diff --git a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
index 6ff8225baae..d8157fef64d 100644
--- a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
+++ b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -6,4 +6,5 @@ category: minorAnalysis
 * Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
 * Added the `XssLocalQuery.qll` library to provide the `XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
 * Added the `ExternallyControlledFormatStringLocalQuery.qll` library to provide the `ExternallyControlledFormatStringLocalFlow` taint-tracking module to reason about format string vulnerabilities caused by local data flow.
-* Added the `InsecureCookieQuery.qll` library to provide the `SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
\ No newline at end of file
+* Added the `InsecureCookieQuery.qll` library to provide the `SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
+* Added the `ExecTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToExecFlow` taint-tracking module to reason about command injection vulnerabilities caused by local data flow.
\ No newline at end of file
diff --git a/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll
new file mode 100644
index 00000000000..cb444372b72
--- /dev/null
+++ b/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll
@@ -0,0 +1,27 @@
+/** Provides a taint-tracking configuration to reason about use of externally controlled strings for command injection vulnerabilities. */
+
+import java
+private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.ExternalProcess
+private import semmle.code.java.security.CommandArguments
+
+/** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
+module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
+
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType
+    or
+    node.getType() instanceof BoxedType
+    or
+    isSafeCommandArgument(node.asExpr())
+  }
+}
+
+/**
+ * Taint-tracking flow for use of externally controlled strings to make command line commands.
+ */
+module LocalUserInputToArgumentToExecFlow =
+  TaintTracking::Global;
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
index e6d69a00557..08c230cb43a 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
@@ -12,6 +12,7 @@
  * external/cwe/cwe-088
  */
 
+import java
 import semmle.code.java.security.CommandLineQuery
 import LocalUserInputToArgumentToExecFlow::PathGraph
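Review bot: The flow module at the end of the new-file hunk reads `module LocalUserInputToArgumentToExecFlow = TaintTracking::Global;` with no configuration argument, which `TaintTracking::Global` requires; if the angle brackets were stripped when this page was rendered, confirm the committed file actually reads `TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;`, since otherwise the `LocalUserInputToArgumentToExecFlow::PathGraph` import in `ExecTaintedLocal.ql` cannot resolve. The `isBarrier` predicate would also benefit from a one-line comment on why its type clauses exist, e.g. `// Primitive and boxed values cannot carry an injected command string, so taint stops at them.`. The `isSafeCommandArgument` clause is presumably the `CommandArguments` library's notion of an argument that cannot change which command is run; stating that in the same comment saves the next reader a trip into that library.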