Merge pull request #280 from github/hmac-cli-injection

Add CLI Injection query

ql/test/library-tests/frameworks/CommandExecution.rb

@@ -0,0 +1,90 @@
+`echo foo`
+%x(echo foo)
+%x{echo foo}
+%x[echo foo]
+%x/echo foo/
+
+system("echo foo")
+system("echo", "foo")
+system(["echo", "echo"], "foo")
+
+system({"FOO" => "BAR"}, "echo foo")
+system({"FOO" => "BAR"}, "echo", "foo")
+system({"FOO" => "BAR"}, ["echo", "echo"], "foo")
+
+system("echo foo", unsetenv_others: true)
+system("echo", "foo", unsetenv_others: true)
+system(["echo", "echo"], "foo", unsetenv_others: true)
+
+system({"FOO" => "BAR"}, "echo foo", unsetenv_others: true)
+system({"FOO" => "BAR"}, "echo", "foo", unsetenv_others: true)
+system({"FOO" => "BAR"}, ["echo", "echo"], "foo", unsetenv_others: true)
+
+exec("echo foo")
+exec("echo", "foo")
+exec(["echo", "echo"], "foo")
+
+exec({"FOO" => "BAR"}, "echo foo")
+exec({"FOO" => "BAR"}, "echo", "foo")
+exec({"FOO" => "BAR"}, ["echo", "echo"], "foo")
+
+exec("echo foo", unsetenv_others: true)
+exec("echo", "foo", unsetenv_others: true)
+exec(["echo", "echo"], "foo", unsetenv_others: true)
+
+exec({"FOO" => "BAR"}, "echo foo", unsetenv_others: true)
+exec({"FOO" => "BAR"}, "echo", "foo", unsetenv_others: true)
+exec({"FOO" => "BAR"}, ["echo", "echo"], "foo", unsetenv_others: true)
+
+spawn("echo foo")
+spawn("echo", "foo")
+spawn(["echo", "echo"], "foo")
+
+spawn({"FOO" => "BAR"}, "echo foo")
+spawn({"FOO" => "BAR"}, "echo", "foo")
+spawn({"FOO" => "BAR"}, ["echo", "echo"], "foo")
+
+spawn("echo foo", unsetenv_others: true)
+spawn("echo", "foo", unsetenv_others: true)
+spawn(["echo", "echo"], "foo", unsetenv_others: true)
+
+spawn({"FOO" => "BAR"}, "echo foo", unsetenv_others: true)
+spawn({"FOO" => "BAR"}, "echo", "foo", unsetenv_others: true)
+spawn({"FOO" => "BAR"}, ["echo", "echo"], "foo", unsetenv_others: true)
+
+Open3.popen3("echo foo")
+Open3.popen2("echo foo")
+Open3.popen2e("echo foo")
+Open3.capture3("echo foo")
+Open3.capture2("echo foo")
+Open3.capture2e("echo foo")
+Open3.pipeline_rw("echo foo", "grep bar")
+Open3.pipeline_r("echo foo", "grep bar")
+Open3.pipeline_w("echo foo", "grep bar")
+Open3.pipeline_start("echo foo", "grep bar")
+Open3.pipeline("echo foo", "grep bar")
+
+<<`EOF`
+echo foo
+EOF
+
+module MockSystem
+  def system(*args)
+    args
+  end
+
+  def self.system(*args)
+    args
+  end
+end
+
+class Foo
+  include MockSystem
+
+  def run
+    system("ls")
+    MockSystem.system("ls")
+  end
+end
+
+UnknownModule.system("ls")

ql/test/library-tests/frameworks/StandardLibrary.expected

@@ -0,0 +1,60 @@
+subshellLiteralExecutions
+| CommandExecution.rb:1:1:1:10 | `echo foo` |
+| CommandExecution.rb:2:1:2:12 | `echo foo` |
+| CommandExecution.rb:3:1:3:12 | `echo foo` |
+| CommandExecution.rb:4:1:4:12 | `echo foo` |
+| CommandExecution.rb:5:1:5:12 | `echo foo` |
+subshellHeredocExecutions
+| CommandExecution.rb:67:1:67:7 | <<`EOF` |
+kernelSystemCallExecutions
+| CommandExecution.rb:7:1:7:18 | call to system |
+| CommandExecution.rb:8:1:8:21 | call to system |
+| CommandExecution.rb:9:1:9:31 | call to system |
+| CommandExecution.rb:11:1:11:36 | call to system |
+| CommandExecution.rb:12:1:12:39 | call to system |
+| CommandExecution.rb:13:1:13:49 | call to system |
+| CommandExecution.rb:15:1:15:41 | call to system |
+| CommandExecution.rb:16:1:16:44 | call to system |
+| CommandExecution.rb:17:1:17:54 | call to system |
+| CommandExecution.rb:19:1:19:59 | call to system |
+| CommandExecution.rb:20:1:20:62 | call to system |
+| CommandExecution.rb:21:1:21:72 | call to system |
+kernelExecCallExecutions
+| CommandExecution.rb:23:1:23:16 | call to exec |
+| CommandExecution.rb:24:1:24:19 | call to exec |
+| CommandExecution.rb:25:1:25:29 | call to exec |
+| CommandExecution.rb:27:1:27:34 | call to exec |
+| CommandExecution.rb:28:1:28:37 | call to exec |
+| CommandExecution.rb:29:1:29:47 | call to exec |
+| CommandExecution.rb:31:1:31:39 | call to exec |
+| CommandExecution.rb:32:1:32:42 | call to exec |
+| CommandExecution.rb:33:1:33:52 | call to exec |
+| CommandExecution.rb:35:1:35:57 | call to exec |
+| CommandExecution.rb:36:1:36:60 | call to exec |
+| CommandExecution.rb:37:1:37:70 | call to exec |
+kernelSpawnCallExecutions
+| CommandExecution.rb:39:1:39:17 | call to spawn |
+| CommandExecution.rb:40:1:40:20 | call to spawn |
+| CommandExecution.rb:41:1:41:30 | call to spawn |
+| CommandExecution.rb:43:1:43:35 | call to spawn |
+| CommandExecution.rb:44:1:44:38 | call to spawn |
+| CommandExecution.rb:45:1:45:48 | call to spawn |
+| CommandExecution.rb:47:1:47:40 | call to spawn |
+| CommandExecution.rb:48:1:48:43 | call to spawn |
+| CommandExecution.rb:49:1:49:53 | call to spawn |
+| CommandExecution.rb:51:1:51:58 | call to spawn |
+| CommandExecution.rb:52:1:52:61 | call to spawn |
+| CommandExecution.rb:53:1:53:71 | call to spawn |
+open3CallExecutions
+| CommandExecution.rb:55:1:55:24 | call to popen3 |
+| CommandExecution.rb:56:1:56:24 | call to popen2 |
+| CommandExecution.rb:57:1:57:25 | call to popen2e |
+| CommandExecution.rb:58:1:58:26 | call to capture3 |
+| CommandExecution.rb:59:1:59:26 | call to capture2 |
+| CommandExecution.rb:60:1:60:27 | call to capture2e |
+open3PipelineCallExecutions
+| CommandExecution.rb:61:1:61:41 | call to pipeline_rw |
+| CommandExecution.rb:62:1:62:40 | call to pipeline_r |
+| CommandExecution.rb:63:1:63:40 | call to pipeline_w |
+| CommandExecution.rb:64:1:64:44 | call to pipeline_start |
+| CommandExecution.rb:65:1:65:38 | call to pipeline |

ql/test/library-tests/frameworks/StandardLibrary.ql

@@ -0,0 +1,15 @@
+import codeql.ruby.frameworks.StandardLibrary
+
+query predicate subshellLiteralExecutions(SubshellLiteralExecution e) { any() }
+
+query predicate subshellHeredocExecutions(SubshellHeredocExecution e) { any() }
+
+query predicate kernelSystemCallExecutions(KernelSystemCall c) { any() }
+
+query predicate kernelExecCallExecutions(KernelExecCall c) { any() }
+
+query predicate kernelSpawnCallExecutions(KernelSpawnCall c) { any() }
+
+query predicate open3CallExecutions(Open3Call c) { any() }
+
+query predicate open3PipelineCallExecutions(Open3PipelineCall c) { any() }

ql/test/query-tests/security/cwe-078/CommandInjection.expected

@@ -0,0 +1,33 @@
+edges
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:7:10:7:15 | #{...} |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:8:16:8:18 | cmd |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:10:14:10:16 | cmd |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:11:17:11:22 | #{...} |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:13:9:13:14 | #{...} |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:29:19:29:24 | #{...} |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:33:24:33:36 | "echo #{...}" |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:34:39:34:51 | "grep #{...}" |
+| CommandInjection.rb:46:15:46:20 | call to params :  | CommandInjection.rb:50:24:50:36 | "echo #{...}" |
+nodes
+| CommandInjection.rb:6:15:6:20 | call to params :  | semmle.label | call to params :  |
+| CommandInjection.rb:7:10:7:15 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:8:16:8:18 | cmd | semmle.label | cmd |
+| CommandInjection.rb:10:14:10:16 | cmd | semmle.label | cmd |
+| CommandInjection.rb:11:17:11:22 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:13:9:13:14 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:29:19:29:24 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:33:24:33:36 | "echo #{...}" | semmle.label | "echo #{...}" |
+| CommandInjection.rb:34:39:34:51 | "grep #{...}" | semmle.label | "grep #{...}" |
+| CommandInjection.rb:46:15:46:20 | call to params :  | semmle.label | call to params :  |
+| CommandInjection.rb:50:24:50:36 | "echo #{...}" | semmle.label | "echo #{...}" |
+subpaths
+#select
+| CommandInjection.rb:7:10:7:15 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:7:10:7:15 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:8:16:8:18 | cmd | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:8:16:8:18 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:10:14:10:16 | cmd | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:10:14:10:16 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:11:17:11:22 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:11:17:11:22 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:13:9:13:14 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:13:9:13:14 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:29:19:29:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:29:19:29:24 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:33:24:33:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:33:24:33:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:34:39:34:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:34:39:34:51 | "grep #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:50:24:50:36 | "echo #{...}" | CommandInjection.rb:46:15:46:20 | call to params :  | CommandInjection.rb:50:24:50:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:46:15:46:20 | call to params | a user-provided value |

ql/test/query-tests/security/cwe-078/CommandInjection.qlref

@@ -0,0 +1 @@
+queries/security/cwe-078/CommandInjection.ql

ql/test/query-tests/security/cwe-078/CommandInjection.rb

@@ -0,0 +1,52 @@
+require "shellwords"
+require "open3"
+
+class UsersController < ActionController::Base
+    def create
+        cmd = params[:cmd]
+        `#{cmd}`
+        system(cmd)
+        system("echo", cmd) # OK, because cmd is not shell interpreted
+        exec(cmd)
+        %x(echo #{cmd})
+        result = <<`EOF`
+        #{cmd}
+EOF
+
+        safe_cmd_1 = Shellwords.escape(cmd)
+        `echo #{safe_cmd_1}`
+
+        safe_cmd_2 = Shellwords.shellescape(cmd)
+        `echo #{safe_cmd_2}`
+
+        if cmd == "some constant"
+            `echo #{cmd}`
+        end
+
+        if %w(foo bar).include? cmd
+            `echo #{cmd}`
+        else
+            `echo #{cmd}`
+        end
+
+        # Open3 methods
+        Open3.capture2("echo #{cmd}")
+        Open3.pipeline("cat foo.txt", "grep #{cmd}")
+        Open3.pipeline(["echo", cmd], "tail") # OK, because cmd is not shell interpreted
+    end
+
+    def show
+        `ls`
+        system("ls")
+        exec("ls")
+        %x(ls)
+    end
+
+    def index
+        cmd = params[:key]
+        if %w(foo bar).include? cmd
+            `echo #{cmd}`
+        end
+        Open3.capture2("echo #{cmd}")
+    end
+end