add regexp check as a sanitizer for command-injection

erik-krogh · erik-krogh · commit b9a7f6a8f76b · 2024-05-16T08:55:03.000+02:00
diff --git a/go/ql/lib/semmle/go/security/CommandInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/CommandInjectionCustomizations.qll
@@ -45,4 +45,11 @@ module CommandInjection {
 
     override predicate doubleDashIsSanitizing() { exec.doubleDashIsSanitizing() }
   }
+
+  import semmle.go.dataflow.barrierguardutil.RegexpCheck
+
+  /**
+   * A call to a regexp match function, considered as a barrier guard for command injection.
+   */
+  class RegexpCheckBarrierAsSanitizer extends Sanitizer instanceof RegexpCheckBarrier { }
 }
diff --git a/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -6,11 +6,6 @@ edges
 | CommandInjection2.go:15:34:15:88 | []type{args} [array] | CommandInjection2.go:15:34:15:88 | call to Sprintf | provenance | MaD:245 |
 | CommandInjection2.go:15:67:15:75 | imageName | CommandInjection2.go:15:34:15:88 | []type{args} [array] | provenance |  |
 | CommandInjection2.go:15:67:15:75 | imageName | CommandInjection2.go:15:34:15:88 | call to Sprintf | provenance | FunctionModel |
-| CommandInjection2.go:41:18:41:24 | selection of URL | CommandInjection2.go:41:18:41:32 | call to Query | provenance | MaD:735 |
-| CommandInjection2.go:41:18:41:32 | call to Query | CommandInjection2.go:51:70:51:78 | imageName | provenance |  |
-| CommandInjection2.go:51:37:51:91 | []type{args} [array] | CommandInjection2.go:51:37:51:91 | call to Sprintf | provenance | MaD:245 |
-| CommandInjection2.go:51:70:51:78 | imageName | CommandInjection2.go:51:37:51:91 | []type{args} [array] | provenance |  |
-| CommandInjection2.go:51:70:51:78 | imageName | CommandInjection2.go:51:37:51:91 | call to Sprintf | provenance | FunctionModel |
 | CommandInjection.go:9:13:9:19 | selection of URL | CommandInjection.go:9:13:9:27 | call to Query | provenance | MaD:735 |
 | CommandInjection.go:9:13:9:27 | call to Query | CommandInjection.go:10:22:10:28 | cmdName | provenance |  |
 | GitSubcommands.go:10:13:10:19 | selection of URL | GitSubcommands.go:10:13:10:27 | call to Query | provenance | MaD:735 |
@@ -118,11 +113,6 @@ nodes
 | CommandInjection2.go:15:34:15:88 | []type{args} [array] | semmle.label | []type{args} [array] |
 | CommandInjection2.go:15:34:15:88 | call to Sprintf | semmle.label | call to Sprintf |
 | CommandInjection2.go:15:67:15:75 | imageName | semmle.label | imageName |
-| CommandInjection2.go:41:18:41:24 | selection of URL | semmle.label | selection of URL |
-| CommandInjection2.go:41:18:41:32 | call to Query | semmle.label | call to Query |
-| CommandInjection2.go:51:37:51:91 | []type{args} [array] | semmle.label | []type{args} [array] |
-| CommandInjection2.go:51:37:51:91 | call to Sprintf | semmle.label | call to Sprintf |
-| CommandInjection2.go:51:70:51:78 | imageName | semmle.label | imageName |
 | CommandInjection.go:9:13:9:19 | selection of URL | semmle.label | selection of URL |
 | CommandInjection.go:9:13:9:27 | call to Query | semmle.label | call to Query |
 | CommandInjection.go:10:22:10:28 | cmdName | semmle.label | cmdName |
@@ -216,7 +206,6 @@ subpaths
 #select
 | ArgumentInjection.go:10:31:10:34 | path | ArgumentInjection.go:9:10:9:16 | selection of URL | ArgumentInjection.go:10:31:10:34 | path | This command depends on a $@. | ArgumentInjection.go:9:10:9:16 | selection of URL | user-provided value |
 | CommandInjection2.go:15:34:15:88 | call to Sprintf | CommandInjection2.go:13:15:13:21 | selection of URL | CommandInjection2.go:15:34:15:88 | call to Sprintf | This command depends on a $@. | CommandInjection2.go:13:15:13:21 | selection of URL | user-provided value |
-| CommandInjection2.go:51:37:51:91 | call to Sprintf | CommandInjection2.go:41:18:41:24 | selection of URL | CommandInjection2.go:51:37:51:91 | call to Sprintf | This command depends on a $@. | CommandInjection2.go:41:18:41:24 | selection of URL | user-provided value |
 | CommandInjection.go:10:22:10:28 | cmdName | CommandInjection.go:9:13:9:19 | selection of URL | CommandInjection.go:10:22:10:28 | cmdName | This command depends on a $@. | CommandInjection.go:9:13:9:19 | selection of URL | user-provided value |
 | GitSubcommands.go:12:31:12:37 | tainted | GitSubcommands.go:10:13:10:19 | selection of URL | GitSubcommands.go:12:31:12:37 | tainted | This command depends on a $@. | GitSubcommands.go:10:13:10:19 | selection of URL | user-provided value |
 | GitSubcommands.go:13:31:13:37 | tainted | GitSubcommands.go:10:13:10:19 | selection of URL | GitSubcommands.go:13:31:13:37 | tainted | This command depends on a $@. | GitSubcommands.go:10:13:10:19 | selection of URL | user-provided value |

Original file line number	Diff line number	Diff line change
`@@ -45,4 +45,11 @@ module CommandInjection {`
`45`	`45`
`46`	`46`	`override predicate doubleDashIsSanitizing() { exec.doubleDashIsSanitizing() }`
`47`	`47`	`}`
	`48`	`+`
	`49`	`+ import semmle.go.dataflow.barrierguardutil.RegexpCheck`
	`50`	`+`
	`51`	`+ /**`
	`52`	`+ * A call to a regexp match function, considered as a barrier guard for command injection.`
	`53`	`+ */`
	`54`	`+ class RegexpCheckBarrierAsSanitizer extends Sanitizer instanceof RegexpCheckBarrier { }`
`48`	`55`	`}`