Add ExecTaintedLocal

2026-04-30 19:26:02 +02:00 · 2023-04-13 22:58:46 -04:00
parent b39d5088de
commit aff299eafd
3 changed files with 30 additions and 1 deletions
--- a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
+++ b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -6,4 +6,5 @@ category: minorAnalysis
 * Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
 * Added the `XssLocalQuery.qll` library to provide the `XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
 * Added the `ExternallyControlledFormatStringLocalQuery.qll` library to provide the `ExternallyControlledFormatStringLocalFlow` taint-tracking module to reason about format string vulnerabilities caused by local data flow.
-* Added the `InsecureCookieQuery.qll` library to provide the `SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
+* Added the `InsecureCookieQuery.qll` library to provide the `SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
+* Added the `ExecTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToExecFlow` taint-tracking module to reason about command injection vulnerabilities caused by local data flow.
--- a/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll
@@ -0,0 +1,27 @@
+/** Provides a taint-tracking configuration to reason about use of externally controlled strings for command injection vulnerabilities. */
+
+import java
+private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.ExternalProcess
+private import semmle.code.java.security.CommandArguments
+
+/** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
+module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
+
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType
+    or
+    node.getType() instanceof BoxedType
+    or
+    isSafeCommandArgument(node.asExpr())
+  }
+}
+
+/**
+ * Taint-tracking flow for use of externally controlled strings to make command line commands.
+ */
+module LocalUserInputToArgumentToExecFlow =
+  TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;
--- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
@@ -12,6 +12,7 @@
 *       external/cwe/cwe-088
 */

+import java
 import semmle.code.java.security.CommandLineQuery
 import LocalUserInputToArgumentToExecFlow::PathGraph