Initial commit
@@ -0,0 +1,50 @@
|
||||
/**
|
||||
* Provides classes and predicates for reasoning about system
|
||||
* commands built from user-controlled sources (that is, command injection
|
||||
* vulnerabilities).
|
||||
*/
|
||||
|
||||
import swift
|
||||
import codeql.swift.dataflow.DataFlow
|
||||
import codeql.swift.dataflow.ExternalFlow
|
||||
|
||||
/**
|
||||
* A dataflow sink for command injection vulnerabilities.
|
||||
*/
|
||||
abstract class CommandInjectionSink extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A barrier for command injection vulnerabilities.
|
||||
*/
|
||||
abstract class CommandInjectionBarrier extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A unit class for adding additional flow steps.
|
||||
*/
|
||||
class CommandInjectionAdditionalFlowStep extends Unit {
|
||||
/**
|
||||
* Holds if the step from `node1` to `node2` should be considered a flow
|
||||
* step for paths related to command injection vulnerabilities.
|
||||
*/
|
||||
abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
|
||||
}
|
||||
|
||||
/** An expression of type `Process`. */
|
||||
private class ProcessRef extends Expr {
|
||||
ProcessRef() {
|
||||
this.getType() instanceof ProcessType or
|
||||
this.getType() = any(OptionalType t | t.getBaseType() instanceof ProcessType)
|
||||
}
|
||||
}
|
||||
|
||||
/** The type `Process`. */
|
||||
private class ProcessType extends NominalType {
|
||||
ProcessType() { this.getFullName() = "Process" }
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink defined in a CSV model.
|
||||
*/
|
||||
private class DefaultCommandInjectionSink extends CommandInjectionSink {
|
||||
DefaultCommandInjectionSink() { sinkNode(this, "command-injection") }
|
||||
}
|
||||
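Review bot: `ProcessRef` is private and nothing in this 50-line file refers to it, and `ProcessType` is used only by `ProcessRef`, so both classes are dead code as committed. The only sink class is `DefaultCommandInjectionSink`, which relies entirely on `sinkNode(this, "command-injection")`. If sinks on members of `Process` were intended, they are not wired in here, so those writes are covered only if the CSV models list them. Either add the sink class that uses `ProcessRef` or drop the two classes until it exists. Separately, the QLDoc on `step` names `node1` and `node2` while the parameters are `nodeFrom` and `nodeTo`, so the comment should use the parameter names.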
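--- a/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll
@@ -0,0 +1,27 @@
+/**
+* Provides a taint-tracking configuration for reasoning about system
+* commands built from user-controlled sources (that is, Command injection
+* vulnerabilities).
+*/
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSources
+import codeql.swift.security.CommandInjectionExtensions
+
+/**
+* A taint configuration for tainted data that reaches a Command Injection sink.
+*/
+module CommandInjectionConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
+
+predicate isSink(DataFlow::Node node) { node instanceof CommandInjectionSink }
+
+predicate isBarrier(DataFlow::Node barrier) { barrier instanceof CommandInjectionBarrier }
+}
+
+/**
+* Detect taint flow of tainted data that reaches a Command Injection sink.
+*/
+module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;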
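Review bot: `CommandInjectionConfig` defines `isSource`, `isSink` and `isBarrier` but no `isAdditionalFlowStep`, so the `CommandInjectionAdditionalFlowStep` class declared in the first file of this commit is never consulted. Any step a subclass contributes is silently ignored, which shows up as missed command-injection results rather than as an error. Add `predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo) }` to the module. A test case that depends on an additional step would keep the hook from regressing.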