Converting command-injection sinks to use MaD

owen-mc · owen-mc · commit 5ef37c4501ec · 2024-08-08T17:03:57.000+01:00
diff --git a/go/ql/lib/ext/github.com.codeskyblue.go-sh.model.yml b/go/ql/lib/ext/github.com.codeskyblue.go-sh.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/codeskyblue/go-sh", "", False, "Command", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["github.com/codeskyblue/go-sh", "Session", False, "Call", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["github.com/codeskyblue/go-sh", "Session", False, "Command", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["github.com/codeskyblue/go-sh", "Session", False, "Exec", "", "", "Argument[0]", "command-injection", "manual"]
diff --git a/go/ql/lib/ext/golang.org.x.crypto.ssh.model.yml b/go/ql/lib/ext/golang.org.x.crypto.ssh.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["golang.org/x/crypto/ssh", "Session", False, "CombinedOutput", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["golang.org/x/crypto/ssh", "Session", False, "Output", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["golang.org/x/crypto/ssh", "Session", False, "Run", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["golang.org/x/crypto/ssh", "Session", False, "Start", "", "", "Argument[0]", "command-injection", "manual"]
diff --git a/go/ql/lib/ext/os.exec.model.yml b/go/ql/lib/ext/os.exec.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["os/exec", "", False, "Command", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["os/exec", "", False, "CommandContext", "", "", "Argument[1]", "command-injection", "manual"]
diff --git a/go/ql/lib/ext/os.model.yml b/go/ql/lib/ext/os.model.yml
@@ -3,6 +3,7 @@ extensions:
       pack: codeql/go-all
       extensible: sinkModel
     data:
+      # path-injection
       - ["os", "", False, "Chdir", "", "", "Argument[0]", "path-injection", "manual"]
       - ["os", "", False, "Chmod", "", "", "Argument[0]", "path-injection", "manual"]
       - ["os", "", False, "Chown", "", "", "Argument[0]", "path-injection", "manual"]
@@ -29,6 +30,8 @@ extensions:
       - ["os", "", False, "MkdirTemp", "", "", "Argument[0..1]", "path-injection", "manual"]
       - ["os", "", False, "CreateTemp", "", "", "Argument[0..1]", "path-injection", "manual"]
       - ["os", "", False, "WriteFile", "", "", "Argument[0]", "path-injection", "manual"]
+      # command-injection
+      - ["os", "", False, "StartProcess", "", "", "Argument[0]", "command-injection", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
diff --git a/go/ql/lib/ext/syscall.model.yml b/go/ql/lib/ext/syscall.model.yml
@@ -1,4 +1,13 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["syscall", "", False, "Exec", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["syscall", "", False, "ForkExec", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["syscall", "", False, "StartProcess", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["syscall", "", False, "CreateProcess", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["syscall", "", False, "CreateProcessAsUser", "", "", "Argument[1]", "command-injection", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
diff --git a/go/ql/lib/semmle/go/frameworks/SystemCommandExecutors.qll b/go/ql/lib/semmle/go/frameworks/SystemCommandExecutors.qll
@@ -5,6 +5,25 @@
 
 import go
 
+private class DefaultSystemCommandExecution extends SystemCommandExecution::Range,
+  DataFlow::CallNode
+{
+  DataFlow::ArgumentNode commandName;
+
+  DefaultSystemCommandExecution() {
+    sinkNode(commandName, "command-injection") and
+    this = commandName.getCall()
+  }
+
+  override DataFlow::Node getCommandName() {
+    not commandName instanceof DataFlow::ImplicitVarargsSlice and
+    result = commandName
+    or
+    commandName instanceof DataFlow::ImplicitVarargsSlice and
+    result = this.getAnImplicitVarargsArgument()
+  }
+}
+
 /**
  * An indirect system-command execution via an argument argument passed to a command interpreter
  * such as a shell, `sudo`, or a programming-language interpreter.
@@ -26,85 +45,19 @@ private class ShellOrSudoExecution extends SystemCommandExecution::Range, DataFl
   }
 }
 
-private class SystemCommandExecutors extends SystemCommandExecution::Range, DataFlow::CallNode {
-  int cmdArg;
-
-  SystemCommandExecutors() {
-    exists(string pkg, string name | this.getTarget().hasQualifiedName(pkg, name) |
-      pkg = "os" and name = "StartProcess" and cmdArg = 0
-      or
-      // assume that if a `Cmd` is instantiated it will be run
-      pkg = "os/exec" and name = "Command" and cmdArg = 0
-      or
-      pkg = "os/exec" and name = "CommandContext" and cmdArg = 1
-      or
-      // NOTE: syscall.ForkExec exists only on unix.
-      // NOTE: syscall.CreateProcess and syscall.CreateProcessAsUser exist only on windows.
-      pkg = "syscall" and
-      name = ["Exec", "ForkExec", "StartProcess", "CreateProcess"] and
-      cmdArg = 0
-      or
-      pkg = "syscall" and
-      name = "CreateProcessAsUser" and
-      cmdArg = 1
-    )
-  }
-
-  override DataFlow::Node getCommandName() { result = this.getSyntacticArgument(cmdArg) }
-}
-
-/**
- * A call to the `Command` function, or `Call` or `Command` methods on a `Session` object
- * from the [go-sh](https://github.com/codeskyblue/go-sh) package, viewed as a
- * system-command execution.
- */
-private class GoShCommandExecution extends SystemCommandExecution::Range, DataFlow::CallNode {
-  GoShCommandExecution() {
-    exists(string packagePath | packagePath = package("github.com/codeskyblue/go-sh", "") |
-      // Catch method calls on the `Session` object:
-      exists(Method method |
-        method.hasQualifiedName(packagePath, "Session", "Call")
-        or
-        method.hasQualifiedName(packagePath, "Session", "Command")
-        or
-        method.hasQualifiedName(packagePath, "Session", "Exec")
-      |
-        this = method.getACall()
-      )
-      or
-      // Catch calls to the `Command` function:
-      this.getTarget().hasQualifiedName(packagePath, "Command")
-    )
-  }
-
-  override DataFlow::Node getCommandName() { result = this.getSyntacticArgument(0) }
-}
-
 /**
+ * DEPRECATED
+ *
  * Provides classes for working with the
  * [golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh) package.
  */
-module CryptoSsh {
-  /** Gets the package path `golang.org/x/crypto/ssh`. */
-  string packagePath() { result = package("golang.org/x/crypto", "ssh") }
-
+deprecated module CryptoSsh {
   /**
-   * A call to a method on a `Session` object from the [ssh](golang.org/x/crypto/ssh)
-   * package, viewed as a system-command execution.
+   * DEPRECATED: Use `package("golang.org/x/crypto", "ssh")` instead.
+   *
+   * Gets the package path `golang.org/x/crypto/ssh`.
    */
-  private class SshCommandExecution extends SystemCommandExecution::Range, DataFlow::CallNode {
-    SshCommandExecution() {
-      // Catch method calls on the `Session` object:
-      exists(Method method, string methodName |
-        methodName = ["CombinedOutput", "Output", "Run", "Start"]
-      |
-        method.hasQualifiedName(packagePath(), "Session", methodName) and
-        this = method.getACall()
-      )
-    }
-
-    override DataFlow::Node getCommandName() { result = this.getSyntacticArgument(0) }
-  }
+  deprecated string packagePath() { result = package("golang.org/x/crypto", "ssh") }
 }
 
 /**
diff --git a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
@@ -12,17 +12,17 @@
 
 import go
 
+private string cryptoSshPackage() { result = package("golang.org/x/crypto", "ssh") }
+
 /** The `ssh.InsecureIgnoreHostKey` function, which allows connecting to any host regardless of its host key. */
 class InsecureIgnoreHostKey extends Function {
-  InsecureIgnoreHostKey() {
-    this.hasQualifiedName(CryptoSsh::packagePath(), "InsecureIgnoreHostKey")
-  }
+  InsecureIgnoreHostKey() { this.hasQualifiedName(cryptoSshPackage(), "InsecureIgnoreHostKey") }
 }
 
 /** An SSH host-key checking function. */
 class HostKeyCallbackFunc extends DataFlow::Node {
   HostKeyCallbackFunc() {
-    exists(NamedType nt | nt.hasQualifiedName(CryptoSsh::packagePath(), "HostKeyCallback") |
+    exists(NamedType nt | nt.hasQualifiedName(cryptoSshPackage(), "HostKeyCallback") |
       this.getType().getUnderlyingType() = nt.getUnderlyingType()
     ) and
     // Restrict possible sources to either function definitions or
@@ -62,7 +62,7 @@ module Config implements DataFlow::ConfigSig {
    */
   additional predicate writeIsSink(DataFlow::Node sink, Write write) {
     exists(Field f |
-      f.hasQualifiedName(CryptoSsh::packagePath(), "ClientConfig", "HostKeyCallback") and
+      f.hasQualifiedName(cryptoSshPackage(), "ClientConfig", "HostKeyCallback") and
       write.writesField(_, f, sink)
     )
   }
