recognize colon in command-prefixes

erik-krogh · erik-krogh · commit 320879bc1e57 · 2020-09-07T13:12:38.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -85,7 +85,7 @@ module UnsafeShellCommandConstruction {
       this = root.getALeaf() and
       root = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys) and
       exists(string prev | prev = this.getPreviousLeaf().getStringValue() |
-        prev.regexpMatch(".* ('|\")?[0-9a-zA-Z/]*")
+        prev.regexpMatch(".* ('|\")?[0-9a-zA-Z/:]*")
       )
     }
 
@@ -132,7 +132,7 @@ module UnsafeShellCommandConstruction {
       this = call.getFormatArgument(_) and
       call = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys) and
       exists(string formatString | call.getFormatString().mayHaveStringValue(formatString) |
-        formatString.regexpMatch(".* ('|\")?[0-9a-zA-Z/]*%.*")
+        formatString.regexpMatch(".* ('|\")?[0-9a-zA-Z/:]*%.*")
       )
     }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
@@ -176,6 +176,10 @@ nodes
 | lib/lib.js:315:22:315:25 | name |
 | lib/lib.js:320:23:320:26 | name |
 | lib/lib.js:320:23:320:26 | name |
+| lib/lib.js:324:40:324:42 | arg |
+| lib/lib.js:324:40:324:42 | arg |
+| lib/lib.js:325:49:325:51 | arg |
+| lib/lib.js:325:49:325:51 | arg |
 edges
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
@@ -388,6 +392,10 @@ edges
 | lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name |
 | lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name |
 | lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name |
+| lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg |
+| lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg |
+| lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg |
+| lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg |
 #select
 | lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |
@@ -441,3 +449,4 @@ edges
 | lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | $@ based on library input is later used in $@. | lib/lib.js:308:11:308:26 | "rm -rf " + name | String concatenation | lib/lib.js:308:3:308:27 | cp.exec ... + name) | shell command |
 | lib/lib.js:315:10:315:25 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name | $@ based on library input is later used in $@. | lib/lib.js:315:10:315:25 | "rm -rf " + name | String concatenation | lib/lib.js:315:2:315:26 | cp.exec ... + name) | shell command |
 | lib/lib.js:320:11:320:26 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name | $@ based on library input is later used in $@. | lib/lib.js:320:11:320:26 | "rm -rf " + name | String concatenation | lib/lib.js:320:3:320:27 | cp.exec ... + name) | shell command |
+| lib/lib.js:325:12:325:51 | "MyWind ... " + arg | lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg | $@ based on library input is later used in $@. | lib/lib.js:325:12:325:51 | "MyWind ... " + arg | String concatenation | lib/lib.js:326:2:326:13 | cp.exec(cmd) | shell command |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -319,4 +319,9 @@ module.exports.typeofcheck = function (name) {
 	} else {
 		cp.exec("rm -rf " + name); // NOT OK
 	}
+}
+
+module.exports.typeofcheck = function (arg) {
+	var cmd = "MyWindowCommand | findstr /i /c:" + arg; // NOT OK
+	cp.exec(cmd); 
 }

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ module UnsafeShellCommandConstruction {`
`85`	`85`	`this = root.getALeaf() and`
`86`	`86`	`root = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys) and`
`87`	`87`	`exists(string prev \| prev = this.getPreviousLeaf().getStringValue() \|`
`88`		`- prev.regexpMatch(".* ('\|\")?[0-9a-zA-Z/]*")`
	`88`	`+ prev.regexpMatch(".* ('\|\")?[0-9a-zA-Z/:]*")`
`89`	`89`	`)`
`90`	`90`	`}`
`91`	`91`
`@@ -132,7 +132,7 @@ module UnsafeShellCommandConstruction {`
`132`	`132`	`this = call.getFormatArgument(_) and`
`133`	`133`	`call = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys) and`
`134`	`134`	`exists(string formatString \| call.getFormatString().mayHaveStringValue(formatString) \|`
`135`		`- formatString.regexpMatch(".* ('\|\")?[0-9a-zA-Z/]%.")`
	`135`	`+ formatString.regexpMatch(".* ('\|\")?[0-9a-zA-Z/:]%.")`
`136`	`136`	`)`
`137`	`137`	`}`
`138`	`138`
Original file line number	Diff line number	Diff line change
`@@ -319,4 +319,9 @@ module.exports.typeofcheck = function (name) {`
`319`	`319`	`} else {`
`320`	`320`	`cp.exec("rm -rf " + name); // NOT OK`
`321`	`321`	`}`
	`322`	`+}`
	`323`	`+`
	`324`	`+module.exports.typeofcheck = function (arg) {`
	`325`	`+ var cmd = "MyWindowCommand \| findstr /i /c:" + arg; // NOT OK`
	`326`	`+ cp.exec(cmd);`
`322`	`327`	`}`