From 83ca4ef6d9dd36ed55262fd26df24663f74991c2 Mon Sep 17 00:00:00 2001 From: Asger Feldthaus Date: Tue, 5 Oct 2021 08:11:57 +0200 Subject: [PATCH] JS: Lower security-severity of queries with speculative threat model In the CVSS calculator we model this by setting 'Attack Complexity' to High and 'User Interaction' to Low (as opposed to None). CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N --- javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql | 2 +- .../Security/CWE-078/ShellCommandInjectionFromEnvironment.ql | 2 +- .../ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql | 2 +- javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql | 2 +- javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql b/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql index eb29b56cac3..7520a95ed9c 100644 --- a/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql +++ b/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql @@ -5,7 +5,7 @@ * command-line injection vulnerabilities. * @kind path-problem * @problem.severity warning - * @security-severity 9.8 + * @security-severity 6.3 * @precision medium * @id js/indirect-command-line-injection * @tags correctness diff --git a/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql b/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql index b4bd735d493..cad1039814c 100644 --- a/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql +++ b/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql @@ -4,7 +4,7 @@ * environment may cause subtle bugs or vulnerabilities. * @kind path-problem * @problem.severity warning - * @security-severity 9.8 + * @security-severity 6.3 * @precision high * @id js/shell-command-injection-from-environment * @tags correctness 
diff --git a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql index b0b22a96704..e29a75c1163 100644 --- a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql +++ b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql @@ -4,7 +4,7 @@ * user to change the meaning of the command. * @kind path-problem * @problem.severity error - * @security-severity 9.8 + * @security-severity 6.3 * @precision high * @id js/shell-command-constructed-from-input * @tags correctness diff --git a/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql b/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql index fd29399546a..e0678b4142b 100644 --- a/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql +++ b/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql @@ -3,7 +3,7 @@ * @description Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities. * @kind problem * @problem.severity error - * @security-severity 9.8 + * @security-severity 6.3 * @precision high * @id js/unnecessary-use-of-cat * @tags correctness diff --git a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql index 9a8ac7b4b73..772297dda63 100644 --- a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql +++ b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql @@ -3,7 +3,7 @@ * @description Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor. * @kind path-problem * @problem.severity warning - * @security-severity 9.8 + * @security-severity 6.3 * @precision medium * @id js/http-to-file-access * @tags security
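Review bot: The commit message and the CVSS vector disagree on which metric was relaxed, and this matters for the `@security-severity 6.3` value in the IndirectCommandInjection.ql hunk (and the four identical hunks that follow). The message says "'User Interaction' to Low (as opposed to None)", but the vector given is `CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N`, i.e. User Interaction stays None and it is Privileges Required that is set to Low; CVSS v3.0 has no "Low" value for User Interaction (only None and Required). The vector as written does evaluate to 6.3 with S:C, so the number in the hunk is right; please fix the wording in the commit message to say "Privileges Required" so the rationale matches the vector that produced the value.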
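Review bot: The rationale for the lowered severity is only recorded in the commit message, not in the query metadata or help, in the ShellCommandInjectionFromEnvironment.ql hunk (`- * @security-severity 9.8` / `+ * @security-severity 6.3`). The `@description` ("environment may cause subtle bugs or vulnerabilities") hints at the speculative threat model but does not say that the score assumes an attacker who already controls the process environment (AC:H, PR:L). Consider adding a sentence to the query's qhelp, or a comment next to the metadata, stating the assumed threat model so that the next person touching the severity does not bump it back to 9.8 without seeing why it was lowered.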
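Review bot: Please confirm that UnsafeShellCommandConstruction.ql belongs in the "speculative threat model" group, since its context lines describe a concrete attacker outcome (`* user to change the meaning of the command.`) and it keeps `@problem.severity error` and `@precision high`. A query whose description says untrusted input changes the meaning of a shell command reads more like a direct command-injection finding than a speculative one, so if the 6.3 is intended here the PR description should say why this query's attacker needs AC:H/PR:L rather than the AC:L/PR:N that produced the previous 9.8.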
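Review bot: Applying the single shared vector to UselessUseOfCat.ql is the weakest fit of the five, given its own `@description`: "unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities". The shared vector asserts a High integrity impact (I:H) with changed scope, which is a strong claim for a `@kind problem` query whose description treats the security impact as a possibility rather than the main finding. Either justify I:H for this query in the PR description or give it its own, lower vector; at minimum note in the commit message that all five queries deliberately share one vector regardless of their individual impact.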
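Review bot: The HttpToFileAccess.ql hunk lowers the score for a query whose `@description` states that the pattern "allows arbitrary file upload and might indicate a backdoor", and which is tagged `@tags security` rather than `correctness` like the other four. Arbitrary file upload from network data is normally reachable by an unauthenticated remote client, which does not obviously require the PR:L and AC:H assumptions behind 6.3, and the backdoor case is intentional hidden functionality (CWE-912) rather than a speculative weakness. Please spell out in the PR description why this CWE-912 query is treated the same way as the CWE-078 queries, or leave its severity out of this change and handle it separately.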