Merge pull request #5746 from owen-mc/java/refactor-exec-tainted

owen-mc · web-flow · commit fea9f5f431eb · 2021-04-22T10:14:28.000+01:00
Make ExecTainted easier to extend
diff --git a/java/ql/src/semmle/code/java/JDK.qll b/java/ql/src/semmle/code/java/JDK.qll
@@ -3,6 +3,7 @@
  */
 
 import Member
+import semmle.code.java.security.ExternalProcess
 
 // --- Standard types ---
 /** The class `java.lang.Object`. */
@@ -176,24 +177,37 @@ class TypeFile extends Class {
 }
 
 // --- Standard methods ---
+/**
+ * Any constructor of class `java.lang.ProcessBuilder`.
+ */
+class ProcessBuilderConstructor extends Constructor, ExecCallable {
+  ProcessBuilderConstructor() { this.getDeclaringType() instanceof TypeProcessBuilder }
+
+  override int getAnExecutedArgument() { result = 0 }
+}
+
 /**
  * Any of the methods named `command` on class `java.lang.ProcessBuilder`.
  */
-class MethodProcessBuilderCommand extends Method {
+class MethodProcessBuilderCommand extends Method, ExecCallable {
   MethodProcessBuilderCommand() {
     hasName("command") and
     getDeclaringType() instanceof TypeProcessBuilder
   }
+
+  override int getAnExecutedArgument() { result = 0 }
 }
 
 /**
  * Any method named `exec` on class `java.lang.Runtime`.
  */
-class MethodRuntimeExec extends Method {
+class MethodRuntimeExec extends Method, ExecCallable {
   MethodRuntimeExec() {
     hasName("exec") and
     getDeclaringType() instanceof TypeRuntime
   }
+
+  override int getAnExecutedArgument() { result = 0 }
 }
 
 /**
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll b/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll
@@ -1,20 +1,28 @@
 /* Definitions related to the Apache Commons Exec library. */
 import semmle.code.java.Type
+import semmle.code.java.security.ExternalProcess
 
-library class TypeCommandLine extends Class {
+/** The class `org.apache.commons.exec.CommandLine`. */
+private class TypeCommandLine extends Class {
   TypeCommandLine() { hasQualifiedName("org.apache.commons.exec", "CommandLine") }
 }
 
-library class MethodCommandLineParse extends Method {
+/** The `parse()` method of the class `org.apache.commons.exec.CommandLine`. */
+private class MethodCommandLineParse extends Method, ExecCallable {
   MethodCommandLineParse() {
     getDeclaringType() instanceof TypeCommandLine and
     hasName("parse")
   }
+
+  override int getAnExecutedArgument() { result = 0 }
 }
 
-library class MethodCommandLineAddArguments extends Method {
+/** The `addArguments()` method of the class `org.apache.commons.exec.CommandLine`. */
+private class MethodCommandLineAddArguments extends Method, ExecCallable {
   MethodCommandLineAddArguments() {
     getDeclaringType() instanceof TypeCommandLine and
     hasName("addArguments")
   }
+
+  override int getAnExecutedArgument() { result = 0 }
 }
diff --git a/java/ql/src/semmle/code/java/security/ExternalProcess.qll b/java/ql/src/semmle/code/java/security/ExternalProcess.qll
@@ -1,7 +1,20 @@
 /* Definitions related to external processes. */
 import semmle.code.java.Member
-import semmle.code.java.JDK
-import semmle.code.java.frameworks.apache.Exec
+
+private module Instances {
+  private import semmle.code.java.JDK
+  private import semmle.code.java.frameworks.apache.Exec
+}
+
+/**
+ * A callable that executes a command.
+ */
+abstract class ExecCallable extends Callable {
+  /**
+   * Gets the index of an argument that will be part of the command that is executed.
+   */
+  abstract int getAnExecutedArgument();
+}
 
 /**
  * An expression used as an argument to a call that executes an external command. For calls to
@@ -10,21 +23,10 @@ import semmle.code.java.frameworks.apache.Exec
  */
 class ArgumentToExec extends Expr {
   ArgumentToExec() {
-    exists(MethodAccess execCall, Method method |
-      execCall.getArgument(0) = this and
-      method = execCall.getMethod() and
-      (
-        method instanceof MethodRuntimeExec or
-        method instanceof MethodProcessBuilderCommand or
-        method instanceof MethodCommandLineParse or
-        method instanceof MethodCommandLineAddArguments
-      )
-    )
-    or
-    exists(ConstructorCall expr, Constructor cons |
-      expr.getConstructor() = cons and
-      cons.getDeclaringType().hasQualifiedName("java.lang", "ProcessBuilder") and
-      expr.getArgument(0) = this
+    exists(Call execCall, ExecCallable execCallable, int i |
+      execCall.getArgument(pragma[only_bind_into](i)) = this and
+      execCallable = execCall.getCallee() and
+      i = execCallable.getAnExecutedArgument()
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,20 +1,28 @@`
`1`	`1`	`/* Definitions related to the Apache Commons Exec library. */`
`2`	`2`	`import semmle.code.java.Type`
	`3`	`+import semmle.code.java.security.ExternalProcess`
`3`	`4`
`4`		`-library class TypeCommandLine extends Class {`
	`5`	+/** The class `org.apache.commons.exec.CommandLine`. */
	`6`	`+private class TypeCommandLine extends Class {`
`5`	`7`	`TypeCommandLine() { hasQualifiedName("org.apache.commons.exec", "CommandLine") }`
`6`	`8`	`}`
`7`	`9`
`8`		`-library class MethodCommandLineParse extends Method {`
	`10`	+/** The `parse()` method of the class `org.apache.commons.exec.CommandLine`. */
	`11`	`+private class MethodCommandLineParse extends Method, ExecCallable {`
`9`	`12`	`MethodCommandLineParse() {`
`10`	`13`	`getDeclaringType() instanceof TypeCommandLine and`
`11`	`14`	`hasName("parse")`
`12`	`15`	`}`
	`16`	`+`
	`17`	`+ override int getAnExecutedArgument() { result = 0 }`
`13`	`18`	`}`
`14`	`19`
`15`		`-library class MethodCommandLineAddArguments extends Method {`
	`20`	+/** The `addArguments()` method of the class `org.apache.commons.exec.CommandLine`. */
	`21`	`+private class MethodCommandLineAddArguments extends Method, ExecCallable {`
`16`	`22`	`MethodCommandLineAddArguments() {`
`17`	`23`	`getDeclaringType() instanceof TypeCommandLine and`
`18`	`24`	`hasName("addArguments")`
`19`	`25`	`}`
	`26`	`+`
	`27`	`+ override int getAnExecutedArgument() { result = 0 }`
`20`	`28`	`}`