Skip to content

Commit b3681f7

Browse files
owen-mcowen-mc
committed
Model flow through Shellwords escape and shellescape
1 parent 6294c3b commit b3681f7

File tree

2 files changed

+27
-0
lines changed

2 files changed

+27
-0
lines changed

ruby/ql/lib/codeql/ruby/frameworks/stdlib/Shellwords.model.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/ruby-all
4+
extensible: summaryModel
5+
data:
6+
- ['Shellwords!', 'Method[escape,shellescape]', 'Argument[0]', 'ReturnValue', 'taint']

ruby/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@
44
| CommandInjection.rb:10:14:10:16 | cmd | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:10:14:10:16 | cmd | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
55
| CommandInjection.rb:11:17:11:22 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:11:17:11:22 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
66
| CommandInjection.rb:13:9:13:14 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:13:9:13:14 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
7+
| CommandInjection.rb:18:15:18:27 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:18:15:18:27 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
8+
| CommandInjection.rb:21:15:21:27 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:21:15:21:27 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
79
| CommandInjection.rb:30:19:30:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:30:19:30:24 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
810
| CommandInjection.rb:34:24:34:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:34:24:34:36 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
911
| CommandInjection.rb:35:39:35:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:35:39:35:51 | "grep #{...}" | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
@@ -22,11 +24,19 @@ edges
2224
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:10:14:10:16 | cmd | provenance | |
2325
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:11:17:11:22 | #{...} | provenance | |
2426
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:13:9:13:14 | #{...} | provenance | |
27+
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:17:40:17:42 | cmd | provenance | |
28+
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:20:45:20:47 | cmd | provenance | |
2529
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:30:19:30:24 | #{...} | provenance | |
2630
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:34:24:34:36 | "echo #{...}" | provenance | AdditionalTaintStep |
2731
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:35:39:35:51 | "grep #{...}" | provenance | AdditionalTaintStep |
2832
| CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:6:15:6:26 | ...[...] | provenance | |
2933
| CommandInjection.rb:6:15:6:26 | ...[...] | CommandInjection.rb:6:9:6:11 | cmd | provenance | |
34+
| CommandInjection.rb:17:9:17:18 | safe_cmd_1 | CommandInjection.rb:18:15:18:27 | #{...} | provenance | |
35+
| CommandInjection.rb:17:22:17:43 | call to escape | CommandInjection.rb:17:9:17:18 | safe_cmd_1 | provenance | |
36+
| CommandInjection.rb:17:40:17:42 | cmd | CommandInjection.rb:17:22:17:43 | call to escape | provenance | MaD:3 |
37+
| CommandInjection.rb:20:9:20:18 | safe_cmd_2 | CommandInjection.rb:21:15:21:27 | #{...} | provenance | |
38+
| CommandInjection.rb:20:22:20:48 | call to shellescape | CommandInjection.rb:20:9:20:18 | safe_cmd_2 | provenance | |
39+
| CommandInjection.rb:20:45:20:47 | cmd | CommandInjection.rb:20:22:20:48 | call to shellescape | provenance | MaD:3 |
3040
| CommandInjection.rb:47:9:47:11 | cmd | CommandInjection.rb:51:24:51:36 | "echo #{...}" | provenance | AdditionalTaintStep |
3141
| CommandInjection.rb:47:15:47:20 | call to params | CommandInjection.rb:47:15:47:26 | ...[...] | provenance | |
3242
| CommandInjection.rb:47:15:47:26 | ...[...] | CommandInjection.rb:47:9:47:11 | cmd | provenance | |
@@ -48,6 +58,7 @@ edges
4858
models
4959
| 1 | Sink: Terrapin::CommandLine!; Method[new].Argument[0]; command-injection |
5060
| 2 | Sink: Terrapin::CommandLine!; Method[new].Argument[1]; command-injection |
61+
| 3 | Summary: Shellwords!; Method[escape,shellescape]; Argument[0]; ReturnValue; taint |
5162
nodes
5263
| CommandInjection.rb:6:9:6:11 | cmd | semmle.label | cmd |
5364
| CommandInjection.rb:6:15:6:20 | call to params | semmle.label | call to params |
@@ -57,6 +68,14 @@ nodes
5768
| CommandInjection.rb:10:14:10:16 | cmd | semmle.label | cmd |
5869
| CommandInjection.rb:11:17:11:22 | #{...} | semmle.label | #{...} |
5970
| CommandInjection.rb:13:9:13:14 | #{...} | semmle.label | #{...} |
71+
| CommandInjection.rb:17:9:17:18 | safe_cmd_1 | semmle.label | safe_cmd_1 |
72+
| CommandInjection.rb:17:22:17:43 | call to escape | semmle.label | call to escape |
73+
| CommandInjection.rb:17:40:17:42 | cmd | semmle.label | cmd |
74+
| CommandInjection.rb:18:15:18:27 | #{...} | semmle.label | #{...} |
75+
| CommandInjection.rb:20:9:20:18 | safe_cmd_2 | semmle.label | safe_cmd_2 |
76+
| CommandInjection.rb:20:22:20:48 | call to shellescape | semmle.label | call to shellescape |
77+
| CommandInjection.rb:20:45:20:47 | cmd | semmle.label | cmd |
78+
| CommandInjection.rb:21:15:21:27 | #{...} | semmle.label | #{...} |
6079
| CommandInjection.rb:30:19:30:24 | #{...} | semmle.label | #{...} |
6180
| CommandInjection.rb:34:24:34:36 | "echo #{...}" | semmle.label | "echo #{...}" |
6281
| CommandInjection.rb:35:39:35:51 | "grep #{...}" | semmle.label | "grep #{...}" |
@@ -88,4 +107,6 @@ nodes
88107
| CommandInjection.rb:114:44:114:54 | ...[...] | semmle.label | ...[...] |
89108
subpaths
90109
testFailures
110+
| CommandInjection.rb:18:15:18:27 | #{...} | Unexpected result: Alert |
111+
| CommandInjection.rb:21:15:21:27 | #{...} | Unexpected result: Alert |
91112
| CommandInjection.rb:107:16:107:40 | "cat #{...}" | Unexpected result: Alert |

0 commit comments

Comments
 (0)