hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-24 02:43:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add ExecTaintedLocal

Browse Source
This commit is contained in:
Ed Minnix
2023-04-13 22:58:46 -04:00
parent b39d5088de
commit aff299eafd
3 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll Normal file
View File

@@ -0,0 +1,27 @@
/** Provides a taint-tracking configuration to reason about use of externally controlled strings for command injection vulnerabilities. */
import java
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.security.ExternalProcess
private import semmle.code.java.security.CommandArguments
/** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
predicate isBarrier(DataFlow::Node node) {
node.getType() instanceof PrimitiveType
or
node.getType() instanceof BoxedType
or
isSafeCommandArgument(node.asExpr())
}
}
/**
* Taint-tracking flow for use of externally controlled strings to make command line commands.
*/
module LocalUserInputToArgumentToExecFlow =
TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;