
- * so that it can be excluded from `ExecUnescaped.ql` to avoid
- * reporting overlapping results.
- */
-predicate execTainted(DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg) {
-  exists(RemoteUserInputToArgumentToExecFlowConfig conf |
-    conf.hasFlowPath(source, sink) and sink.getNode() = DataFlow::exprNode(execArg)
-  )
-}
--- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
@@ -14,7 +14,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery
 import JSchOSInjection
 import DataFlow::PathGraph

--- a/java/ql/src/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/src/semmle/code/java/security/CommandLineQuery.qll
@@ -1,3 +1,12 @@
+/**
+ * Provides classes and methods common to queries `java/command-line-injection`, `java/command-line-concatenation`
+ * and their experimental derivatives.
+ *
+ * Do not import this from a library file, in order to reduce the risk of
+ * unintentionally bringing a TaintTracking::Configuration into scope in an unrelated
+ * query.
+ */
+
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
 import semmle.code.java.security.CommandArguments