hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-18 07:53:43 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
1b70111dd256961bec3191ea04a1077bc4ad34fe
codeql/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
Nora Dimitrijević 2a30ea923a JS/CommandInjectionQuery 
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql

javascript/ql/src/Security/CWE-078/CommandInjection.ql
2025-10-28 09:40:09 +01:00

62 lines
2.0 KiB
Plaintext
Raw Blame History

/**
* Provides a taint tracking configuration for reasoning about
* command-injection vulnerabilities (CWE-078).
*
* Note, for performance reasons: only import this file if
* `CommandInjection::Configuration` is needed, otherwise
* `CommandInjectionCustomizations` should be imported instead.
*/
import javascript
import CommandInjectionCustomizations::CommandInjection
import IndirectCommandArgument
/**
* Holds if `sink` is a data flow sink for command-injection vulnerabilities, and
* the alert should be placed at the node `highlight`.
*/
predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
sink instanceof Sink and highlight = sink
or
isIndirectCommandArgument(sink, highlight)
}
/**
* A taint-tracking configuration for reasoning about command-injection vulnerabilities.
*/
module CommandInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(DataFlow::Node node | isSinkWithHighlight(sink, node) |
result = sink.getLocation()
or
result = node.getLocation()
)
}
}
/**
* Taint-tracking for reasoning about command-injection vulnerabilities.
*/
module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;
/**
* DEPRECATED. Use the `CommandInjectionFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "CommandInjection" }
override predicate isSource(DataFlow::Node source) { CommandInjectionConfig::isSource(source) }
override predicate isSink(DataFlow::Node sink) { CommandInjectionConfig::isSink(sink) }
override predicate isSanitizer(DataFlow::Node node) { CommandInjectionConfig::isBarrier(node) }
}
Reference in New Issue View Git Blame Copy Permalink