Skip to content

Commit aff299e

Browse files
egregius313egregius313
committed
Add ExecTaintedLocal
1 parent b39d508 commit aff299e

File tree

3 files changed

+30
-1
lines changed

3 files changed

+30
-1
lines changed

java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,4 +6,5 @@ category: minorAnalysis
66
* Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
77
* Added the `XssLocalQuery.qll` library to provide the `XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
88
* Added the `ExternallyControlledFormatStringLocalQuery.qll` library to provide the `ExternallyControlledFormatStringLocalFlow` taint-tracking module to reason about format string vulnerabilities caused by local data flow.
9-
* Added the `InsecureCookieQuery.qll` library to provide the `SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
9+
* Added the `InsecureCookieQuery.qll` library to provide the `SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
10+
* Added the `ExecTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToExecFlow` taint-tracking module to reason about command injection vulnerabilities caused by local data flow.

java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
/** Provides a taint-tracking configuration to reason about use of externally controlled strings for command injection vulnerabilities. */
2+
3+
import java
4+
private import semmle.code.java.dataflow.FlowSources
5+
private import semmle.code.java.security.ExternalProcess
6+
private import semmle.code.java.security.CommandArguments
7+
8+
/** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
9+
module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
10+
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
11+
12+
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
13+
14+
predicate isBarrier(DataFlow::Node node) {
15+
node.getType() instanceof PrimitiveType
16+
or
17+
node.getType() instanceof BoxedType
18+
or
19+
isSafeCommandArgument(node.asExpr())
20+
}
21+
}
22+
23+
/**
24+
* Taint-tracking flow for use of externally controlled strings to make command line commands.
25+
*/
26+
module LocalUserInputToArgumentToExecFlow =
27+
TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;

java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212
* external/cwe/cwe-088
1313
*/
1414

15+
import java
1516
import semmle.code.java.security.CommandLineQuery
1617
import LocalUserInputToArgumentToExecFlow::PathGraph
1718

0 commit comments

Comments
 (0)