remove FPs related to parameters that are meant to be commands

2025-12-20 18:56:32 +01:00 · 2023-02-02 16:59:27 +01:00
parent e9ebba3350
commit ef44cb86c2
2 changed files with 8 additions and 2 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -21,7 +21,10 @@ module UnsafeShellCommandConstruction {

  /** An input parameter to a gem seen as a source. */
  private class LibraryInputAsSource extends Source instanceof DataFlow::ParameterNode {
-    LibraryInputAsSource() { this = Setuptools::getALibraryInput() }
+    LibraryInputAsSource() {
+      this = Setuptools::getALibraryInput() and
+      not this.getParameter().getName().matches(["cmd%", "command%", "%_command", "%_cmd"])
+    }
  }

  /** A sink for shell command constructed from library input vulnerabilities. */
--- a/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py
+++ b/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py
@@ -43,4 +43,7 @@ def subprocess_flag (name):

    indirect(True, name)

-    subprocess.Popen("ping " + name, shell=unknownValue) # OK - shell assumed to be False
+    subprocess.Popen("ping " + name, shell=unknownValue) # OK - shell assumed to be False
+
+def intentional(command): 
+    os.system("fish -ic " + command) # $result=OK - intentional