Skip to content

Commit a8f3b4a

Browse files
author
Alvaro Muñoz
authored
Update CommandInjection.ql
1 parent 2c33a94 commit a8f3b4a

File tree

1 file changed

+12
-20
lines changed

1 file changed

+12
-20
lines changed

go/src/security/CWE-078/CommandInjection.ql

Lines changed: 12 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -13,35 +13,27 @@
1313

1414
import go
1515
import semmle.go.security.CommandInjection
16-
import semmle.go.security.CommandInjectionCustomizations::CommandInjection
16+
import DataFlow::PathGraph
17+
import semmle.go.security.FlowSources
1718

1819
//Override CommandInjection::Configuration to use the in-use sources
19-
class InUseAsSource extends Source instanceof UntrustedFlowSource {
20-
InUseAsSource() {
20+
class InUseCommandInjectionConfiguration extends CommandInjection::Configuration {
21+
override predicate isSource(DataFlow::Node node) {
2122
exists(UntrustedFlowSource source, Function function, DataFlow::CallNode callNode |
22-
source.asExpr() = this.asExpr() and
23+
source.asExpr() = node.asExpr() and
24+
2325
source.(DataFlow::ExprNode).asExpr().getEnclosingFunction() = function.getFuncDecl() and
2426
(
2527
// function is called directly
2628
callNode.getACallee() = function.getFuncDecl()
27-
or
29+
2830
// function is passed to another function to be called
29-
callNode.getCall().getAnArgument().(Ident).refersTo(function) //NEW with 2.13.2: or c.getASyntacticArgument().asExpr().(Ident).refersTo(f)
30-
)
31+
or callNode.getCall().getAnArgument().(Ident).refersTo(function) //NEW with 2.13.2: or c.getASyntacticArgument().asExpr().(Ident).refersTo(f)
32+
)
3133
)
3234
}
3335
}
3436

35-
module Flow =
36-
DataFlow::MergePathGraph<CommandInjection::Flow::PathNode,
37-
CommandInjection::DoubleDashSanitizingFlow::PathNode, CommandInjection::Flow::PathGraph,
38-
CommandInjection::DoubleDashSanitizingFlow::PathGraph>;
39-
40-
import Flow::PathGraph
41-
42-
from Flow::PathNode source, Flow::PathNode sink
43-
where
44-
CommandInjection::Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
45-
CommandInjection::DoubleDashSanitizingFlow::flowPath(source.asPathNode2(), sink.asPathNode2())
46-
select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(),
47-
"user-provided value"
37+
from InUseCommandInjectionConfiguration cfg, CommandInjection::DoubleDashSanitizingConfiguration cfg2, DataFlow::PathNode source, DataFlow::PathNode sink
38+
where (cfg.hasFlowPath(source, sink) or cfg2.hasFlowPath(source, sink))
39+
select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(), "user-provided value"

0 commit comments

Comments
 (0)