hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 03:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

add command parsing model for "commander"

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-11-26 16:09:22 +01:00
committed by GitHub
parent 653ebf7668
commit fd0d5c9e46
3 changed files with 108 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
View File

@@ -90,6 +90,34 @@ module IndirectCommandInjection {
)
}
/**
* A Command instance from the `commander` library.
*/
private API::Node commander() {
result = API::moduleImport("commander")
or
// `require("commander").program === require("commander")`
result = commander().getMember("program")
or
result = commander().getMember("Command").getInstance()
or
// lots of chainable methods
result = commander().getAMember().getReturn()
}
/**
* A source of user input from the command-line parsed by the `commander` library.
*/
private class CommanderSource extends Source {
CommanderSource() {
// the parsed commands are stored as properties on the command object.
this = commander().getAMember().getAnImmediateUse()
or
// or the `opts()` method gets a list of them.
this = commander().getMember("opts").getACall()
}
}
/**
* Gets an instance of `yargs`.
* Either directly imported as a module, or through some chained method call.

69
javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected
View File

@@ -180,13 +180,37 @@ nodes
| command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:124:22:124:25 | opts |
| command-line-parameter-command-injection.js:124:22:124:29 | opts.foo |
| command-line-parameter-command-injection.js:127:6:127:38 | opts |
| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) |
| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) |
| command-line-parameter-command-injection.js:127:6:127:26 | opts |
| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() |
| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() |
| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:129:22:129:25 | opts |
| command-line-parameter-command-injection.js:129:22:129:29 | opts.foo |
| command-line-parameter-command-injection.js:133:8:133:41 | program |
| command-line-parameter-command-injection.js:133:10:133:16 | program |
| command-line-parameter-command-injection.js:133:10:133:16 | program |
| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() |
| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:22:137:28 | program |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() |
| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType |
edges
| command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
| command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] |
@@ -345,12 +369,36 @@ edges
| command-line-parameter-command-injection.js:124:22:124:25 | opts | command-line-parameter-command-injection.js:124:22:124:29 | opts.foo |
| command-line-parameter-command-injection.js:124:22:124:29 | opts.foo | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:124:22:124:29 | opts.foo | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:127:6:127:38 | opts | command-line-parameter-command-injection.js:129:22:129:25 | opts |
| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line-parameter-command-injection.js:127:6:127:38 | opts |
| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line-parameter-command-injection.js:127:6:127:38 | opts |
| command-line-parameter-command-injection.js:127:6:127:26 | opts | command-line-parameter-command-injection.js:129:22:129:25 | opts |
| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:127:6:127:26 | opts |
| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:127:6:127:26 | opts |
| command-line-parameter-command-injection.js:129:22:129:25 | opts | command-line-parameter-command-injection.js:129:22:129:29 | opts.foo |
| command-line-parameter-command-injection.js:129:22:129:29 | opts.foo | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:129:22:129:29 | opts.foo | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:133:8:133:41 | program | command-line-parameter-command-injection.js:137:22:137:28 | program |
| command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:133:8:133:41 | program |
| command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:133:8:133:41 | program |
| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:22:137:28 | program | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
#select
| command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument |
@@ -381,4 +429,11 @@ edges
| command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line argument |
| command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line argument |
| command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line argument |
| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line argument |
| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line argument |
| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line argument |
| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line argument |
| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:133:10:133:16 | program | command-line argument |
| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line argument |
| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line argument |
| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line argument |
| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line argument |

19
javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js
View File

@@ -127,4 +127,21 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
var opts = parser.parse();
cp.exec("cmd.sh " + opts.foo); // NOT OK
})
});
(function () {
const { program } = require('commander');
program.version('0.0.1');
cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK
cp.exec("cmd.sh " + program.pizzaType); // NOT OK
});
(function () {
const { Command } = require('commander');
const program = new Command();
program.version('0.0.1');
cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK
cp.exec("cmd.sh " + program.pizzaType); // NOT OK
});