Merge pull request #87 from microsoft/powershell-port-injection-query

MathiasVP · web-flow · commit 435ee53054a9 · 2024-09-03T18:39:07.000+01:00
PS: Port `powershell/command-injection` from the internal repo
diff --git a/powershell/ql/src/experimental/CommandInjection.ql b/powershell/ql/src/experimental/CommandInjection.ql
@@ -0,0 +1,74 @@
+/**
+ * @name Command Injection
+ * @description Variable expression executed as command
+ * @kind problem
+ * @id powershell/tainted-command
+ * @problem.severity warning
+ * @precision low
+ * @tags security
+ */
+
+import powershell
+
+predicate containsScope(VarAccess outer, VarAccess inner) {
+  outer.getUserPath() = inner.getUserPath() and
+  outer != inner
+}
+
+predicate constantTernaryExpression(ConditionalExpr ternary) {
+  onlyConstantExpressions(ternary.getIfTrue()) and onlyConstantExpressions(ternary.getIfFalse())
+}
+
+predicate constantBinaryExpression(BinaryExpr binary) {
+  onlyConstantExpressions(binary.getLeft()) and onlyConstantExpressions(binary.getRight())
+}
+
+predicate onlyConstantExpressions(Expr expr){
+  expr instanceof StringConstExpression or constantBinaryExpression(expr) or constantTernaryExpression(expr)
+}
+
+VarAccess getNonConstantVariableAssignment(VarAccess varexpr) {
+  (
+    exists(AssignStmt assignment |
+      not onlyConstantExpressions(assignment.getRightHandSide().(CmdExpr).getExpr()) and
+      result = assignment.getLeftHandSide()
+    )
+  ) and
+  containsScope(result, varexpr)
+}
+
+VarAccess getParameterWithVariableScope(VarAccess varexpr) {
+  exists(Parameter parameter |
+    result = parameter.getName() and
+    containsScope(result, varexpr)
+  )
+}
+
+Expr getAllSubExpressions(Expr expr)
+{
+  result = expr or
+  result = getAllSubExpressions(expr.(ArrayLiteral).getAnElement()) or
+  result = getAllSubExpressions(expr.(ArrayExpr).getStatementBlock().getAStatement().(Pipeline).getAComponent().(CmdExpr).getExpr())
+}
+
+Expr dangerousCommandElement(Cmd command)
+{
+  (
+    command.getKind() = 28 or
+    command.getName() = "Invoke-Expression"
+  ) and
+  result = getAllSubExpressions(command.getAnElement())
+}
+
+from Expr commandarg, VarAccess unknownDeclaration
+where
+  exists(Cmd command |
+    (
+      unknownDeclaration = getNonConstantVariableAssignment(commandarg) or
+      unknownDeclaration = getParameterWithVariableScope(commandarg)
+    )
+    and
+    commandarg = dangerousCommandElement(command)
+  )
+select commandarg.(VarAccess).getLocation(), "Unsafe flow to command argument from $@.",
+  unknownDeclaration, unknownDeclaration.getUserPath()
diff --git a/powershell/ql/src/qlpack.yml b/powershell/ql/src/qlpack.yml
@@ -0,0 +1,11 @@
+name: microsoft-sdl/powershell-queries
+version: 0.0.1
+groups:
+  - powershell
+  - microsoft-all
+  - queries
+extractor: powershell
+dependencies:
+  microsoft-sdl/powershell-all: ${workspace}
+  codeql/suite-helpers: ${workspace}
+warnOnImplicitThis: true
