hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-05 07:06:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

TaintedEnvironmentVariableQuery docs

Browse Source
This commit is contained in:
Ed Minnix
2023-11-14 13:11:43 -05:00
parent 818c5de8d5
commit f1f0f50c92
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
View File

@@ -18,16 +18,23 @@ private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {
private module ProcessBuilderEnvironmentFlow = DataFlow::Global<ProcessBuilderEnvironmentConfig>;
/**
* A taint-tracking configuration that tracks flow from unvalidated data to an environment variable for a subprocess.
*/
module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "environment-injection")
or
// sink is an added to a `ProcessBuilder::environment` map.
exists(MapPutCall mpc | mpc.getAnArgument() = sink.asExpr() |
ProcessBuilderEnvironmentFlow::flowToExpr(mpc.getQualifier())
)
}
}
/**
* Taint-tracking flow for unvalidated data to an environment variable for a subprocess.
*/
module ExecTaintedEnvironmentFlow = TaintTracking::Global<ExecTaintedEnvironmentConfig>;