hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
727bddea19e810bafdf2a880beb0f34c5d5a875b
codeql/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
Nora Dimitrijević 71cf042607 JS/IndirectCommandInjectionQuery 
javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
2025-10-28 09:40:11 +01:00

68 lines
2.2 KiB
Plaintext
Raw Blame History

/**
* Provides a taint-tracking configuration for reasoning about command-injection
* vulnerabilities (CWE-078).
*/
import javascript
import IndirectCommandInjectionCustomizations::IndirectCommandInjection
private import IndirectCommandArgument
/**
* A taint-tracking configuration for reasoning about command-injection vulnerabilities.
*/
module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
/**
* Holds if `sink` is a data-flow sink for command-injection vulnerabilities, and
* the alert should be placed at the node `highlight`.
*/
additional predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
sink instanceof Sink and highlight = sink
or
isIndirectCommandArgument(sink, highlight)
}
predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(DataFlow::Node node | isSinkWithHighlight(sink, node) |
result = sink.getLocation()
or
result = node.getLocation()
)
}
}
/**
* Taint-tracking for reasoning about command-injection vulnerabilities.
*/
module IndirectCommandInjectionFlow = TaintTracking::Global<IndirectCommandInjectionConfig>;
/**
* DEPRECATED. Use the `IndirectCommandInjectionFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "IndirectCommandInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
/**
* Holds if `sink` is a data-flow sink for command-injection vulnerabilities, and
* the alert should be placed at the node `highlight`.
*/
predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
sink instanceof Sink and highlight = sink
or
isIndirectCommandArgument(sink, highlight)
}
override predicate isSink(DataFlow::Node sink) { this.isSinkWithHighlight(sink, _) }
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
}
Reference in New Issue View Git Blame Copy Permalink