rename secondary to remote :), complete the previous commit changes

Author: am0o0

python/ql/src/experimental/Security/CWE-074/secondaryCommandInjection/SecondaryServerCmdInjection.qhelp renamed to python/ql/src/experimental/Security/CWE-074/remoteCommandExecution/RemoteCommandExecution.qhelp

@@ -2,10 +2,10 @@
 <qhelp>
     <overview>
         <p>
-            Allowing users to execute arbitrary commands using an SSH connection on a secondary server can lead to security issues unless you implement proper authorization.
+            Allowing users to execute arbitrary commands using an SSH connection on a remote server can lead to security issues unless you implement proper authorization.
         </p>
         <p>
-            Assume that you connect to a secondary system via SSH connection from your main or local server that accepts user-controlled data and has interaction with users that you don't trust, passing these data to SSH API as a part of a command that will be executed on a secondary remote server can lead to security issues. You should consider proper authorization rules very carefully.
+            Assume that you connect to a remote system via SSH connection from your main or local server that accepts user-controlled data and has interaction with users that you don't trust, passing these data to SSH API as a part of a command that will be executed on a secondary remote server can lead to security issues. You should consider proper authorization rules very carefully.
         </p>
     </overview>
     <recommendation>

python/ql/src/experimental/Security/CWE-074/secondaryCommandInjection/SecondaryServerCmdInjection.ql renamed to python/ql/src/experimental/Security/CWE-074/remoteCommandExecution/RemoteCommandExecution.ql

@@ -12,10 +12,10 @@
  */
 
 import python
-import experimental.semmle.python.security.SecondaryServerCmdInjection
-import SecondaryCommandInjectionFlow::PathGraph
+import experimental.semmle.python.security.RemoteCommandExecution
+import RemoteCommandExecutionFlow::PathGraph
 
-from SecondaryCommandInjectionFlow::PathNode source, SecondaryCommandInjectionFlow::PathNode sink
-where SecondaryCommandInjectionFlow::flowPath(source, sink)
+from RemoteCommandExecutionFlow::PathNode source, RemoteCommandExecutionFlow::PathNode sink
+where RemoteCommandExecutionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
   "a user-provided value"

python/ql/src/experimental/Security/CWE-074/secondaryCommandInjection/paramikoBad.py renamed to python/ql/src/experimental/Security/CWE-074/remoteCommandExecution/paramikoBad.py

@@ -15,14 +15,29 @@ private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
 private import semmle.python.Concepts
 
-/** Provides classes for modeling remote server command execution related APIs. */
+/**
+ * A data-flow node that executes an operating system command,
+ * on a remote server likely by SSH connections.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `RemoteCommandExecution::Range` instead.
+ */
+class RemoteCommandExecution extends DataFlow::Node instanceof RemoteCommandExecution::Range {
+  /** Holds if a shell interprets `arg`. */
+  predicate isShellInterpreted(DataFlow::Node arg) { super.isShellInterpreted(arg) }
+
+  /** Gets the argument that specifies the command to be executed. */
+  DataFlow::Node getCommand() { result = super.getCommand() }
+}
+
+/** Provides classes for modeling new remote server command execution APIs. */
 module RemoteCommandExecution {
   /**
    * A data-flow node that executes an operating system command,
    * on a remote server likely by SSH connections.
    *
    * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `SystemCommandExecution` instead.
+   * extend `RemoteCommandExecution` instead.
    */
   abstract class Range extends DataFlow::Node {
     /** Gets the argument that specifies the command to be executed. */

python/ql/src/experimental/Security/CWE-074/secondaryCommandInjection/paramikoGood.py renamed to python/ql/src/experimental/Security/CWE-074/remoteCommandExecution/paramikoGood.py

@@ -6,11 +6,11 @@ import semmle.python.dataflow.new.internal.DataFlowPublic
 import codeql.util.Unit
 import experimental.semmle.python.Concepts
 
-module SecondaryCommandInjectionConfig implements DataFlow::ConfigSig {
+module RemoteCommandExecutionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  predicate isSink(DataFlow::Node sink) { sink instanceof SecondaryCommandInjection }
+  predicate isSink(DataFlow::Node sink) { sink = any(RemoteCommandExecution rce).getCommand() }
 }
 
 /** Global taint-tracking for detecting "secondary server command injection" vulnerabilities. */
-module SecondaryCommandInjectionFlow = TaintTracking::Global<SecondaryCommandInjectionConfig>;
+module RemoteCommandExecutionFlow = TaintTracking::Global<RemoteCommandExecutionConfig>;

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -14,6 +14,6 @@
 @app.get("/bad1")
 async def bad1(cmd: str):
     async with asyncssh.connect('localhost') as conn:
-        result = await conn.run(cmd, check=True) # $ result=BAD getSecondaryCommand=cmd
+        result = await conn.run(cmd, check=True) # $ result=BAD getRemoteCommand=cmd
         print(result.stdout, end='')
     return {"success": "Dangerous"}

python/ql/src/experimental/semmle/python/security/SecondaryServerCmdInjection.qll renamed to python/ql/src/experimental/semmle/python/security/RemoteCommandExecution.qll

@@ -6,16 +6,16 @@ private import semmle.python.dataflow.new.internal.PrintNode
 import experimental.semmle.python.Concepts
 
 module SystemCommandExecutionTest implements TestSig {
-  string getARelevantTag() { result = "getSecondaryCommand" }
+  string getARelevantTag() { result = "getRemoteCommand" }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(location.getFile().getRelativePath()) and
-    exists(SecondaryCommandInjection sci, DataFlow::Node command |
-      command = sci and
+    exists(RemoteCommandExecution sci, DataFlow::Node command |
+      command = sci.getCommand() and
       location = command.getLocation() and
       element = command.toString() and
       value = prettyNodeForInlineTest(command) and
-      tag = "getSecondaryCommand"
+      tag = "getRemoteCommand"
     )
   }
 }