Merge pull request github#11288 from pwntester/new_sudo_like_argument

owen-mc · web-flow · commit 2ed8d5d798af · 2022-12-07T10:20:49.000Z
Golang: add `rsync` as a program capable of arbitrary shell command execution
diff --git a/go/ql/lib/change-notes/2022-11-17-rsync-argument-injection.md b/go/ql/lib/change-notes/2022-11-17-rsync-argument-injection.md
@@ -0,0 +1,4 @@
+---
+ category: minorAnalysis
+---
+ * `rsync` has been added to the list of commands which may evaluate its parameters as a shell command.
diff --git a/go/ql/lib/semmle/go/frameworks/SystemCommandExecutors.qll b/go/ql/lib/semmle/go/frameworks/SystemCommandExecutors.qll
@@ -20,7 +20,9 @@ private class ShellOrSudoExecution extends SystemCommandExecution::Range, DataFl
 
   override DataFlow::Node getCommandName() { result = this.getAnArgument() }
 
-  override predicate doubleDashIsSanitizing() { shellCommand.getStringValue().matches("%git") }
+  override predicate doubleDashIsSanitizing() {
+    shellCommand.getStringValue().matches("%" + ["git", "rsync"])
+  }
 }
 
 private class SystemCommandExecutors extends SystemCommandExecution::Range, DataFlow::CallNode {
@@ -126,7 +128,7 @@ private string getASudoCommand() {
       "fakeroot", "fakeroot-sysv", "su", "fakeroot-tcp", "fstab-decode", "jrunscript", "nohup",
       "parallel", "find", "pkexec", "sg", "sem", "runcon", "sudoedit", "runuser", "stdbuf",
       "system", "timeout", "xargs", "time", "awk", "gawk", "mawk", "nawk", "doas", "git", "access",
-      "vsys", "userv", "sus", "super"
+      "vsys", "userv", "sus", "super", "rsync"
     ]
 }
 
diff --git a/go/ql/test/query-tests/Security/CWE-078/ArgumentInjection.go b/go/ql/test/query-tests/Security/CWE-078/ArgumentInjection.go
@@ -0,0 +1,12 @@
+package main
+
+import (
+	"net/http"
+	"os/exec"
+)
+
+func handler2(req *http.Request) {
+	path := req.URL.Query()["path"][0]
+	cmd := exec.Command("rsync", path, "/tmp")
+	cmd.Run()
+}
diff --git a/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -1,4 +1,5 @@
 edges
+| ArgumentInjection.go:9:10:9:16 | selection of URL : pointer type | ArgumentInjection.go:10:31:10:34 | path |
 | CommandInjection.go:9:13:9:19 | selection of URL : pointer type | CommandInjection.go:10:22:10:28 | cmdName |
 | GitSubcommands.go:10:13:10:19 | selection of URL : pointer type | GitSubcommands.go:12:31:12:37 | tainted |
 | GitSubcommands.go:10:13:10:19 | selection of URL : pointer type | GitSubcommands.go:13:31:13:37 | tainted |
@@ -25,6 +26,8 @@ edges
 | SanitizingDoubleDash.go:105:15:105:37 | slice literal [array] : string | SanitizingDoubleDash.go:106:24:106:31 | arrayLit |
 | SanitizingDoubleDash.go:105:30:105:36 | tainted : string | SanitizingDoubleDash.go:105:15:105:37 | slice literal [array] : string |
 nodes
+| ArgumentInjection.go:9:10:9:16 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
+| ArgumentInjection.go:10:31:10:34 | path | semmle.label | path |
 | CommandInjection.go:9:13:9:19 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
 | CommandInjection.go:10:22:10:28 | cmdName | semmle.label | cmdName |
 | GitSubcommands.go:10:13:10:19 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
@@ -55,6 +58,7 @@ nodes
 | SanitizingDoubleDash.go:152:24:152:30 | tainted | semmle.label | tainted |
 subpaths
 #select
+| ArgumentInjection.go:10:31:10:34 | path | ArgumentInjection.go:9:10:9:16 | selection of URL : pointer type | ArgumentInjection.go:10:31:10:34 | path | This command depends on a $@. | ArgumentInjection.go:9:10:9:16 | selection of URL | user-provided value |
 | CommandInjection.go:10:22:10:28 | cmdName | CommandInjection.go:9:13:9:19 | selection of URL : pointer type | CommandInjection.go:10:22:10:28 | cmdName | This command depends on a $@. | CommandInjection.go:9:13:9:19 | selection of URL | user-provided value |
 | GitSubcommands.go:12:31:12:37 | tainted | GitSubcommands.go:10:13:10:19 | selection of URL : pointer type | GitSubcommands.go:12:31:12:37 | tainted | This command depends on a $@. | GitSubcommands.go:10:13:10:19 | selection of URL | user-provided value |
 | GitSubcommands.go:13:31:13:37 | tainted | GitSubcommands.go:10:13:10:19 | selection of URL : pointer type | GitSubcommands.go:13:31:13:37 | tainted | This command depends on a $@. | GitSubcommands.go:10:13:10:19 | selection of URL | user-provided value |

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 + category: minorAnalysis
 +---
 + * `rsync` has been added to the list of commands which may evaluate its parameters as a shell command.
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,9 @@ private class ShellOrSudoExecution extends SystemCommandExecution::Range, DataFl`
`20`	`20`
`21`	`21`	`override DataFlow::Node getCommandName() { result = this.getAnArgument() }`
`22`	`22`
`23`		`- override predicate doubleDashIsSanitizing() { shellCommand.getStringValue().matches("%git") }`
	`23`	`+ override predicate doubleDashIsSanitizing() {`
	`24`	`+ shellCommand.getStringValue().matches("%" + ["git", "rsync"])`
	`25`	`+ }`
`24`	`26`	`}`
`25`	`27`
`26`	`28`	`private class SystemCommandExecutors extends SystemCommandExecution::Range, DataFlow::CallNode {`
`@@ -126,7 +128,7 @@ private string getASudoCommand() {`
`126`	`128`	`"fakeroot", "fakeroot-sysv", "su", "fakeroot-tcp", "fstab-decode", "jrunscript", "nohup",`
`127`	`129`	`"parallel", "find", "pkexec", "sg", "sem", "runcon", "sudoedit", "runuser", "stdbuf",`
`128`	`130`	`"system", "timeout", "xargs", "time", "awk", "gawk", "mawk", "nawk", "doas", "git", "access",`
`129`		`- "vsys", "userv", "sus", "super"`
	`131`	`+ "vsys", "userv", "sus", "super", "rsync"`
`130`	`132`	`]`
`131`	`133`	`}`
`132`	`134`