hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 12:45:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #280 from github/hmac-cli-injection

Browse Source 
Add CLI Injection query
This commit is contained in:
Harry Maclean
2021-09-20 08:54:01 +01:00
committed by GitHub
parent 36289aa9d9 739661eb10
commit 916b844557
14 changed files with 688 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
ql/test/query-tests/security/cwe-078/CommandInjection.expected Normal file
View File

@@ -0,0 +1,33 @@
edges
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:7:10:7:15 | #{...} |
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:8:16:8:18 | cmd |
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:10:14:10:16 | cmd |
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:11:17:11:22 | #{...} |
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:13:9:13:14 | #{...} |
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:29:19:29:24 | #{...} |
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:33:24:33:36 | "echo #{...}" |
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:34:39:34:51 | "grep #{...}" |
| CommandInjection.rb:46:15:46:20 | call to params : | CommandInjection.rb:50:24:50:36 | "echo #{...}" |
nodes
| CommandInjection.rb:6:15:6:20 | call to params : | semmle.label | call to params : |
| CommandInjection.rb:7:10:7:15 | #{...} | semmle.label | #{...} |
| CommandInjection.rb:8:16:8:18 | cmd | semmle.label | cmd |
| CommandInjection.rb:10:14:10:16 | cmd | semmle.label | cmd |
| CommandInjection.rb:11:17:11:22 | #{...} | semmle.label | #{...} |
| CommandInjection.rb:13:9:13:14 | #{...} | semmle.label | #{...} |
| CommandInjection.rb:29:19:29:24 | #{...} | semmle.label | #{...} |
| CommandInjection.rb:33:24:33:36 | "echo #{...}" | semmle.label | "echo #{...}" |
| CommandInjection.rb:34:39:34:51 | "grep #{...}" | semmle.label | "grep #{...}" |
| CommandInjection.rb:46:15:46:20 | call to params : | semmle.label | call to params : |
| CommandInjection.rb:50:24:50:36 | "echo #{...}" | semmle.label | "echo #{...}" |
subpaths
#select
| CommandInjection.rb:7:10:7:15 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:7:10:7:15 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:8:16:8:18 | cmd | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:8:16:8:18 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:10:14:10:16 | cmd | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:10:14:10:16 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:11:17:11:22 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:11:17:11:22 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:13:9:13:14 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:13:9:13:14 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:29:19:29:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:29:19:29:24 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:33:24:33:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:33:24:33:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:34:39:34:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:34:39:34:51 | "grep #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
| CommandInjection.rb:50:24:50:36 | "echo #{...}" | CommandInjection.rb:46:15:46:20 | call to params : | CommandInjection.rb:50:24:50:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:46:15:46:20 | call to params | a user-provided value |

1
ql/test/query-tests/security/cwe-078/CommandInjection.qlref Normal file
View File

@@ -0,0 +1 @@
queries/security/cwe-078/CommandInjection.ql

52
ql/test/query-tests/security/cwe-078/CommandInjection.rb Normal file
View File

@@ -0,0 +1,52 @@
require "shellwords"
require "open3"
class UsersController < ActionController::Base
def create
cmd = params[:cmd]
`#{cmd}`
system(cmd)
system("echo", cmd) # OK, because cmd is not shell interpreted
exec(cmd)
%x(echo #{cmd})
result = <<`EOF`
#{cmd}
EOF
safe_cmd_1 = Shellwords.escape(cmd)
`echo #{safe_cmd_1}`
safe_cmd_2 = Shellwords.shellescape(cmd)
`echo #{safe_cmd_2}`
if cmd == "some constant"
`echo #{cmd}`
end
if %w(foo bar).include? cmd
`echo #{cmd}`
else
`echo #{cmd}`
end
# Open3 methods
Open3.capture2("echo #{cmd}")
Open3.pipeline("cat foo.txt", "grep #{cmd}")
Open3.pipeline(["echo", cmd], "tail") # OK, because cmd is not shell interpreted
end
def show
`ls`
system("ls")
exec("ls")
%x(ls)
end
def index
cmd = params[:key]
if %w(foo bar).include? cmd
`echo #{cmd}`
end
Open3.capture2("echo #{cmd}")
end
end