update the QHelp to add a "--" example

erik-krogh · erik-krogh · commit 9aeebc6f39b3 · 2024-05-16T19:49:22.000+02:00
diff --git a/go/ql/src/Security/CWE-078/CommandInjection.qhelp b/go/ql/src/Security/CWE-078/CommandInjection.qhelp
@@ -12,18 +12,17 @@ a malicious user may be able to run commands to exfiltrate data or compromise th
 
 <recommendation>
 <p>
-If possible, use hard-coded string literals to specify the command to run, and avoid using 
-shell string interpreters such as <code>sh -c</code> to execute shell commands. 
+Whenever possible, use hard-coded string literals for commands and avoid shell 
+string interpreters like <code>sh -c</code>.
 </p>
 <p>
 If given arguments as a single string, avoid simply splitting the string on 
 whitespace. Arguments may contain quoted whitespace, causing them to split into 
 multiple arguments.
 </p>
 <p>
-If this is not possible, then add sanitization code to verify that the user input is 
-safe before using it, thereby avoiding characters that can change the meaning of the 
-command such as spaces and quotes.
+If this is not possible, sanitize user input to avoid characters like spaces and
+various kinds of quotes that can alter the meaning of the command.
 </p>
 </recommendation>
 
@@ -34,12 +33,11 @@ handler in a web application, whose parameter <code>req</code> contains the requ
 </p>
 <sample src="examples/CommandInjection.go"/>
 <p>
-The handler extracts the name of an image file from the request object, and then runs a command
-to process the image. The command is constructed by concatenating the image path and the output path, 
-and then running it with <code>sh -c</code>. This can cause a command-injection vulnerability.
+The handler extracts the image file name from the request and uses the image name to construct a 
+shell command that is executed using <code>`sh -c`</code>, which can lead to command injection.
 </p>
 <p>
-It's better to avoid shell strings by using the <code>exec.Command</code> function directly, 
+It's better to avoid shell commands by using the <code>exec.Command</code> function directly, 
 as shown in the following example:
 </p>
 <sample src="examples/CommandInjectionGood.go"/>
@@ -48,6 +46,15 @@ Alternatively, a regular expression can be used to ensure that the image name is
 in a shell command:
 </p>
 <sample src="examples/CommandInjectionGood2.go"/>
+<p>
+Some commands, like <code>git</code>, can indirectly execute commands if an attacker specifies
+the flags given to the command. 
+</p>
+<p>
+To mitigate this risk, either add a <code>--</code> argument to ensure subsequent arguments are
+not interpreted as flags, or verify that the argument does not start with <code>"--"</code>.
+</p>
+<sample src="examples/CommandInjectionGood3.go"/>
 </example>
 <references>
 <li>
diff --git a/go/ql/src/Security/CWE-078/examples/CommandInjection.go b/go/ql/src/Security/CWE-078/examples/CommandInjection.go
@@ -7,8 +7,8 @@ import (
 
 func handler(req *http.Request) {
 	imageName := req.URL.Query()["imageName"][0]
-	outputPath = "/tmp/output.svg"
+	outputPath := "/tmp/output.svg"
 	cmd := exec.Command("sh", "-c", fmt.Sprintf("imagetool %s > %s", imageName, outputPath))
 	cmd.Run()
- 	// ...
+	// ...
 }
diff --git a/go/ql/src/Security/CWE-078/examples/CommandInjectionGood.go b/go/ql/src/Security/CWE-078/examples/CommandInjectionGood.go
@@ -1,28 +1,28 @@
 package main
 
 import (
-    "log"
-    "net/http"
-    "os"
-    "os/exec"
+	"log"
+	"net/http"
+	"os"
+	"os/exec"
 )
 
 func handler(req *http.Request) {
-    imageName := req.URL.Query()["imageName"][0]
-    outputPath := "/tmp/output.svg"
+	imageName := req.URL.Query()["imageName"][0]
+	outputPath := "/tmp/output.svg"
 
-    // Create the output file
-    outfile, err := os.Create(outputPath)
-    if err != nil {
-        log.Fatal(err)
-    }
-    defer outfile.Close()
+	// Create the output file
+	outfile, err := os.Create(outputPath)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer outfile.Close()
 
-    // Prepare the command
-    cmd := exec.Command("imagetool", imageName)
+	// Prepare the command
+	cmd := exec.Command("imagetool", imageName)
 
-    // Set the output to our file
-    cmd.Stdout = outfile
+	// Set the output to our file
+	cmd.Stdout = outfile
 
-    cmd.Run()
+	cmd.Run()
 }
diff --git a/go/ql/src/Security/CWE-078/examples/CommandInjectionGood3.go b/go/ql/src/Security/CWE-078/examples/CommandInjectionGood3.go
@@ -0,0 +1,26 @@
+package main
+
+import (
+	"log"
+	"net/http"
+	"os/exec"
+	"strings"
+)
+
+func handler(req *http.Request) {
+	repoURL := req.URL.Query()["repoURL"][0]
+	outputPath := "/tmp/repo"
+
+	// Sanitize the repoURL to ensure it does not start with "--"
+	if strings.HasPrefix(repoURL, "--") {
+		log.Fatal("Invalid repository URL")
+		return
+	}
+
+	// Or: add "--" to ensure that the repoURL is not interpreted as a flag
+	cmd := exec.Command("git", "clone", "--", repoURL, outputPath)
+	err := cmd.Run()
+	if err != nil {
+		log.Fatal(err)
+	}
+}
