PS: Add more injetion sinks and type models.
@@ -2,3 +2,6 @@
* Helper file that imports all framework modeling.
*/
import semmle.code.powershell.frameworks.SystemManagementAutomationRunspaces.Runspaces
import semmle.code.powershell.frameworks.SystemManagementAutomationPowerShell.PowerShell
import semmle.code.powershell.frameworks.SystemManagementAutomationEngineIntrinsics.EngineIntrinsics
@@ -13,6 +13,9 @@ private import internal.DataFlowPrivate
private module Summaries {
private import semmle.code.powershell.Frameworks
private import semmle.code.powershell.frameworks.data.ModelsAsData
import RunspaceFactory
import PowerShell
import EngineIntrinsics
}
/** A callable with a flow summary, identified by a unique string. */
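--- /dev/null
+++ b/PATH_NOT_SHOWN/EngineIntrinsics.qll
@@ -0,0 +1,12 @@
+import powershell
+import semmle.code.powershell.frameworks.data.internal.ApiGraphModels
+private import semmle.code.powershell.dataflow.internal.DataFlowPublic as DataFlow
+
+module EngineIntrinsics {
+  private class EngineIntrinsicsGlobalEntry extends ModelInput::TypeModel {
+    override DataFlow::Node getASource(string type) {
+      type = "System.Management.Automation.EngineIntrinsics" and
+      result.asExpr().getExpr().(VarReadAccess).getUserPath().toLowerCase() = "executioncontext"
+    }
+  }
+}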
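Review bot: Neither the EngineIntrinsics module nor EngineIntrinsicsGlobalEntry carries a QLDoc comment, although the library's convention is visible at the `/** A callable with a flow summary … */` line of the Summaries hunk; a line such as `/** Models `$ExecutionContext` as an instance of `System.Management.Automation.EngineIntrinsics`. */` above the class would say why `getUserPath()` is compared with `"executioncontext"`. That comment should also state that the `toLowerCase()` call is what makes the match case-insensitive, which is the behaviour PowerShell variable names have. Whether `getUserPath()` already strips a scope qualifier such as `$global:ExecutionContext` is not visible here; if it does not, that spelling is silently missed and a follow-up note on the predicate should record it.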
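--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,12 @@
+extensions:
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: sinkModel
+    data:
+      - ["System.Management.Automation.CommandInvocationIntrinsics", "Method[ExpandString].Argument[0]", "command-injection"]
+
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: typeModel
+    data:
+      - ["System.Management.Automation.CommandInvocationIntrinsics","System.Management.Automation.EngineIntrinsics","Member[InvokeCommand]"]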
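Review bot: The only sink modelled on CommandInvocationIntrinsics is `Method[ExpandString].Argument[0]`; the same object's `InvokeScript` overloads that take the script text as their first argument are, unless they are modelled in a file outside this commit, a gap that `- ["System.Management.Automation.CommandInvocationIntrinsics", "Method[InvokeScript].Argument[0]", "command-injection"]` would close. `ExpandString` itself is a sound command-injection sink because subexpressions inside the expanded string are evaluated. The type row reaches CommandInvocationIntrinsics only through `Member[InvokeCommand]` on EngineIntrinsics, so `$ExecutionContext.InvokeCommand` is the single entry point, which is consistent with the EngineIntrinsics type model added in this commit.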
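--- /dev/null
+++ b/PATH_NOT_SHOWN/PowerShell.qll
@@ -0,0 +1,12 @@
+import powershell
+import semmle.code.powershell.frameworks.data.internal.ApiGraphModels
+private import semmle.code.powershell.dataflow.internal.DataFlowPublic as DataFlow
+
+module PowerShell {
+  private class PowerShellGlobalEntry extends ModelInput::TypeModel {
+    override DataFlow::Node getASource(string type) {
+      type = "System.Management.Automation.PowerShell!" and
+      result.asExpr().getExpr().(TypeNameExpr).getName().toLowerCase() = "powershell"
+    }
+  }
+}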
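Review bot: The match `getName().toLowerCase() = "powershell"` keys on the bare type name, so whether `[System.Management.Automation.PowerShell]` written with its namespace is also recognised depends on what `TypeNameExpr.getName()` returns for a qualified name, which is not visible in this hunk; if it returns the qualified text, comparing only its last `.`-separated component, or accepting both spellings, would be the fix. The same pattern is used by RunspaceFactoryGlobalEntry in the Runspaces file of this commit, so any change should be mirrored there. A QLDoc line such as `/** The static type `[PowerShell]`, the entry point for `PowerShell.Create()`. */` would also record why the `!` suffix on the type string, which this commit uses for static types, is intended here.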
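--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: sinkModel
+    data:
+      - ["System.Management.Automation.PowerShell", "Method[AddScript].Argument[0]", "command-injection"]
+      - ["System.Management.Automation.ScriptBlock!", "Method[Create].Argument[0]", "command-injection"]
+
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: typeModel
+    data:
+      - ["System.Management.Automation.PowerShell","System.Management.Automation.PowerShell!","Method[Create].ReturnValue"]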
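Review bot: The row `- ["System.Management.Automation.ScriptBlock!", "Method[Create].Argument[0]", "command-injection"]` is also the sole row of the separate six-line ScriptBlock model file added later in this commit, so the sink is declared twice; keep it in one place, most naturally the ScriptBlock file, since it is not specific to the PowerShell class. Duplicate rows do not change results today but drift apart the first time one copy is edited. The `Method[AddScript].Argument[0]` sink and the `Method[Create].ReturnValue` type row line up with the `PowerShell!` static entry point modelled in the PowerShell.qll hunk.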
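--- /dev/null
+++ b/PATH_NOT_SHOWN/Runspaces.qll
@@ -0,0 +1,12 @@
+import powershell
+import semmle.code.powershell.frameworks.data.internal.ApiGraphModels
+private import semmle.code.powershell.dataflow.internal.DataFlowPublic as DataFlow
+
+module RunspaceFactory {
+  private class RunspaceFactoryGlobalEntry extends ModelInput::TypeModel {
+    override DataFlow::Node getASource(string type) {
+      type = "System.Management.Automation.Runspaces.RunspaceFactory!" and
+      result.asExpr().getExpr().(TypeNameExpr).getName().toLowerCase() = "runspacefactory"
+    }
+  }
+}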
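Review bot: The module is named RunspaceFactory but the file is imported as `semmle.code.powershell.frameworks.SystemManagementAutomationRunspaces.Runspaces` in the Frameworks hunk, whereas the other two new files (PowerShell, EngineIntrinsics) name module and file alike; either rename the module to match the file or add a QLDoc line such as `/** Models the `System.Management.Automation.Runspaces` namespace; currently only the static `[RunspaceFactory]` type. */` so the asymmetry is deliberate rather than accidental. The class uses the same bare-name comparison as PowerShellGlobalEntry, so the qualified-type-name question raised on that hunk applies here as well.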
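--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: sinkModel
+    data:
+      - ["System.Management.Automation.Runspaces.Runspace", "Method[CreateNestedPipeline].Argument[0]", "command-injection"]
+      - ["System.Management.Automation.Runspaces.Runspace", "Method[CreatePipeline].Argument[0]", "command-injection"]
+
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: typeModel
+    data:
+      - ["System.Management.Automation.Runspaces.Runspace","System.Management.Automation.Runspaces.RunspaceFactory!","Method[CreateRunspace].ReturnValue"]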
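Review bot: The Runspace type is reached only through `RunspaceFactory!` `Method[CreateRunspace].ReturnValue`, so a runspace obtained another way — the `Runspace` property of a PowerShell instance, or the static `Runspace.DefaultRunspace` — is never typed and the two `CreatePipeline`/`CreateNestedPipeline` sinks do not fire on it; if those paths are intended, a row such as `- ["System.Management.Automation.Runspaces.Runspace","System.Management.Automation.PowerShell","Member[Runspace]"]` covers the first. Whether a `Runspace!` static type model already exists elsewhere is not visible in this commit. `CreatePipeline` also has a two-argument overload whose first argument is still the command text, so `Argument[0]` covers both overloads.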
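--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: sinkModel
+    data:
+      - ["System.Management.Automation.ScriptBlock!", "Method[Create].Argument[0]", "command-injection"]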
@@ -3,7 +3,7 @@ extensions:
pack: microsoft-sdl/powershell-all
extensible: sourceModel
data:
- ["System.Net.Sockets.TcpClient", "Instance.Method[GetStream].ReturnValue", "remote"]
- ["System.Net.Sockets.UpdClient", "Instance.Method[EndReceive].ReturnValue", "remote"]
- ["System.Net.Sockets.UpdClient", "Instance.Method[Receive].ReturnValue", "remote"]
- ["System.Net.Sockets.UpdClient", "Instance.Method[ReceiveAsync].ReturnValue", "remote"]
- ["System.Net.Sockets.TcpClient", "Method[GetStream].ReturnValue", "remote"]
- ["System.Net.Sockets.UpdClient", "Method[EndReceive].ReturnValue", "remote"]
- ["System.Net.Sockets.UpdClient", "Method[Receive].ReturnValue", "remote"]
- ["System.Net.Sockets.UpdClient", "Method[ReceiveAsync].ReturnValue", "remote"]
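Review bot: The three `System.Net.Sockets.UpdClient` rows on the new side spell the type wrong; the .NET class is `System.Net.Sockets.UdpClient`, so these source rows never match anything and the results of `EndReceive`, `Receive` and `ReceiveAsync` are never treated as remote input. The typo is inherited from the old rows, but since this hunk rewrites them anyway it should fix it, e.g. `- ["System.Net.Sockets.UdpClient", "Method[Receive].ReturnValue", "remote"]` and likewise for the other two. Which rows are old and which are new is not marked on this rendered page, but the misspelling appears on both sides.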
@@ -48,6 +48,15 @@ module CommandInjection {
}
}
class AddTypeSink extends Sink {
AddTypeSink() {
exists(DataFlow::CallNode call |
call.getName() = "Add-Type" and
call.getAnArgument() = this
)
}
}
private class ExternalCommandInjectionSink extends Sink {
ExternalCommandInjectionSink() {
this = ModelOutput::getASinkNode("command-injection").asSink()
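Review bot: AddTypeSink treats every argument of `Add-Type` as a command-injection sink through `call.getAnArgument() = this`, which includes parameters such as `-Name`, `-Namespace` or `-Language` that carry no code; unless the over-approximation is deliberate, restricting it to the code-carrying parameters (`-TypeDefinition`, `-MemberDefinition`, and `-Path`/`-LiteralPath` for source files) would cut false positives, though how named parameters are addressed on DataFlow::CallNode is not visible in this hunk. The class is also public and undocumented while its neighbour ExternalCommandInjectionSink is private; either write `private class AddTypeSink extends Sink {` or give it a QLDoc line such as `/** An argument of `Add-Type` that is compiled as source code. */`. The enclosing module CommandInjection and the Sink class it extends start outside the hunk.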