Formatting

atorralba · atorralba · commit b5d08ade59d3 · 2023-08-01T09:35:25.000+02:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
@@ -17,10 +17,9 @@ import ExecUserFlow::PathGraph
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 from
-  ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink,
-  MethodAccess call, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd
-where
-  callIsTaintedByUserInputAndDangerousCommand(call, source, sink, sourceCmd, sinkCmd)
+  ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, MethodAccess call,
+  DataFlow::Node sourceCmd, DataFlow::Node sinkCmd
+where callIsTaintedByUserInputAndDangerousCommand(call, source, sink, sourceCmd, sinkCmd)
 select sink, source, sink,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
   sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll
@@ -89,9 +89,7 @@ deprecated class ExecTaintConfiguration2 extends TaintTracking::Configuration {
 }
 
 module ExecUserFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source instanceof Source
-  }
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
 
   predicate isSink(DataFlow::Node sink) {
     exists(RuntimeExecMethod method, MethodAccess call |
@@ -155,7 +153,10 @@ class UnSafeExecutable extends string {
   }
 }
 
-predicate callIsTaintedByUserInputAndDangerousCommand(MethodAccess call, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd) {
+predicate callIsTaintedByUserInputAndDangerousCommand(
+  MethodAccess call, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink,
+  DataFlow::Node sourceCmd, DataFlow::Node sinkCmd
+) {
   call.getMethod() instanceof RuntimeExecMethod and
   // this is a command-accepting call to exec, e.g. rt.exec(new String[]{"/bin/sh", ...})
   (
@@ -167,4 +168,4 @@ predicate callIsTaintedByUserInputAndDangerousCommand(MethodAccess call, ExecUse
     ExecUserFlow::flowPath(source, sink) and
     sink.getNode().asExpr() = call.getArgument(0)
   )
-}
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
@@ -18,10 +18,9 @@ import ExecUserFlow::PathGraph
 class LocalSource extends Source instanceof LocalUserInput { }
 
 from
-  ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink,
-  MethodAccess call, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd
-where
-  callIsTaintedByUserInputAndDangerousCommand(call, source, sink, sourceCmd, sinkCmd)
+  ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, MethodAccess call,
+  DataFlow::Node sourceCmd, DataFlow::Node sinkCmd
+where callIsTaintedByUserInputAndDangerousCommand(call, source, sink, sourceCmd, sinkCmd)
 select sink, source, sink,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
   sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()

Original file line number	Diff line number	Diff line change
`@@ -89,9 +89,7 @@ deprecated class ExecTaintConfiguration2 extends TaintTracking::Configuration {`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`module ExecUserFlowConfig implements DataFlow::ConfigSig {`
`92`		`- predicate isSource(DataFlow::Node source) {`
`93`		`- source instanceof Source`
`94`		`- }`
	`92`	`+ predicate isSource(DataFlow::Node source) { source instanceof Source }`
`95`	`93`
`96`	`94`	`predicate isSink(DataFlow::Node sink) {`
`97`	`95`	`exists(RuntimeExecMethod method, MethodAccess call \|`
`@@ -155,7 +153,10 @@ class UnSafeExecutable extends string {`
`155`	`153`	`}`
`156`	`154`	`}`
`157`	`155`
`158`		`-predicate callIsTaintedByUserInputAndDangerousCommand(MethodAccess call, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd) {`
	`156`	`+predicate callIsTaintedByUserInputAndDangerousCommand(`
	`157`	`+ MethodAccess call, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink,`
	`158`	`+ DataFlow::Node sourceCmd, DataFlow::Node sinkCmd`
	`159`	`+) {`
`159`	`160`	`call.getMethod() instanceof RuntimeExecMethod and`
`160`	`161`	`// this is a command-accepting call to exec, e.g. rt.exec(new String[]{"/bin/sh", ...})`
`161`	`162`	`(`
`@@ -167,4 +168,4 @@ predicate callIsTaintedByUserInputAndDangerousCommand(MethodAccess call, ExecUse`
`167`	`168`	`ExecUserFlow::flowPath(source, sink) and`
`168`	`169`	`sink.getNode().asExpr() = call.getArgument(0)`
`169`	`170`	`)`
`170`		`-}`
	`171`	`+}`