fix(query): Better identification of argument injection commands

This commit is contained in:
Alvaro Muñoz
2024-07-11 10:45:49 +02:00
parent 8d75250da7
commit adbb236465
5 changed files with 24 additions and 11 deletions


@@ -91,5 +91,8 @@ predicate untrustedEventPropertiesDataModel(string property, string kind) {
* - argument_group: capture group for the argument.
*/
predicate argumentInjectionSinksDataModel(string regexp, int command_group, int argument_group) {
Extensions::argumentInjectionSinksDataModel(regexp, command_group, argument_group)
exists(string sub_regexp |
Extensions::argumentInjectionSinksDataModel(sub_regexp, command_group, argument_group) and
regexp = ".*(^|;|\\$\\(|`|\\||&&)\\s*" + sub_regexp + "\\s*(;|\\||\\)|`|-|&&|$).*"
)
}
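Review bot: The wrapper built on the `regexp = ...` line opens with a capturing alternation for the separator, so every data-model row must now number its groups starting from 2 rather than 1 — an implicit contract that the predicate's doc comment (which begins above the hunk) does not state. Changing both separator alternations from `(` to non-capturing `(?:` would let rows keep their natural group numbering; otherwise add a line to the comment such as `* Note: the wrapping regexp adds one leading capture group, so group indices in the data model are offset by one.` The leading separator list accepts `&&` but not `||`, so a command following `||` would presumably not be recognised. Also, `^` and `$` anchor to the whole string being matched, so unless the run script is matched line by line, a command on an interior line of a multi-line script is found only via the other separators — worth confirming against how the consumer applies this regexp.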


@@ -4,5 +4,5 @@ extensions:
extensible: argumentInjectionSinksDataModel
# https://gtfobins.github.io/
data:
- [".*(sed) (.*)", 1, 2]
- ["(sed)(.*?)", 2, 3]
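Review bot: The new row `["(sed)(.*?)", 2, 3]` uses a lazy `(.*?)` for the argument group, and because the wrapper's terminator alternation includes `-`, that group can match the empty string as soon as whitespace and a dash follow the command name, e.g. `sed -e "s/FOO/$TITLE/g"`. If the tainted expression has to fall inside the argument group to be reported, option-bearing invocations (`sed -i`, `sed -e`) would plausibly go unflagged, though that depends on how the capture is consumed. The test workflow only exercises `sed` without options, so this is not covered; a case such as `- run: sed -i "s/FOO/$TITLE/g" file` in the test workflow would settle it either way.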


@@ -10,10 +10,10 @@ jobs:
env:
TITLE: ${{github.event.issue.title}}
steps:
- run: |
echo "s/FOO/$TITLE/g"
- run: |
sed "s/FOO/$TITLE/g"
- run: echo "s/FOO/$TITLE/g"
- run: sed "s/FOO/$TITLE/g"
- run: echo "foo" | sed "s/FOO/$TITLE/g" > bar
- run: echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
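Review bot: All cases shown invoke `sed` either as the first word of a `run:` script or directly after `|` / `$(`, so nothing exercises a command following `;` or `&&`, or one placed on an interior line of a multi-line `run: |` block, which are separators the sink regexp is written to accept. Adding e.g. `- run: echo start; sed "s/FOO/$TITLE/g"` and a multi-line block whose `sed` is on the second line would pin down the `^`/`$` anchoring of the wrapper. Which of these lines are added versus removed is not fully recoverable from the rendered page, so this is based on the lines as displayed.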


@@ -1,8 +1,14 @@
edges
| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | provenance | |
| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | |
| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | |
| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | |
nodes
| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title |
| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | semmle.label | sed "s/FOO/$TITLE/g"\n |
| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" |
| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar |
| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) |
subpaths
#select
| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | sed |
| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | sed |
| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | sed |
| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | Potential argument injection in $@ command, which may be controlled by an external user. | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | sed |


@@ -1,7 +1,11 @@
edges
| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | provenance | |
| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | provenance | |
| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | provenance | |
| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | provenance | |
nodes
| .github/workflows/arg_injection.yml:11:15:11:43 | github.event.issue.title | semmle.label | github.event.issue.title |
| .github/workflows/arg_injection.yml:15:14:16:31 | sed "s/FOO/$TITLE/g"\n | semmle.label | sed "s/FOO/$TITLE/g"\n |
| .github/workflows/arg_injection.yml:14:14:14:33 | sed "s/FOO/$TITLE/g" | semmle.label | sed "s/FOO/$TITLE/g" |
| .github/workflows/arg_injection.yml:15:14:15:52 | echo "foo" \| sed "s/FOO/$TITLE/g" > bar | semmle.label | echo "foo" \| sed "s/FOO/$TITLE/g" > bar |
| .github/workflows/arg_injection.yml:16:14:16:60 | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) | semmle.label | echo $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar) |
subpaths
#select