hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-12 02:24:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add another test for shell interpretation

Browse Source
This commit is contained in:
Harry Maclean
2021-09-13 12:05:40 +01:00
parent f8359767bc
commit 599dc28ffa
2 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ql/test/query-tests/security/cwe-078/CommandInjection.expected
View File

@@ -7,7 +7,7 @@ edges
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:26:19:26:24 | #{...} |
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:30:24:30:36 | "echo #{...}" |
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:31:39:31:51 | "grep #{...}" |
| CommandInjection.rb:42:15:42:20 | call to params : | CommandInjection.rb:46:24:46:36 | "echo #{...}" |
| CommandInjection.rb:43:15:43:20 | call to params : | CommandInjection.rb:47:24:47:36 | "echo #{...}" |
nodes
| CommandInjection.rb:6:15:6:20 | call to params : | semmle.label | call to params : |
| CommandInjection.rb:7:10:7:15 | #{...} | semmle.label | #{...} |
@@ -18,8 +18,8 @@ nodes
| CommandInjection.rb:26:19:26:24 | #{...} | semmle.label | #{...} |
| CommandInjection.rb:30:24:30:36 | "echo #{...}" | semmle.label | "echo #{...}" |
| CommandInjection.rb:31:39:31:51 | "grep #{...}" | semmle.label | "grep #{...}" |
| CommandInjection.rb:42:15:42:20 | call to params : | semmle.label | call to params : |
| CommandInjection.rb:46:24:46:36 | "echo #{...}" | semmle.label | "echo #{...}" |
| CommandInjection.rb:43:15:43:20 | call to params : | semmle.label | call to params : |
| CommandInjection.rb:47:24:47:36 | "echo #{...}" | semmle.label | "echo #{...}" |
#select
| CommandInjection.rb:7:10:7:15 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:7:10:7:15 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:8:16:8:18 | cmd | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:8:16:8:18 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
@@ -29,4 +29,4 @@ nodes
| CommandInjection.rb:26:19:26:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:26:19:26:24 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:30:24:30:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:30:24:30:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:31:39:31:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:31:39:31:51 | "grep #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:46:24:46:36 | "echo #{...}" | CommandInjection.rb:42:15:42:20 | call to params : | CommandInjection.rb:46:24:46:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:42:15:42:20 | call to params | a user-provided value |
| CommandInjection.rb:47:24:47:36 | "echo #{...}" | CommandInjection.rb:43:15:43:20 | call to params : | CommandInjection.rb:47:24:47:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:43:15:43:20 | call to params | a user-provided value |

3
ql/test/query-tests/security/cwe-078/CommandInjection.rb
View File

@@ -6,7 +6,7 @@ class UsersController < ActionController::Base
cmd = params[:cmd]
`#{cmd}`
system(cmd)
system("echo", cmd)
system("echo", cmd) # OK, because cmd is not shell interpreted
exec(cmd)
%x(echo #{cmd})
result = <<`EOF`
@@ -29,6 +29,7 @@ EOF
# Open3 methods
Open3.capture2("echo #{cmd}")
Open3.pipeline("cat foo.txt", "grep #{cmd}")
Open3.pipeline(["echo", cmd], "tail") # OK, because cmd is not shell interpreted
end
def show