Add CommandInjection dataflow config

hmac · hmac · commit 8440fe2ba991 · 2021-09-17T17:02:17.000+01:00
diff --git a/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll b/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll
@@ -0,0 +1,44 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * command-injection vulnerabilities, as well as extension points for
+ * adding your own.
+ */
+
+private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.RemoteFlowSources
+private import codeql.ruby.Concepts
+private import codeql.ruby.Frameworks
+
+module CommandInjection {
+  /**
+   * A data flow source for command-injection vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node {
+    /** Gets a string that describes the type of this remote flow source. */
+    abstract string getSourceType();
+  }
+
+  /**
+   * A data flow sink for command-injection vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for command-injection vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for command injection. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+
+    override string getSourceType() { result = "a user-provided value" }
+  }
+
+  /**
+   * A command argument to a function that initiates an operating system command.
+   */
+  class SystemCommandExecutionSink extends Sink, DataFlow::Node {
+    SystemCommandExecutionSink() { this instanceof SystemCommandExecution }
+  }
+}
diff --git a/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll b/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll
@@ -0,0 +1,27 @@
+/**
+ * Provides a taint tracking configuration for reasoning about
+ * command-injection vulnerabilities (CWE-078).
+ *
+ * Note, for performance reasons: only import this file if
+ * `CommandInjection::Configuration` is needed, otherwise
+ * `CommandInjectionCustomizations` should be imported instead.
+ */
+
+import ruby
+// import IndirectCommandArgument
+import codeql.ruby.TaintTracking
+import CommandInjectionCustomizations::CommandInjection
+import codeql.ruby.DataFlow
+
+/**
+ * A taint-tracking configuration for reasoning about command-injection vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CommandInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+}
