add indirect command injection sink for a concatenated array

2026-04-30 11:15:13 +02:00 · 2020-02-06 18:09:08 +01:00
parent 180e9d4731
commit 8ea6070120
3 changed files with 25 additions and 12 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll
@@ -30,9 +30,7 @@ private DataFlow::Node commandArgument(SystemCommandExecution sys, DataFlow::Typ
  t.start() and
  result = sys.getACommandArgument()
  or
-  exists(DataFlow::TypeBackTracker t2 |
-    t = t2.smallstep(result, commandArgument(sys, t2))
-  )
+  exists(DataFlow::TypeBackTracker t2 | t = t2.smallstep(result, commandArgument(sys, t2)))
 }

 /**
@@ -43,9 +41,7 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::
  t.start() and
  result = sys.getArgumentList().getALocalSource()
  or
-  exists(DataFlow::TypeBackTracker t2 |
-    result = argumentList(sys, t2).backtrack(t2, t)
-  )
+  exists(DataFlow::TypeBackTracker t2 | result = argumentList(sys, t2).backtrack(t2, t))
 }

 /**
@@ -61,15 +57,29 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::
 * let args = ["-c", cmd];
 * childProcess.spawn(sh, args, cb);
 * ```
+ * or
+ * ```
+ * let cmd = getCommand();
+ * childProcess.spawn("cmd.exe", ["/c"].concat(cmd), cb);
+ * ```
 */
 predicate isIndirectCommandArgument(DataFlow::Node source, SystemCommandExecution sys) {
-  exists(
-    DataFlow::ArrayCreationNode args, DataFlow::Node shell, string dashC
-  |
+  exists(DataFlow::ArrayCreationNode args, DataFlow::Node shell, string dashC |
    shellCmd(shell.asExpr(), dashC) and
    shell = commandArgument(sys, DataFlow::TypeBackTracker::end()) and
-    args = argumentList(sys, DataFlow::TypeBackTracker::end()) and
    args.getAPropertyWrite().getRhs().mayHaveStringValue(dashC) and
-    source = args.getAPropertyWrite().getRhs()
+    (
+      args = argumentList(sys, DataFlow::TypeBackTracker::end()) and
+      source = args.getAPropertyWrite().getRhs()
+      or
+      exists(DataFlow::MethodCallNode concatCall |
+        args = concatCall.getReceiver() and
+        concatCall.getMethodName() = "concat" and
+        concatCall = argumentList(sys, DataFlow::TypeBackTracker::end())
+      |
+        source = concatCall.getAnArgument() or
+        source = concatCall.getAnArgument().getALocalSource().getAPropertyWrite().getRhs()
+      )
+    )
  )
 }
--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -168,7 +168,8 @@ edges
 | child_process-test.js:39:5:39:31 | cp.spaw ...  cmd ]) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:39:26:39:28 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:44:5:44:34 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:51:5:51:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:50:15:50:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
-| child_process-test.js:56:3:56:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| child_process-test.js:53:5:53:51 | cp.spaw ... (args)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:50:15:50:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| child_process-test.js:58:3:58:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command depends on $@. | execSeries.js:18:34:18:40 | req.url | a user-provided value |
 | other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-078/child_process-test.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/child_process-test.js
@@ -50,6 +50,8 @@ var server = http.createServer(function(req, res) {
    args[1] = cmd;
    cp.execFile(`/bin` + "/bash", args); // NOT OK

+    cp.spawn('cmd.exe', ['/C', 'foo'].concat(args)); // NOT OK
+
 });

 function run(cmd, args) {