hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Add tests for ExecTainted

Browse Source
This commit is contained in:
Joe
2020-09-17 16:47:55 +01:00
parent b6cf1cce20
commit fcfc836720
7 changed files with 97 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
java/ql/test/query-tests/security/CWE-078/ExecRelative.expected Normal file
View File

@@ -0,0 +1 @@
| Test.java:50:46:50:49 | "ls" | Command with a relative path 'ls' is executed. |

1
java/ql/test/query-tests/security/CWE-078/ExecRelative.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-078/ExecRelative.ql

27
java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected Normal file
View File

@@ -0,0 +1,27 @@
edges
| Test.java:6:35:6:44 | arg : String | Test.java:7:44:7:69 | ... + ... |
| Test.java:6:35:6:44 | arg : String | Test.java:10:29:10:74 | new String[] |
| Test.java:6:35:6:44 | arg : String | Test.java:18:29:18:31 | cmd |
| Test.java:6:35:6:44 | arg : String | Test.java:24:29:24:32 | cmd1 |
| Test.java:28:38:28:47 | arg : String | Test.java:29:44:29:64 | ... + ... |
| Test.java:57:27:57:39 | args : String[] | Test.java:60:20:60:22 | arg : String |
| Test.java:57:27:57:39 | args : String[] | Test.java:61:23:61:25 | arg : String |
| Test.java:60:20:60:22 | arg : String | Test.java:6:35:6:44 | arg : String |
| Test.java:61:23:61:25 | arg : String | Test.java:28:38:28:47 | arg : String |
nodes
| Test.java:6:35:6:44 | arg : String | semmle.label | arg : String |
| Test.java:7:44:7:69 | ... + ... | semmle.label | ... + ... |
| Test.java:10:29:10:74 | new String[] | semmle.label | new String[] |
| Test.java:18:29:18:31 | cmd | semmle.label | cmd |
| Test.java:24:29:24:32 | cmd1 | semmle.label | cmd1 |
| Test.java:28:38:28:47 | arg : String | semmle.label | arg : String |
| Test.java:29:44:29:64 | ... + ... | semmle.label | ... + ... |
| Test.java:57:27:57:39 | args : String[] | semmle.label | args : String[] |
| Test.java:60:20:60:22 | arg : String | semmle.label | arg : String |
| Test.java:61:23:61:25 | arg : String | semmle.label | arg : String |
#select
| Test.java:7:44:7:69 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:7:44:7:69 | ... + ... | $@ flows to here and is used in a command. | Test.java:57:27:57:39 | args | User-provided value |
| Test.java:10:29:10:74 | new String[] | Test.java:57:27:57:39 | args : String[] | Test.java:10:29:10:74 | new String[] | $@ flows to here and is used in a command. | Test.java:57:27:57:39 | args | User-provided value |
| Test.java:18:29:18:31 | cmd | Test.java:57:27:57:39 | args : String[] | Test.java:18:29:18:31 | cmd | $@ flows to here and is used in a command. | Test.java:57:27:57:39 | args | User-provided value |
| Test.java:24:29:24:32 | cmd1 | Test.java:57:27:57:39 | args : String[] | Test.java:24:29:24:32 | cmd1 | $@ flows to here and is used in a command. | Test.java:57:27:57:39 | args | User-provided value |
| Test.java:29:44:29:64 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:29:44:29:64 | ... + ... | $@ flows to here and is used in a command. | Test.java:57:27:57:39 | args | User-provided value |

1
java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-078/ExecTaintedLocal.ql

2
java/ql/test/query-tests/security/CWE-078/ExecUnescaped.expected Normal file
View File

@@ -0,0 +1,2 @@
| Test.java:7:44:7:69 | ... + ... | Command line is built with string concatenation. |
| Test.java:29:44:29:64 | ... + ... | Command line is built with string concatenation. |

1
java/ql/test/query-tests/security/CWE-078/ExecUnescaped.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-078/ExecUnescaped.ql

64
java/ql/test/query-tests/security/CWE-078/Test.java Normal file
View File

@@ -0,0 +1,64 @@
import java.lang.ProcessBuilder;
import java.util.List;
import java.util.ArrayList;
class Test {
public static void shellCommand(String arg) {
ProcessBuilder pb = new ProcessBuilder("/bin/bash -c echo " + arg);
pb.start();
pb = new ProcessBuilder(new String[]{"/bin/bash", "-c", "echo " + arg});
pb.start();
List<String> cmd = new ArrayList<String>();
cmd.add("/bin/bash");
cmd.add("-c");
cmd.add("echo " + arg);
pb = new ProcessBuilder(cmd);
pb.start();
String[] cmd1 = new String[]{"/bin/bash", "-c", "<cmd>"};
cmd1[1] = "echo " + arg;
pb = new ProcessBuilder(cmd1);
pb.start();
}
public static void nonShellCommand(String arg) {
ProcessBuilder pb = new ProcessBuilder("./customTool " + arg);
pb.start();
pb = new ProcessBuilder(new String[]{"./customTool", arg});
pb.start();
List<String> cmd = new ArrayList<String>();
cmd.add("./customTool");
cmd.add(arg);
pb = new ProcessBuilder(cmd);
pb.start();
String[] cmd1 = new String[]{"./customTool", "<arg>"};
cmd1[1] = arg;
pb = new ProcessBuilder(cmd1);
pb.start();
}
public static void relativeCommand() {
ProcessBuilder pb = new ProcessBuilder("ls");
pb.start();
pb = new ProcessBuilder("/bin/ls");
pb.start();
}
public static void main(String[] args) {
String arg = args.length > 1 ? args[1] : "default";
shellCommand(arg);
nonShellCommand(arg);
relativeCommand();
}
}