

Commit 17233a6

committed
JS: Port CommandInjection
1 parent ccd6d3d commit 17233a6

3 files changed

Lines changed: 181 additions & 311 deletions


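--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
@@ -11,25 +11,41 @@ import javascript
 import CommandInjectionCustomizations::CommandInjection
 import IndirectCommandArgument
 
+/**
+* Holds if `sink` is a data flow sink for command-injection vulnerabilities, and
+* the alert should be placed at the node `highlight`.
+*/
+predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
+sink instanceof Sink and highlight = sink
+or
+isIndirectCommandArgument(sink, highlight)
+}
+
 /**
 * A taint-tracking configuration for reasoning about command-injection vulnerabilities.
 */
-class Configuration extends TaintTracking::Configuration {
-Configuration() { this = "CommandInjection" }
+module CommandInjectionConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
+
+predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+* Taint-tracking for reasoning about command-injection vulnerabilities.
+*/
+module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;
 
-override predicate isSource(DataFlow::Node source) { source instanceof Source }
+/**
+* DEPRECATED. Use the `CommandInjectionFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "CommandInjection" }
 
-/**
-* Holds if `sink` is a data flow sink for command-injection vulnerabilities, and
-* the alert should be placed at the node `highlight`.
-*/
-predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
-sink instanceof Sink and highlight = sink
-or
-isIndirectCommandArgument(sink, highlight)
-}
+override predicate isSource(DataFlow::Node source) { CommandInjectionConfig::isSource(source) }
 
-override predicate isSink(DataFlow::Node sink) { this.isSinkWithHighlight(sink, _) }
+override predicate isSink(DataFlow::Node sink) { CommandInjectionConfig::isSink(sink) }
 
-override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+override predicate isSanitizer(DataFlow::Node node) { CommandInjectionConfig::isBarrier(node) }
 }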
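Review bot: The deprecated `Configuration` class is no longer a drop-in for the old one, because the member predicate `isSinkWithHighlight` (removed lines 22–30) is now only a top-level predicate, so any external query still calling `cfg.isSinkWithHighlight(...)` the way the pre-port CommandInjection.ql did will fail to compile instead of merely seeing a deprecation warning. Since the class is kept precisely as a compatibility shim, it should also keep a deprecated member predicate with the same signature and a doc comment pointing at the top-level replacement. The member body below restates the disjunction rather than calling the top-level predicate by name, because I am not certain whether an unqualified call inside the class body would resolve to the member of the same name or to the top-level one. The rest of the class (the three overrides) stays as the commit has it.
```ql
deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "CommandInjection" }

  /** DEPRECATED. Use the top-level `isSinkWithHighlight` predicate instead. */
  deprecated predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
    sink instanceof Sink and highlight = sink
    or
    isIndirectCommandArgument(sink, highlight)
  }

  // … unchanged: isSource / isSink / isSanitizer overrides …
}
```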

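--- a/javascript/ql/src/Security/CWE-078/CommandInjection.ql
+++ b/javascript/ql/src/Security/CWE-078/CommandInjection.ql
@@ -15,16 +15,16 @@
 
 import javascript
 import semmle.javascript.security.dataflow.CommandInjectionQuery
-import DataFlow::PathGraph
+import CommandInjectionFlow::PathGraph
 
 from
-Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight,
-Source sourceNode
+CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink,
+DataFlow::Node highlight, Source sourceNode
 where
-cfg.hasFlowPath(source, sink) and
+CommandInjectionFlow::flowPath(source, sink) and
 (
-if cfg.isSinkWithHighlight(sink.getNode(), _)
-then cfg.isSinkWithHighlight(sink.getNode(), highlight)
+if isSinkWithHighlight(sink.getNode(), _)
+then isSinkWithHighlight(sink.getNode(), highlight)
 else highlight = sink.getNode()
 ) and
 sourceNode = source.getNode()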
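Review bot: The `else highlight = sink.getNode()` branch of the conditional at new lines 26–28 looks unreachable: in this commit `CommandInjectionConfig::isSink` is defined as exactly `isSinkWithHighlight(sink, _)`, and `CommandInjectionFlow::flowPath` should only produce sink path nodes whose node satisfies `isSink`, so the `if` guard always holds. Since these lines are being rewritten anyway, the whole parenthesised conditional could be reduced to `isSinkWithHighlight(sink.getNode(), highlight)`. If the `else` is kept on purpose as a safety net for sinks that may later lack a highlight, a comment such as `// Fallback: every current sink has a highlight, so this branch is not expected to hold` would stop the next reader from puzzling over it. The query's `select` clause lies outside the hunk.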
