Merge pull request #4460 from max-schaefer/js/unsafe-shell-command-construction-infeasible-paths

codeql-ci · web-flow · commit 1d9b0ce05914 · 2020-10-16T05:05:29.000-07:00
Approved by asgerf
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
@@ -31,5 +31,15 @@ module UnsafeShellCommandConstruction {
       guard instanceof PathExistsSanitizerGuard or
       guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
     }
+
+    // override to require that there is a path without unmatched return steps
+    override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
+      super.hasFlowPath(source, sink) and
+      exists(DataFlow::MidPathNode mid |
+        source.getASuccessor*() = mid and
+        sink = mid.getASuccessor() and
+        mid.getPathSummary().hasReturn() = false
+      )
+    }
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
@@ -180,6 +180,17 @@ nodes
 | lib/lib.js:324:40:324:42 | arg |
 | lib/lib.js:325:49:325:51 | arg |
 | lib/lib.js:325:49:325:51 | arg |
+| lib/lib.js:329:13:329:13 | x |
+| lib/lib.js:329:13:329:13 | x |
+| lib/lib.js:330:9:330:9 | x |
+| lib/lib.js:336:22:336:31 | id("test") |
+| lib/lib.js:336:22:336:31 | id("test") |
+| lib/lib.js:339:39:339:39 | n |
+| lib/lib.js:339:39:339:39 | n |
+| lib/lib.js:340:22:340:26 | id(n) |
+| lib/lib.js:340:22:340:26 | id(n) |
+| lib/lib.js:340:22:340:26 | id(n) |
+| lib/lib.js:340:25:340:25 | n |
 edges
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
@@ -396,6 +407,16 @@ edges
 | lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg |
 | lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg |
 | lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg |
+| lib/lib.js:329:13:329:13 | x | lib/lib.js:330:9:330:9 | x |
+| lib/lib.js:329:13:329:13 | x | lib/lib.js:330:9:330:9 | x |
+| lib/lib.js:330:9:330:9 | x | lib/lib.js:336:22:336:31 | id("test") |
+| lib/lib.js:330:9:330:9 | x | lib/lib.js:336:22:336:31 | id("test") |
+| lib/lib.js:330:9:330:9 | x | lib/lib.js:340:22:340:26 | id(n) |
+| lib/lib.js:330:9:330:9 | x | lib/lib.js:340:22:340:26 | id(n) |
+| lib/lib.js:339:39:339:39 | n | lib/lib.js:340:25:340:25 | n |
+| lib/lib.js:339:39:339:39 | n | lib/lib.js:340:25:340:25 | n |
+| lib/lib.js:340:25:340:25 | n | lib/lib.js:340:22:340:26 | id(n) |
+| lib/lib.js:340:25:340:25 | n | lib/lib.js:340:22:340:26 | id(n) |
 #select
 | lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |
@@ -450,3 +471,4 @@ edges
 | lib/lib.js:315:10:315:25 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name | $@ based on library input is later used in $@. | lib/lib.js:315:10:315:25 | "rm -rf " + name | String concatenation | lib/lib.js:315:2:315:26 | cp.exec ... + name) | shell command |
 | lib/lib.js:320:11:320:26 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name | $@ based on library input is later used in $@. | lib/lib.js:320:11:320:26 | "rm -rf " + name | String concatenation | lib/lib.js:320:3:320:27 | cp.exec ... + name) | shell command |
 | lib/lib.js:325:12:325:51 | "MyWind ... " + arg | lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg | $@ based on library input is later used in $@. | lib/lib.js:325:12:325:51 | "MyWind ... " + arg | String concatenation | lib/lib.js:326:2:326:13 | cp.exec(cmd) | shell command |
+| lib/lib.js:340:10:340:26 | "rm -rf " + id(n) | lib/lib.js:339:39:339:39 | n | lib/lib.js:340:22:340:26 | id(n) | $@ based on library input is later used in $@. | lib/lib.js:340:10:340:26 | "rm -rf " + id(n) | String concatenation | lib/lib.js:340:2:340:27 | cp.exec ...  id(n)) | shell command |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -324,4 +324,18 @@ module.exports.typeofcheck = function (name) {
 module.exports.typeofcheck = function (arg) {
 	var cmd = "MyWindowCommand | findstr /i /c:" + arg; // NOT OK
 	cp.exec(cmd); 
-}
+}
+
+function id(x) {
+	return x;
+}
+
+module.exports.id = id;
+
+module.exports.unproblematic = function() {
+	cp.exec("rm -rf " + id("test")); // OK
+};
+
+module.exports.problematic = function(n) {
+	cp.exec("rm -rf " + id(n)); // NOT OK
+};

Original file line number	Diff line number	Diff line change
`@@ -31,5 +31,15 @@ module UnsafeShellCommandConstruction {`
`31`	`31`	`guard instanceof PathExistsSanitizerGuard or`
`32`	`32`	`guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer`
`33`	`33`	`}`
	`34`	`+`
	`35`	`+ // override to require that there is a path without unmatched return steps`
	`36`	`+ override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {`
	`37`	`+ super.hasFlowPath(source, sink) and`
	`38`	`+ exists(DataFlow::MidPathNode mid \|`
	`39`	`+ source.getASuccessor*() = mid and`
	`40`	`+ sink = mid.getASuccessor() and`
	`41`	`+ mid.getPathSummary().hasReturn() = false`
	`42`	`+ )`
	`43`	`+ }`
`34`	`44`	`}`
`35`	`45`	`}`