
Commit 2f461c9

committed
Java: Use the experimental versions of the CWE-078 queries.
1 parent 691dd99 commit 2f461c9

15 files changed

+23
-193
lines changed

java/src/CWE-078/CommandInjectionRuntimeExec.java

Lines changed: 0 additions & 9 deletions
This file was deleted.

java/src/CWE-078/CommandInjectionRuntimeExec.qhelp

Lines changed: 0 additions & 41 deletions
This file was deleted.

java/src/CWE-078/CommandInjectionRuntimeExec.ql

Lines changed: 0 additions & 25 deletions
This file was deleted.

java/src/CWE-078/CommandInjectionRuntimeExecLocal.qhelp

Lines changed: 0 additions & 41 deletions
This file was deleted.

java/src/CWE-078/CommandInjectionRuntimeExecLocal.ql

Lines changed: 0 additions & 26 deletions
This file was deleted.

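--- a/java/src/security/CWE-078/CommandInjectionRuntimeExec.qhelp
+++ b/java/src/security/CWE-078/CommandInjectionRuntimeExec.qhelp
@@ -37,10 +37,5 @@ OWASP:
 <li>SEI CERT Oracle Coding Standard for Java:
 <a href="https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method">IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method</a>.</li>
 
-
-
-<!-- LocalWords: CWE untrusted unsanitized Runtime
--->
-
 </references>
 </qhelp>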

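--- a/java/src/security/CWE-078/CommandInjectionRuntimeExec.ql
+++ b/java/src/security/CWE-078/CommandInjectionRuntimeExec.ql
@@ -3,32 +3,23 @@
 * @description High sensitvity and precision version of java/command-line-injection, designed to find more cases of command injection in rare cases that the default query does not find
 * @kind path-problem
 * @problem.severity error
-* @security-severity 6.1
+* @security-severity 9.8
 * @precision high
-* @id githubsecuritylab/command-line-injection-extra
+* @id java/command-line-injection-extra
 * @tags security
+* experimental
 * external/cwe/cwe-078
 */
 
-import ghsl.CommandInjectionRuntimeExec
+import CommandInjectionRuntimeExec
+import ExecUserFlow::PathGraph
 
-class RemoteSource extends Source {
-RemoteSource() { this instanceof RemoteFlowSource }
-}
+class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
 
-module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
-
-module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
-
-module FlowGraph =
-DataFlow::MergePathGraph<Flow::PathNode, Flow2::PathNode, Flow::PathGraph, Flow2::PathGraph>;
-
-import FlowGraph::PathGraph
-
-from FlowGraph::PathNode source, FlowGraph::PathNode sink
-where
-Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
-Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
-select sink.getNode(), source, sink,
+from
+ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
+DataFlow::Node sinkCmd
+where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd)
+select sink, source, sink,
 "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-source, source.toString(), source.getNode(), source.toString()
+sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()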
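Review bot: On new line 17 the source class is bound to `ActiveThreatModelSource`, so the flows this query reports now depend on which threat models are enabled for the run, while new line 6 rates every result at `@security-severity 9.8` and nothing in the header says so. If a run also enables local sources, the same flows would presumably be reported here at 9.8 and by `java/command-line-injection-extra-local` at 6.1; the `Source` library is outside this page, so that overlap is inferred. I would add a comment above the class, `// Sources follow the active threat model configuration, not only RemoteFlowSource.`, and fix the `sensitvity` typo in the `@description` on line 3 while the metadata is being edited.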

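--- a/java/src/security/CWE-078/CommandInjectionRuntimeExecLocal.qhelp
+++ b/java/src/security/CWE-078/CommandInjectionRuntimeExecLocal.qhelp
@@ -37,10 +37,5 @@ OWASP:
 <li>SEI CERT Oracle Coding Standard for Java:
 <a href="https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method">IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method</a>.</li>
 
-
-
-<!-- LocalWords: CWE untrusted unsanitized local Runtime
--->
-
 </references>
 </qhelp>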

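--- a/java/src/security/CWE-078/CommandInjectionRuntimeExecLocal.ql
+++ b/java/src/security/CWE-078/CommandInjectionRuntimeExecLocal.ql
@@ -5,31 +5,22 @@
 * @problem.severity error
 * @security-severity 6.1
 * @precision high
-* @id githubsecuritylab/command-line-injection-extra-local
+* @id java/command-line-injection-extra-local
 * @tags security
+* experimental
 * local
 * external/cwe/cwe-078
 */
 
-import ghsl.CommandInjectionRuntimeExec
+import CommandInjectionRuntimeExec
+import ExecUserFlow::PathGraph
 
-class LocalSource extends Source {
-LocalSource() { this instanceof LocalUserInput }
-}
+class LocalSource extends Source instanceof LocalUserInput { }
 
-module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
-
-module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
-
-module FlowGraph =
-DataFlow::MergePathGraph<Flow::PathNode, Flow2::PathNode, Flow::PathGraph, Flow2::PathGraph>;
-
-import FlowGraph::PathGraph
-
-from FlowGraph::PathNode source, FlowGraph::PathNode sink
-where
-Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
-Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
-select sink.getNode(), source, sink,
+from
+ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
+DataFlow::Node sinkCmd
+where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd)
+select sink, source, sink,
 "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-source, source.toString(), source.getNode(), source.toString()
+sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()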
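Review bot: `sinkCmd` in the `from` clause (new lines 21-22) is bound only to be passed to `callIsTaintedByUserInputAndDangerousCommand` and never reaches the `select`, so a reader cannot tell whether leaving the sink-side command out of the alert is deliberate. If it is not needed, the don't-care argument says so directly: `where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, _)` with the `DataFlow::Node sinkCmd` declaration dropped. The predicate is defined outside this page, so confirm its fourth parameter is safe to leave unbound before changing it. The same `from`/`where` pair appears in CommandInjectionRuntimeExec.ql.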
