hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b29ee2acdeffacdbb09e63d19f85752893ac934d
codeql/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll

67 lines
2.6 KiB
Plaintext
Raw Blame History

/**
* Provides a taint tracking configuration for reasoning about shell command
* constructed from library input vulnerabilities (CWE-078).
*
* Note, for performance reasons: only import this file if
* `UnsafeShellCommandConstruction::Configuration` is needed, otherwise
* `UnsafeShellCommandConstructionCustomizations` should be imported instead.
*/
import javascript
import UnsafeShellCommandConstructionCustomizations::UnsafeShellCommandConstruction
/**
* A taint-tracking configuration for reasoning about shell command constructed from library input vulnerabilities.
*/
module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
// TODO: we get a FP in the test case due to SanitizingRegExpTest not being able to generate a barrier edge
// for an edge into a phi node.
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) {
node instanceof Sanitizer or
node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode() or
node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
}
DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
}
/**
* Taint-tracking for reasoning about shell command constructed from library input vulnerabilities.
*/
module UnsafeShellCommandConstructionFlow =
TaintTracking::Global<UnsafeShellCommandConstructionConfig>;
/**
* DEPRECATED. Use the `UnsafeShellCommandConstructionFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "UnsafeShellCommandConstruction" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
guard instanceof PathExistsSanitizerGuard or
guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer or
guard instanceof NumberGuard or
guard instanceof TypeOfSanitizer
}
// override to require that there is a path without unmatched return steps
override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
super.hasFlowPath(source, sink) and
DataFlow::hasPathWithoutUnmatchedReturn(source, sink)
}
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
DataFlow::localFieldStep(pred, succ)
}
}
Reference in New Issue View Git Blame Copy Permalink