hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

[DIFF-INFORMED] Actions: ArgumentInjection

Browse Source 
Query:
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql#L23
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql#L27
This commit is contained in:
Nora Dimitrijević
2025-07-15 11:46:59 +02:00
parent ec605b2c95
commit 896819fdf3
2 changed files with 22 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
View File

@@ -1,6 +1,7 @@
private import actions
private import codeql.actions.TaintTracking
private import codeql.actions.dataflow.ExternalFlow
private import codeql.actions.security.ControlChecks
import codeql.actions.dataflow.FlowSources
import codeql.actions.DataFlow
@@ -65,6 +66,16 @@ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink {
override string getCommand() { result = "unknown" }
}
/**
* Gets the event that is relevant for the given node in the context of argument injection.
*
* This is used to highlight the event in the query results when an alert is raised.
*/
Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
inPrivilegedContext(node.asExpr(), result) and
not exists(ControlCheck check | check.protects(node.asExpr(), result, "argument-injection"))
}
/**
* A taint-tracking configuration for unsafe user input
* that is used to construct and evaluate a code script.
@@ -88,6 +99,16 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
)
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
result = getRelevantEventInPrivilegedContext(sink).getLocation()
}
}
/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */

5
actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
View File

@@ -20,10 +20,7 @@ import codeql.actions.security.ControlChecks
from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink, Event event
where
ArgumentInjectionFlow::flowPath(source, sink) and
inPrivilegedContext(sink.getNode().asExpr(), event) and
not exists(ControlCheck check |
check.protects(sink.getNode().asExpr(), event, "argument-injection")
)
event = getRelevantEventInPrivilegedContext(sink.getNode())
select sink.getNode(), source, sink,
"Potential argument injection in $@ command, which may be controlled by an external user ($@).",
sink, sink.getNode().(ArgumentInjectionSink).getCommand(), event, event.getName()