hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add Shellwords.escape as CLI injection sanitizer

Browse Source
This commit is contained in:
Harry Maclean
2021-09-03 11:12:10 +01:00
parent fe8fc0697b
commit 8f65d78cb5
3 changed files with 30 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll
View File

@@ -8,6 +8,7 @@ private import codeql.ruby.DataFlow
private import codeql.ruby.dataflow.RemoteFlowSources
private import codeql.ruby.Concepts
private import codeql.ruby.Frameworks
private import codeql.ruby.ApiGraphs
module CommandInjection {
/**
@@ -38,7 +39,17 @@ module CommandInjection {
/**
* A command argument to a function that initiates an operating system command.
*/
class SystemCommandExecutionSink extends Sink, DataFlow::Node {
class SystemCommandExecutionSink extends Sink {
SystemCommandExecutionSink() { this = any(SystemCommandExecution c).getAnArgument() }
}
/**
* A call to `Shellwords.escape` or `Shellwords.shellescape` sanitizes its input.
*/
class ShellwordsEscapeAsSanitizer extends Sanitizer {
ShellwordsEscapeAsSanitizer() {
this = API::getTopLevelMember("Shellwords").getAMethodCall("escape") or
this = API::getTopLevelMember("Shellwords").getAMethodCall("shellescape")
}
}
}

26
ql/test/query-tests/security/cwe-078/CommandInjection.expected
View File

@@ -1,16 +1,16 @@
edges
| CommandInjection.rb:3:15:3:20 | call to params : | CommandInjection.rb:4:10:4:15 | #{...} |
| CommandInjection.rb:3:15:3:20 | call to params : | CommandInjection.rb:5:16:5:18 | cmd |
| CommandInjection.rb:3:15:3:20 | call to params : | CommandInjection.rb:6:14:6:16 | cmd |
| CommandInjection.rb:3:15:3:20 | call to params : | CommandInjection.rb:7:12:7:17 | #{...} |
| CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:6:10:6:15 | #{...} |
| CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:7:16:7:18 | cmd |
| CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:8:14:8:16 | cmd |
| CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:9:17:9:22 | #{...} |
nodes
| CommandInjection.rb:3:15:3:20 | call to params : | semmle.label | call to params : |
| CommandInjection.rb:4:10:4:15 | #{...} | semmle.label | #{...} |
| CommandInjection.rb:5:16:5:18 | cmd | semmle.label | cmd |
| CommandInjection.rb:6:14:6:16 | cmd | semmle.label | cmd |
| CommandInjection.rb:7:12:7:17 | #{...} | semmle.label | #{...} |
| CommandInjection.rb:5:15:5:20 | call to params : | semmle.label | call to params : |
| CommandInjection.rb:6:10:6:15 | #{...} | semmle.label | #{...} |
| CommandInjection.rb:7:16:7:18 | cmd | semmle.label | cmd |
| CommandInjection.rb:8:14:8:16 | cmd | semmle.label | cmd |
| CommandInjection.rb:9:17:9:22 | #{...} | semmle.label | #{...} |
#select
| CommandInjection.rb:4:10:4:15 | #{...} | CommandInjection.rb:3:15:3:20 | call to params : | CommandInjection.rb:4:10:4:15 | #{...} | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
| CommandInjection.rb:5:16:5:18 | cmd | CommandInjection.rb:3:15:3:20 | call to params : | CommandInjection.rb:5:16:5:18 | cmd | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
| CommandInjection.rb:6:14:6:16 | cmd | CommandInjection.rb:3:15:3:20 | call to params : | CommandInjection.rb:6:14:6:16 | cmd | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
| CommandInjection.rb:7:12:7:17 | #{...} | CommandInjection.rb:3:15:3:20 | call to params : | CommandInjection.rb:7:12:7:17 | #{...} | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
| CommandInjection.rb:6:10:6:15 | #{...} | CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:6:10:6:15 | #{...} | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
| CommandInjection.rb:7:16:7:18 | cmd | CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:7:16:7:18 | cmd | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
| CommandInjection.rb:8:14:8:16 | cmd | CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:8:14:8:16 | cmd | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
| CommandInjection.rb:9:17:9:22 | #{...} | CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:9:17:9:22 | #{...} | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |

6
ql/test/query-tests/security/cwe-078/CommandInjection.rb
View File

@@ -1,10 +1,14 @@
require "shellwords"
class UsersController < ActionController::Base
def create
cmd = params[:cmd]
`#{cmd}`
system(cmd)
exec(cmd)
%x(#{cmd})
%x(echo #{cmd})
safe_cmd = Shellwords.escape(cmd)
`echo #{safe_cmd}`
end
def show