Merge branch 'main' into shellSanitizer

2026-05-05 13:45:19 +02:00 · 2020-12-22 13:57:15 +01:00
parent f7f88689c4 2bb96369f1
commit 530a4aea35
17 changed files with 161 additions and 45 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment.expected
@@ -1,13 +1,33 @@
 nodes
-| tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") |
-| tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") |
-| tst_shell-command-injection-from-environment.js:5:26:5:53 | path.jo ... "temp") |
-| tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname |
-| tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname |
+| tst_shell-command-injection-from-environment.js:6:14:6:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:6:14:6:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname |
+| tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname |
+| tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname |
+| tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname |
+| tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname |
+| tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname |
 edges
-| tst_shell-command-injection-from-environment.js:5:26:5:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") |
-| tst_shell-command-injection-from-environment.js:5:26:5:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") |
-| tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname | tst_shell-command-injection-from-environment.js:5:26:5:53 | path.jo ... "temp") |
-| tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname | tst_shell-command-injection-from-environment.js:5:26:5:53 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:6:14:6:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:6:14:6:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname | tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname | tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname | tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname | tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname | tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname | tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") |
 #select
-| tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") | tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname | tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") | This shell command depends on an uncontrolled $@. | tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname | absolute path |
+| tst_shell-command-injection-from-environment.js:6:14:6:53 | 'rm -rf ... "temp") | tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname | tst_shell-command-injection-from-environment.js:6:14:6:53 | 'rm -rf ... "temp") | This shell command depends on an uncontrolled $@. | tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname | absolute path |
+| tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") | tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname | tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") | This shell command depends on an uncontrolled $@. | tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname | absolute path |
+| tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") | tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname | tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") | This shell command depends on an uncontrolled $@. | tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname | absolute path |
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
@@ -191,6 +191,10 @@ nodes
 | lib/lib.js:340:22:340:26 | id(n) |
 | lib/lib.js:340:22:340:26 | id(n) |
 | lib/lib.js:340:25:340:25 | n |
+| lib/lib.js:349:29:349:34 | unsafe |
+| lib/lib.js:349:29:349:34 | unsafe |
+| lib/lib.js:351:22:351:27 | unsafe |
+| lib/lib.js:351:22:351:27 | unsafe |
 edges
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
@@ -417,6 +421,10 @@ edges
 | lib/lib.js:339:39:339:39 | n | lib/lib.js:340:25:340:25 | n |
 | lib/lib.js:340:25:340:25 | n | lib/lib.js:340:22:340:26 | id(n) |
 | lib/lib.js:340:25:340:25 | n | lib/lib.js:340:22:340:26 | id(n) |
+| lib/lib.js:349:29:349:34 | unsafe | lib/lib.js:351:22:351:27 | unsafe |
+| lib/lib.js:349:29:349:34 | unsafe | lib/lib.js:351:22:351:27 | unsafe |
+| lib/lib.js:349:29:349:34 | unsafe | lib/lib.js:351:22:351:27 | unsafe |
+| lib/lib.js:349:29:349:34 | unsafe | lib/lib.js:351:22:351:27 | unsafe |
 #select
 | lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |
@@ -472,3 +480,4 @@ edges
 | lib/lib.js:320:11:320:26 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name | $@ based on library input is later used in $@. | lib/lib.js:320:11:320:26 | "rm -rf " + name | String concatenation | lib/lib.js:320:3:320:27 | cp.exec ... + name) | shell command |
 | lib/lib.js:325:12:325:51 | "MyWind ... " + arg | lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg | $@ based on library input is later used in $@. | lib/lib.js:325:12:325:51 | "MyWind ... " + arg | String concatenation | lib/lib.js:326:2:326:13 | cp.exec(cmd) | shell command |
 | lib/lib.js:340:10:340:26 | "rm -rf " + id(n) | lib/lib.js:339:39:339:39 | n | lib/lib.js:340:22:340:26 | id(n) | $@ based on library input is later used in $@. | lib/lib.js:340:10:340:26 | "rm -rf " + id(n) | String concatenation | lib/lib.js:340:2:340:27 | cp.exec ...  id(n)) | shell command |
+| lib/lib.js:351:10:351:27 | "rm -rf " + unsafe | lib/lib.js:349:29:349:34 | unsafe | lib/lib.js:351:22:351:27 | unsafe | $@ based on library input is later used in $@. | lib/lib.js:351:10:351:27 | "rm -rf " + unsafe | String concatenation | lib/lib.js:351:2:351:28 | cp.exec ... unsafe) | shell command |
--- a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.expected
@@ -58,8 +58,9 @@ syncCommand
 | other.js:12:5:12:30 | require ... nc(cmd) |
 | other.js:30:5:30:36 | require ... ")(cmd) |
 | third-party-command-injection.js:6:9:6:28 | cp.execSync(command) |
-| tst_shell-command-injection-from-environment.js:4:2:4:62 | cp.exec ... emp")]) |
-| tst_shell-command-injection-from-environment.js:5:2:5:54 | cp.exec ... temp")) |
+| tst_shell-command-injection-from-environment.js:5:2:5:62 | cp.exec ... emp")]) |
+| tst_shell-command-injection-from-environment.js:6:2:6:54 | cp.exec ... temp")) |
+| tst_shell-command-injection-from-environment.js:9:2:9:58 | execa.s ... temp")) |
 | uselesscat.js:16:1:16:29 | execSyn ... uinfo') |
 | uselesscat.js:18:1:18:26 | execSyn ... path}`) |
 | uselesscat.js:20:1:20:36 | execSyn ... wc -l') |
--- a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -345,3 +345,14 @@ module.exports.typeofNumber = function(n) {
 		cp.exec("rm -rf " + n); // OK
 	}
 };
+
+function boundProblem(safe, unsafe) {
+	cp.exec("rm -rf " + safe); // OK
+	cp.exec("rm -rf " + unsafe); // NOT OK
+}
+
+Object.defineProperty(module.exports, "boundProblem", {
+	get: function () {
+		return boundProblem.bind(this, "safe");
+	}
+});
--- a/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js
@@ -1,6 +1,10 @@
 var cp = require('child_process'),
-    path = require('path');
+    path = require('path'),
+    execa = require("execa");
 (function() {
 	cp.execFileSync('rm',  ['-rf', path.join(__dirname, "temp")]); // GOOD
 	cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // BAD
+
+	execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
+	execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
 });
--- a/javascript/ql/test/query-tests/Security/CWE-807/ConditionalBypass.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-807/ConditionalBypass.expected
@@ -1,4 +1,14 @@
 nodes
+| example_bypass.js:6:9:6:19 | req.cookies |
+| example_bypass.js:6:9:6:19 | req.cookies |
+| example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:40:6:56 | req.params.userId |
+| example_bypass.js:6:40:6:56 | req.params.userId |
+| example_bypass.js:6:40:6:56 | req.params.userId |
+| example_bypass.js:17:46:17:62 | req.params.userId |
+| example_bypass.js:17:46:17:62 | req.params.userId |
+| example_bypass.js:17:46:17:62 | req.params.userId |
 | tst.js:9:8:9:26 | req.params.shutDown |
 | tst.js:9:8:9:26 | req.params.shutDown |
 | tst.js:9:8:9:26 | req.params.shutDown |
@@ -60,6 +70,12 @@ nodes
 | tst.js:113:13:113:32 | req.query.vulnerable |
 | tst.js:113:13:113:32 | req.query.vulnerable |
 edges
+| example_bypass.js:6:9:6:19 | req.cookies | example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:9:6:19 | req.cookies | example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:9:6:19 | req.cookies | example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:9:6:19 | req.cookies | example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:40:6:56 | req.params.userId | example_bypass.js:6:40:6:56 | req.params.userId |
+| example_bypass.js:17:46:17:62 | req.params.userId | example_bypass.js:17:46:17:62 | req.params.userId |
 | tst.js:9:8:9:26 | req.params.shutDown | tst.js:9:8:9:26 | req.params.shutDown |
 | tst.js:13:9:13:19 | req.cookies | tst.js:13:9:13:30 | req.coo ... inThing |
 | tst.js:13:9:13:19 | req.cookies | tst.js:13:9:13:30 | req.coo ... inThing |
--- a/javascript/ql/test/query-tests/Security/CWE-807/DifferentKindsComparisonBypass.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-807/DifferentKindsComparisonBypass.expected
@@ -1,3 +1,4 @@
+| example_bypass.js:6:9:6:56 | req.coo ... .userId | This comparison of $@ and $@ is a potential security risk since it is controlled by the user. | example_bypass.js:6:9:6:19 | req.cookies | req.cookies | example_bypass.js:6:40:6:56 | req.params.userId | req.params.userId |
 | tst-different-kinds-comparison-bypass.js:7:5:7:42 | req.que ... .userId | This comparison of $@ and $@ is a potential security risk since it is controlled by the user. | tst-different-kinds-comparison-bypass.js:7:5:7:20 | req.query.userId | req.query.userId | tst-different-kinds-comparison-bypass.js:7:25:7:35 | req.cookies | req.cookies |
 | tst-different-kinds-comparison-bypass.js:11:5:11:23 | req.url == req.body | This comparison of $@ and $@ is a potential security risk since it is controlled by the user. | tst-different-kinds-comparison-bypass.js:11:5:11:11 | req.url | req.url | tst-different-kinds-comparison-bypass.js:11:16:11:23 | req.body | req.body |
 | tst-different-kinds-comparison-bypass.js:16:9:16:14 | a == b | This comparison of $@ and $@ is a potential security risk since it is controlled by the user. | tst-different-kinds-comparison-bypass.js:13:11:13:26 | req.query.userId | req.query.userId | tst-different-kinds-comparison-bypass.js:13:29:13:39 | req.cookies | req.cookies |
--- a/javascript/ql/test/query-tests/Security/CWE-807/example_bypass.js
+++ b/javascript/ql/test/query-tests/Security/CWE-807/example_bypass.js
@@ -0,0 +1,24 @@
+var express = require('express');
+var app = express();
+// ...
+app.get('/full-profile/:userId', function(req, res) {
+
+    if (req.cookies.loggedInUserId !== req.params.userId) { // NOT OK
+        // BAD: login decision made based on user controlled data
+        requireLogin();
+    } else {
+        // ... show private information
+    }
+
+});
+
+app.get('/full-profile/:userId', function(req, res) {
+
+    if (req.signedCookies.loggedInUserId !== req.params.userId) { // OK
+        // GOOD: login decision made based on server controlled data
+        requireLogin();
+    } else {
+        // ... show private information
+    }
+
+});