mirror of
https://github.com/github/codeql.git
synced 2025-12-21 03:06:31 +01:00
58 lines
1.7 KiB
Plaintext
58 lines
1.7 KiB
Plaintext
/**
|
|
* Provides default sources, sinks and sanitizers for reasoning about
|
|
* command-injection vulnerabilities, as well as extension points for
|
|
* adding your own.
|
|
*/
|
|
|
|
import javascript
|
|
|
|
module CommandInjection {
|
|
/**
|
|
* A data flow source for command-injection vulnerabilities.
|
|
*/
|
|
abstract class Source extends DataFlow::Node {
|
|
/** Gets a string that describes the type of this remote flow source. */
|
|
abstract string getSourceType();
|
|
}
|
|
|
|
/**
|
|
* A data flow sink for command-injection vulnerabilities.
|
|
*/
|
|
abstract class Sink extends DataFlow::Node { }
|
|
|
|
/**
|
|
* A sanitizer for command-injection vulnerabilities.
|
|
*/
|
|
abstract class Sanitizer extends DataFlow::Node { }
|
|
|
|
/** A source of remote user input, considered as a flow source for command injection. */
|
|
class RemoteFlowSourceAsSource extends Source {
|
|
RemoteFlowSourceAsSource() {
|
|
this instanceof RemoteFlowSource and
|
|
not this instanceof ClientSideRemoteFlowSource
|
|
}
|
|
|
|
override string getSourceType() { result = "a user-provided value" }
|
|
}
|
|
|
|
/**
|
|
* A response from a server, considered as a flow source for command injection.
|
|
*/
|
|
class ServerResponse extends Source {
|
|
ServerResponse() { this = any(ClientRequest r).getAResponseDataNode() }
|
|
|
|
override string getSourceType() { result = "a server-provided value" }
|
|
}
|
|
|
|
/**
|
|
* A command argument to a function that initiates an operating system command.
|
|
*/
|
|
class SystemCommandExecutionSink extends Sink, DataFlow::ValueNode {
|
|
SystemCommandExecutionSink() { this = any(SystemCommandExecution sys).getACommandArgument() }
|
|
}
|
|
|
|
private class SinkFromModel extends Sink {
|
|
SinkFromModel() { this = ModelOutput::getASinkNode("command-line-injection").asSink() }
|
|
}
|
|
}
|