Merge pull request #12685 from atorralba/atorralba/java/command-injection-mad

Java: Add command-injection sink kind and refactor command injection queries
2026-04-28 02:05:14 +02:00 · 2023-04-13 11:38:14 +02:00
parent 2d2d32a3f6 3102199a69
commit d7feaf4098
7 changed files with 127 additions and 98 deletions
--- a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -13,14 +13,12 @@
 */

 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.ExternalProcess
 import semmle.code.java.security.CommandLineQuery
 import RemoteUserInputToArgumentToExecFlow::PathGraph

 from
  RemoteUserInputToArgumentToExecFlow::PathNode source,
-  RemoteUserInputToArgumentToExecFlow::PathNode sink, ArgumentToExec execArg
+  RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
 where execIsTainted(source, sink, execArg)
 select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
  "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
@@ -12,35 +12,12 @@
 *       external/cwe/cwe-088
 */

-import semmle.code.java.Expr
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.ExternalProcess
-import semmle.code.java.security.CommandArguments
-
-module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
-
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
-
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
-    or
-    isSafeCommandArgument(node.asExpr())
-  }
-}
-
-module LocalUserInputToArgumentToExecFlow =
-  TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;
-
+import semmle.code.java.security.CommandLineQuery
 import LocalUserInputToArgumentToExecFlow::PathGraph

 from
  LocalUserInputToArgumentToExecFlow::PathNode source,
-  LocalUserInputToArgumentToExecFlow::PathNode sink, ArgumentToExec execArg
-where
-  LocalUserInputToArgumentToExecFlow::flowPath(source, sink) and
-  sink.getNode().asExpr() = execArg
-select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
-  "user-provided value"
+  LocalUserInputToArgumentToExecFlow::PathNode sink
+where LocalUserInputToArgumentToExecFlow::flowPath(source, sink)
+select sink.getNode().asExpr(), source, sink, "This command line depends on a $@.",
+  source.getNode(), "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
@@ -13,7 +13,6 @@
 */

 import java
-import semmle.code.java.security.ExternalProcess
 import semmle.code.java.security.CommandLineQuery

 /**
--- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
@@ -13,16 +13,14 @@
 */

 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.ExternalProcess
 import semmle.code.java.security.CommandLineQuery
-import JSchOSInjection
 import RemoteUserInputToArgumentToExecFlow::PathGraph
+import JSchOSInjection

 // This is a clone of query `java/command-line-injection` that also includes experimental sinks.
 from
  RemoteUserInputToArgumentToExecFlow::PathNode source,
-  RemoteUserInputToArgumentToExecFlow::PathNode sink, ArgumentToExec execArg
+  RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
 where execIsTainted(source, sink, execArg)
 select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
  "user-provided value"