Merge pull request github#12879 from atorralba/atorralba/java/command-injection-mad-sinks

Java: Convert all command injection sinks to MaD format

Author: atorralba

java/ql/lib/change-notes/2023-04-19-deprecated-execcallable.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The `ExecCallable` class in `ExternalProcess.qll` has been deprecated.

java/ql/lib/ext/experimental/com.jcraft.jsch.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: experimentalSinkModel
+    data: 
+      - ["com.jcraft.jsch", "ChannelExec", True, "setCommand", "", "", "Argument[0]", "command-injection", "manual", "jsch-os-injection"]

java/ql/lib/ext/java.lang.model.yml

@@ -8,30 +8,30 @@ extensions:
       - ["java.lang", "ClassLoader", True, "getSystemResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.lang", "ClassLoader", True, "getSystemResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.lang", "Module", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["java.lang", "ProcessBuilder", False, "command", "(List)", "", "Argument[0]", "command-injection", "manual"]
+      - ["java.lang", "ProcessBuilder", False, "command", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "ProcessBuilder", False, "directory", "(File)", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(List)", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String[],String[])", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[2]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String,String[])", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[2]", "command-injection", "ai-manual"]
       # These are potential vulnerabilities, but not for command-injection. No query for this kind of vulnerability currently exists.
       # - ["java.lang", "Runtime", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
       # - ["java.lang", "Runtime", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # These are modeled in plain CodeQL. TODO: migrate them.
-      # - ["java.lang", "ProcessBuilder", False, "command", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "ProcessBuilder", False, "directory", "(File)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(List)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String,String[])", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String[],String[])", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[2]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[2]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "String", False, "matches", "(String)", "", "Argument[0]", "regex-use[f-1]", "manual"]
       - ["java.lang", "String", False, "replaceAll", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"]
       - ["java.lang", "String", False, "replaceFirst", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"]
       - ["java.lang", "String", False, "split", "(String)", "", "Argument[0]", "regex-use[-1]", "manual"]
       - ["java.lang", "String", False, "split", "(String,int)", "", "Argument[0]", "regex-use[-1]", "manual"]
-      # These are modeled in plain CodeQL. TODO: migrate them.
-      # - ["java.lang", "System", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] # This is actually injecting a library.
-      # - ["java.lang", "System", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] # This is actually injecting a library.
+      # These are potential vulnerabilities, but not for command-injection. No query for this kind of vulnerability currently exists.
+      # - ["java.lang", "System", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
+      # - ["java.lang", "System", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "System$Logger", True, "log", "(Level,Object)", "", "Argument[1]", "log-injection", "manual"]
       - ["java.lang", "System$Logger", True, "log", "(Level,ResourceBundle,String,Object[])", "", "Argument[2..3]", "log-injection", "manual"]
       - ["java.lang", "System$Logger", True, "log", "(Level,ResourceBundle,String,Throwable)", "", "Argument[2]", "log-injection", "manual"]

java/ql/lib/ext/org.apache.commons.exec.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.commons.exec", "CommandLine", True, "parse", "(String)", "", "Argument[0]", "command-injection", "manual"]
+      - ["org.apache.commons.exec", "CommandLine", True, "parse", "(String,Map)", "", "Argument[0]", "command-injection", "manual"]
+      - ["org.apache.commons.exec", "CommandLine", True, "addArguments", "(String)", "", "Argument[0]", "command-injection", "manual"]
+      - ["org.apache.commons.exec", "CommandLine", True, "addArguments", "(String,boolean)", "", "Argument[0]", "command-injection", "manual"]
+      - ["org.apache.commons.exec", "CommandLine", True, "addArguments", "(String[])", "", "Argument[0]", "command-injection", "manual"]
+      - ["org.apache.commons.exec", "CommandLine", True, "addArguments", "(String[],boolean)", "", "Argument[0]", "command-injection", "manual"]

java/ql/lib/semmle/code/java/JDK.qll

@@ -199,18 +199,18 @@ class TypeFile extends Class {
 
 // --- Standard methods ---
 /**
- * Any constructor of class `java.lang.ProcessBuilder`.
+ * DEPRECATED: Any constructor of class `java.lang.ProcessBuilder`.
  */
-class ProcessBuilderConstructor extends Constructor, ExecCallable {
+deprecated class ProcessBuilderConstructor extends Constructor, ExecCallable {
   ProcessBuilderConstructor() { this.getDeclaringType() instanceof TypeProcessBuilder }
 
   override int getAnExecutedArgument() { result = 0 }
 }
 
 /**
- * Any of the methods named `command` on class `java.lang.ProcessBuilder`.
+ * DEPRECATED: Any of the methods named `command` on class `java.lang.ProcessBuilder`.
  */
-class MethodProcessBuilderCommand extends Method, ExecCallable {
+deprecated class MethodProcessBuilderCommand extends Method, ExecCallable {
   MethodProcessBuilderCommand() {
     this.hasName("command") and
     this.getDeclaringType() instanceof TypeProcessBuilder
@@ -220,9 +220,9 @@ class MethodProcessBuilderCommand extends Method, ExecCallable {
 }
 
 /**
- * Any method named `exec` on class `java.lang.Runtime`.
+ * DEPRECATED: Any method named `exec` on class `java.lang.Runtime`.
  */
-class MethodRuntimeExec extends Method, ExecCallable {
+deprecated class MethodRuntimeExec extends Method, ExecCallable {
   MethodRuntimeExec() {
     this.hasName("exec") and
     this.getDeclaringType() instanceof TypeRuntime

java/ql/lib/semmle/code/java/frameworks/apache/Exec.qll

@@ -10,8 +10,8 @@
 import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
-private import semmle.code.java.security.ExternalProcess
 private import semmle.code.java.security.CommandArguments
+private import semmle.code.java.security.ExternalProcess
 
 /** A sink for command injection vulnerabilities. */
 abstract class CommandInjectionSink extends DataFlow::Node { }
@@ -33,9 +33,7 @@ class CommandInjectionAdditionalTaintStep extends Unit {
 }
 
 private class DefaultCommandInjectionSink extends CommandInjectionSink {
-  DefaultCommandInjectionSink() {
-    this.asExpr() instanceof ArgumentToExec or sinkNode(this, "command-injection")
-  }
+  DefaultCommandInjectionSink() { sinkNode(this, "command-injection") }
 }
 
 private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
@@ -100,7 +98,7 @@ predicate execIsTainted(
   RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
 ) {
   RemoteUserInputToArgumentToExecFlow::flowPath(source, sink) and
-  sink.getNode().asExpr() = execArg
+  argumentToExec(execArg, sink.getNode())
 }
 
 /**
@@ -112,7 +110,7 @@ predicate execIsTainted(
  */
 deprecated predicate execTainted(DataFlow::PathNode source, DataFlow::PathNode sink, Expr execArg) {
   exists(RemoteUserInputToArgumentToExecFlowConfig conf |
-    conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = execArg
+    conf.hasFlowPath(source, sink) and argumentToExec(execArg, sink.getNode())
   )
 }
 

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -1,16 +1,13 @@
 /** Definitions related to external processes. */
 
 import semmle.code.java.Member
-
-private module Instances {
-  private import semmle.code.java.JDK
-  private import semmle.code.java.frameworks.apache.Exec
-}
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.security.CommandLineQuery
 
 /**
- * A callable that executes a command.
+ * DEPRECATED: A callable that executes a command.
  */
-abstract class ExecCallable extends Callable {
+abstract deprecated class ExecCallable extends Callable {
   /**
    * Gets the index of an argument that will be part of the command that is executed.
    */
@@ -23,13 +20,19 @@ abstract class ExecCallable extends Callable {
  * to be executed.
  */
 class ArgumentToExec extends Expr {
-  ArgumentToExec() {
-    exists(Call execCall, ExecCallable execCallable, int i |
-      execCall.getArgument(pragma[only_bind_into](i)) = this and
-      execCallable = execCall.getCallee() and
-      i = execCallable.getAnExecutedArgument()
-    )
-  }
+  ArgumentToExec() { argumentToExec(this, _) }
+}
+
+/**
+ * Holds if `e` is an expression used as an argument to a call that executes an external command.
+ * For calls to varargs method calls, this only includes the first argument, which will be the command
+ * to be executed.
+ */
+predicate argumentToExec(Expr e, CommandInjectionSink s) {
+  s.asExpr() = e
+  or
+  e.(Argument).isNthVararg(0) and
+  s.(DataFlow::ImplicitVarargsArray).getCall() = e.(Argument).getCall()
 }
 
 /**

java/ql/lib/semmle/code/java/security/ExternalProcess.qll

@@ -14,11 +14,14 @@
 
 import java
 import semmle.code.java.security.CommandLineQuery
+import semmle.code.java.security.ExternalProcess
 import LocalUserInputToArgumentToExecFlow::PathGraph
 
 from
   LocalUserInputToArgumentToExecFlow::PathNode source,
-  LocalUserInputToArgumentToExecFlow::PathNode sink
-where LocalUserInputToArgumentToExecFlow::flowPath(source, sink)
-select sink.getNode().asExpr(), source, sink, "This command line depends on a $@.",
-  source.getNode(), "user-provided value"
+  LocalUserInputToArgumentToExecFlow::PathNode sink, Expr e
+where
+  LocalUserInputToArgumentToExecFlow::flowPath(source, sink) and
+  argumentToExec(e, sink.getNode())
+select e, source, sink, "This command line depends on a $@.", source.getNode(),
+  "user-provided value"

java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql

@@ -14,6 +14,7 @@
 
 import java
 import semmle.code.java.security.CommandLineQuery
+import semmle.code.java.security.ExternalProcess
 
 /**
  * Strings that are known to be sane by some simple local analysis. Such strings