hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
1f37e70d83e77045966c71df27f5ea67d911979a
codeql/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
Edward Minnix III 1f37e70d83 Fix typos 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
2024-01-08 09:38:51 -05:00

41 lines
1.5 KiB
Plaintext
Raw Blame History

/** Modules to reason about the tainting of environment variables */
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.Maps
private import semmle.code.java.JDK
private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(MethodCall mc | mc = source.asExpr() |
mc.getMethod().hasQualifiedName("java.lang", "ProcessBuilder", "environment")
)
}
predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(MapMutation mm).getQualifier() }
}
private module ProcessBuilderEnvironmentFlow = DataFlow::Global<ProcessBuilderEnvironmentConfig>;
/**
* A taint-tracking configuration that tracks flow from unvalidated data to an environment variable for a subprocess.
*/
module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "environment-injection")
or
// sink is a key or value added to a `ProcessBuilder::environment` map.
exists(MapMutation mm | mm.getAnArgument() = sink.asExpr() |
ProcessBuilderEnvironmentFlow::flowToExpr(mm.getQualifier())
)
}
}
/**
* Taint-tracking flow for unvalidated data to an environment variable for a subprocess.
*/
module ExecTaintedEnvironmentFlow = TaintTracking::Global<ExecTaintedEnvironmentConfig>;
Reference in New Issue View Git Blame Copy Permalink