add a sanitizer for chained replace-calls

2026-04-30 11:15:13 +02:00 · 2020-05-19 15:38:53 +02:00
parent b71919299b
commit 5b569a4d6d
3 changed files with 52 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -13,6 +13,7 @@ private import semmle.javascript.PackageExports as Exports
 */
 module UnsafeShellCommandConstruction {
  import IndirectCommandArgument
+  import semmle.javascript.security.IncompleteBlacklistSanitizer as IncompleteBlacklistSanitizer

  /**
   * A data flow source for shell command constructed from library input.
@@ -155,6 +156,19 @@ module UnsafeShellCommandConstruction {
    }
  }

+  /**
+   * A chain of replace calls that replaces all unsafe chars for shell-commands.
+   */
+  class ChainSanitizer extends Sanitizer, IncompleteBlacklistSanitizer::StringReplaceCallSequence {
+    ChainSanitizer() {
+      forall(string char |
+        char = ["&", "`", "$", "|", ">", "<", "#", ";", "(", ")", "[", "]", "\n"]
+      |
+        this.getAMember().getAReplacedString() = char
+      )
+    }
+  }
+
  /**
   * A sanitizer that sanitizers paths that exist in the file-system.
   * For example: `x` is sanitized in `fs.existsSync(x)` or `fs.existsSync(x + "/suffix/path")`.
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
@@ -169,6 +169,10 @@ nodes
 | lib/lib.js:277:23:277:26 | opts |
 | lib/lib.js:277:23:277:30 | opts.bla |
 | lib/lib.js:277:23:277:30 | opts.bla |
+| lib/lib.js:307:39:307:42 | name |
+| lib/lib.js:307:39:307:42 | name |
+| lib/lib.js:308:23:308:26 | name |
+| lib/lib.js:308:23:308:26 | name |
 edges
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
@@ -373,6 +377,10 @@ edges
 | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
 | lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
 | lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
+| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
+| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
+| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
+| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
 #select
 | lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |
@@ -424,3 +432,4 @@ edges
 | lib/lib.js:268:10:268:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:268:10:268:32 | "rm -rf ... version | String concatenation | lib/lib.js:268:2:268:33 | cp.exec ... ersion) | shell command |
 | lib/lib.js:272:10:272:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:272:10:272:32 | "rm -rf ... version | String concatenation | lib/lib.js:272:2:272:33 | cp.exec ... ersion) | shell command |
 | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:30 | opts.bla | $@ based on libary input is later used in $@. | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | String concatenation | lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) | shell command |
+| lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:308:11:308:26 | "rm -rf " + name | String concatenation | lib/lib.js:308:3:308:27 | cp.exec ... + name) | shell command |
--- a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -280,4 +280,33 @@ module.exports.Foo = class Foo {

 		cp.exec("rm -rf " + this.opts.bla); // NOT OK - but FN
 	}
+}
+
+function sanitizeShellString(str) {
+  let result = str;
+  result = result.replace(/>/g, "");
+  result = result.replace(/</g, "");
+  result = result.replace(/\*/g, "");
+  result = result.replace(/\?/g, "");
+  result = result.replace(/\[/g, "");
+  result = result.replace(/\]/g, "");
+  result = result.replace(/\|/g, "");
+  result = result.replace(/\`/g, "");
+  result = result.replace(/$/g, "");
+  result = result.replace(/;/g, "");
+  result = result.replace(/&/g, "");
+  result = result.replace(/\)/g, "");
+  result = result.replace(/\(/g, "");
+  result = result.replace(/\$/g, "");
+  result = result.replace(/#/g, "");
+  result = result.replace(/\\/g, "");
+  result = result.replace(/\n/g, "");
+  return result
+}
+
+module.exports.sanitizer2 = function (name) {
+  cp.exec("rm -rf " + name); // NOT OK
+
+  var sanitized = sanitizeShellString(name);
+  cp.exec("rm -rf " + sanitized); // OK
 }