mirror of
https://github.com/github/codeql.git
synced 2026-02-24 10:53:49 +01:00
28 lines
1.1 KiB
Plaintext
28 lines
1.1 KiB
Plaintext
/** Provides a taint-tracking configuration to reason about use of externally controlled strings for command injection vulnerabilities. */
|
|
|
|
import java
|
|
private import semmle.code.java.dataflow.FlowSources
|
|
private import semmle.code.java.security.ExternalProcess
|
|
private import semmle.code.java.security.CommandArguments
|
|
|
|
/** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
|
|
module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
|
|
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
|
|
|
|
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
|
|
|
|
predicate isBarrier(DataFlow::Node node) {
|
|
node.getType() instanceof PrimitiveType
|
|
or
|
|
node.getType() instanceof BoxedType
|
|
or
|
|
isSafeCommandArgument(node.asExpr())
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Taint-tracking flow for use of externally controlled strings to make command line commands.
|
|
*/
|
|
module LocalUserInputToArgumentToExecFlow =
|
|
TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;
|