Commit c8e9a59

Update CLI injection tests
Cover more cases, like sinks after (but not guarded by) barrier guards.
1 parent d046fb0 commit c8e9a59

2 files changed

+44
-16
lines changed

2 files changed

+44
-16
lines changed
Lines changed: 29 additions & 16 deletions
@@ -1,19 +1,32 @@
11
edges
2-
| CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:6:10:6:15 | #{...} |
3-
| CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:7:16:7:18 | cmd |
4-
| CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:8:14:8:16 | cmd |
5-
| CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:9:17:9:22 | #{...} |
6-
| CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:11:9:11:14 | #{...} |
2+
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:7:10:7:15 | #{...} |
3+
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:8:16:8:18 | cmd |
4+
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:9:14:9:16 | cmd |
5+
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:10:17:10:22 | #{...} |
6+
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:12:9:12:14 | #{...} |
7+
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:25:19:25:24 | #{...} |
8+
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:29:24:29:36 | "echo #{...}" |
9+
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:30:39:30:51 | "grep #{...}" |
10+
| CommandInjection.rb:41:15:41:20 | call to params : | CommandInjection.rb:45:24:45:36 | "echo #{...}" |
711
nodes
8-
| CommandInjection.rb:5:15:5:20 | call to params : | semmle.label | call to params : |
9-
| CommandInjection.rb:6:10:6:15 | #{...} | semmle.label | #{...} |
10-
| CommandInjection.rb:7:16:7:18 | cmd | semmle.label | cmd |
11-
| CommandInjection.rb:8:14:8:16 | cmd | semmle.label | cmd |
12-
| CommandInjection.rb:9:17:9:22 | #{...} | semmle.label | #{...} |
13-
| CommandInjection.rb:11:9:11:14 | #{...} | semmle.label | #{...} |
12+
| CommandInjection.rb:6:15:6:20 | call to params : | semmle.label | call to params : |
13+
| CommandInjection.rb:7:10:7:15 | #{...} | semmle.label | #{...} |
14+
| CommandInjection.rb:8:16:8:18 | cmd | semmle.label | cmd |
15+
| CommandInjection.rb:9:14:9:16 | cmd | semmle.label | cmd |
16+
| CommandInjection.rb:10:17:10:22 | #{...} | semmle.label | #{...} |
17+
| CommandInjection.rb:12:9:12:14 | #{...} | semmle.label | #{...} |
18+
| CommandInjection.rb:25:19:25:24 | #{...} | semmle.label | #{...} |
19+
| CommandInjection.rb:29:24:29:36 | "echo #{...}" | semmle.label | "echo #{...}" |
20+
| CommandInjection.rb:30:39:30:51 | "grep #{...}" | semmle.label | "grep #{...}" |
21+
| CommandInjection.rb:41:15:41:20 | call to params : | semmle.label | call to params : |
22+
| CommandInjection.rb:45:24:45:36 | "echo #{...}" | semmle.label | "echo #{...}" |
1423
#select
15-
| CommandInjection.rb:6:10:6:15 | #{...} | CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:6:10:6:15 | #{...} | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
16-
| CommandInjection.rb:7:16:7:18 | cmd | CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:7:16:7:18 | cmd | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
17-
| CommandInjection.rb:8:14:8:16 | cmd | CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:8:14:8:16 | cmd | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
18-
| CommandInjection.rb:9:17:9:22 | #{...} | CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:9:17:9:22 | #{...} | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
19-
| CommandInjection.rb:11:9:11:14 | #{...} | CommandInjection.rb:5:15:5:20 | call to params : | CommandInjection.rb:11:9:11:14 | #{...} | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
24+
| CommandInjection.rb:7:10:7:15 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:7:10:7:15 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
25+
| CommandInjection.rb:8:16:8:18 | cmd | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:8:16:8:18 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
26+
| CommandInjection.rb:9:14:9:16 | cmd | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:9:14:9:16 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
27+
| CommandInjection.rb:10:17:10:22 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:10:17:10:22 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
28+
| CommandInjection.rb:12:9:12:14 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:12:9:12:14 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
29+
| CommandInjection.rb:25:19:25:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:25:19:25:24 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
30+
| CommandInjection.rb:29:24:29:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:29:24:29:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
31+
| CommandInjection.rb:30:39:30:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:30:39:30:51 | "grep #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
32+
| CommandInjection.rb:45:24:45:36 | "echo #{...}" | CommandInjection.rb:41:15:41:20 | call to params : | CommandInjection.rb:45:24:45:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:41:15:41:20 | call to params | a user-provided value |

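--- a/ql/test/query-tests/security/cwe-078/CommandInjection.rb
+++ b/ql/test/query-tests/security/cwe-078/CommandInjection.rb
@@ -1,4 +1,5 @@
 require "shellwords"
+require "open3"
 
 class UsersController < ActionController::Base
 def create
@@ -20,7 +21,13 @@ def create
 
 if %w(foo bar).include? cmd
 `echo #{cmd}`
+else
+`echo #{cmd}`
 end
+
+# Open3 methods
+Open3.capture2("echo #{cmd}")
+Open3.pipeline("cat foo.txt", "grep #{cmd}")
 end
 
 def show
@@ -29,4 +36,12 @@ def show
 exec("ls")
 %x(ls)
 end
+
+def index
+cmd = params[:key]
+if %w(foo bar).include? cmd
+`echo #{cmd}`
+end
+Open3.capture2("echo #{cmd}")
+end
 end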
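Review bot: The Open3 cases added to `create` and `index` only exercise the single-string, shell-interpreted form (`Open3.capture2("echo #{cmd}")`, `Open3.pipeline("cat foo.txt", "grep #{cmd}")`); a negative case such as `Open3.capture2("echo", cmd)` (argv form, no shell) would pin down that the query tells the two apart, which is the main false-positive risk for these sinks. The new `index` method puts `Open3.capture2` after the `%w(foo bar).include?` guard rather than inside it, and the expected results for line 45 confirm it is still reported; a one-line comment there such as `# not guarded: the include? check above only covers the backtick call` would make the intent of the test obvious to the next reader. The `else` branch added to `create` at lines 24-25 similarly relies on the reader knowing that a barrier guard must not sanitise its negative branch; a short comment would help. Other Open3 entry points (`capture3`, `popen3`, `pipeline_r`) are not covered here, and whether they are modelled cannot be told from this diff. The body of `create` starts outside the hunk, so any `Shellwords.escape` negative case presumably lives in those lines.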
