Formatting

This commit is contained in:
Tony Torralba
2023-08-01 09:35:25 +02:00
parent 3bc7cf6ac7
commit b5d08ade59
3 changed files with 12 additions and 13 deletions


@@ -17,10 +17,9 @@ import ExecUserFlow::PathGraph
class RemoteSource extends Source instanceof RemoteFlowSource { }
from
ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink,
MethodAccess call, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd
where
callIsTaintedByUserInputAndDangerousCommand(call, source, sink, sourceCmd, sinkCmd)
ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, MethodAccess call,
DataFlow::Node sourceCmd, DataFlow::Node sinkCmd
where callIsTaintedByUserInputAndDangerousCommand(call, source, sink, sourceCmd, sinkCmd)
select sink, source, sink,
"Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()


@@ -89,9 +89,7 @@ deprecated class ExecTaintConfiguration2 extends TaintTracking::Configuration {
}
module ExecUserFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof Source
}
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) {
exists(RuntimeExecMethod method, MethodAccess call |
@@ -155,7 +153,10 @@ class UnSafeExecutable extends string {
}
}
predicate callIsTaintedByUserInputAndDangerousCommand(MethodAccess call, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd) {
predicate callIsTaintedByUserInputAndDangerousCommand(
MethodAccess call, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink,
DataFlow::Node sourceCmd, DataFlow::Node sinkCmd
) {
call.getMethod() instanceof RuntimeExecMethod and
// this is a command-accepting call to exec, e.g. rt.exec(new String[]{"/bin/sh", ...})
(
@@ -167,4 +168,4 @@ predicate callIsTaintedByUserInputAndDangerousCommand(MethodAccess call, ExecUse
ExecUserFlow::flowPath(source, sink) and
sink.getNode().asExpr() = call.getArgument(0)
)
}
}


@@ -18,10 +18,9 @@ import ExecUserFlow::PathGraph
class LocalSource extends Source instanceof LocalUserInput { }
from
ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink,
MethodAccess call, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd
where
callIsTaintedByUserInputAndDangerousCommand(call, source, sink, sourceCmd, sinkCmd)
ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, MethodAccess call,
DataFlow::Node sourceCmd, DataFlow::Node sinkCmd
where callIsTaintedByUserInputAndDangerousCommand(call, source, sink, sourceCmd, sinkCmd)
select sink, source, sink,
"Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()