Java: Deprecate the local content of CommandLineQuery and remove the exec tainted local query variant.

2026-04-26 17:25:19 +02:00 · 2024-04-30 14:04:54 +02:00
parent 072f19008a
commit 85a4dd0325
10 changed files with 31 additions and 53 deletions
--- a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -14,11 +14,10 @@

 import java
 import semmle.code.java.security.CommandLineQuery
-import RemoteUserInputToArgumentToExecFlow::PathGraph
+import InputToArgumentToExecFlow::PathGraph

 from
-  RemoteUserInputToArgumentToExecFlow::PathNode source,
-  RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
+  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
 where execIsTainted(source, sink, execArg)
 select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
  "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="ExecTainted.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
@@ -1,27 +0,0 @@
-/**
- * @name Local-user-controlled command line
- * @description Using externally controlled strings in a command line is vulnerable to malicious
- *              changes in the strings.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 9.8
- * @precision medium
- * @id java/command-line-injection-local
- * @tags security
- *       external/cwe/cwe-078
- *       external/cwe/cwe-088
- */
-
-import java
-import semmle.code.java.security.CommandLineQuery
-import semmle.code.java.security.ExternalProcess
-import LocalUserInputToArgumentToExecFlow::PathGraph
-
-from
-  LocalUserInputToArgumentToExecFlow::PathNode source,
-  LocalUserInputToArgumentToExecFlow::PathNode sink, Expr e
-where
-  LocalUserInputToArgumentToExecFlow::flowPath(source, sink) and
-  argumentToExec(e, sink.getNode())
-select e, source, sink, "This command line depends on a $@.", source.getNode(),
-  "user-provided value"
--- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
@@ -14,7 +14,7 @@

 import java
 import semmle.code.java.security.CommandLineQuery
-import RemoteUserInputToArgumentToExecFlow::PathGraph
+import InputToArgumentToExecFlow::PathGraph
 private import semmle.code.java.dataflow.ExternalFlow

 private class ActivateModels extends ActiveExperimentalModels {
@@ -23,8 +23,7 @@ private class ActivateModels extends ActiveExperimentalModels {

 // This is a clone of query `java/command-line-injection` that also includes experimental sinks.
 from
-  RemoteUserInputToArgumentToExecFlow::PathNode source,
-  RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
+  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
 where execIsTainted(source, sink, execArg)
 select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
  "user-provided value"