Commit de5470a
Add MaD barriers for Shellwords.escape and shellescape
Note that this will only block flow for queries that use the kind `command-injection`.
1 parent b3681f7 commit de5470a

File tree

2 files changed

+6
-21
lines changed

ruby/ql/lib/codeql/ruby/frameworks/stdlib/Shellwords.model.yml

Lines changed: 6 additions & 0 deletions
@@ -4,3 +4,9 @@ extensions:
44
extensible: summaryModel
55
data:
66
- ['Shellwords!', 'Method[escape,shellescape]', 'Argument[0]', 'ReturnValue', 'taint']
7+
8+
- addsTo:
9+
pack: codeql/ruby-all
10+
extensible: barrierModel
11+
data:
12+
- ['Shellwords!', 'Method[escape,shellescape].ReturnValue', 'command-injection']
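Review bot: the new `barrierModel` row only blocks flow of kind `command-injection`, while the `summaryModel` row on line 6 keeps propagating taint through `escape`/`shellescape` for every other kind, so add a short YAML comment above the `barrierModel` block stating that the taint summary is retained on purpose (other queries should still treat the escaped value as tainted) and that a further barrier row is needed if Shellwords escaping is meant to sanitize another kind. Without that comment a later reader is likely to treat the two rows as contradictory and delete one of them.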

ruby/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected

Lines changed: 0 additions & 21 deletions
@@ -4,8 +4,6 @@
44
| CommandInjection.rb:10:14:10:16 | cmd | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:10:14:10:16 | cmd | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
55
| CommandInjection.rb:11:17:11:22 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:11:17:11:22 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
66
| CommandInjection.rb:13:9:13:14 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:13:9:13:14 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
7-
| CommandInjection.rb:18:15:18:27 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:18:15:18:27 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
8-
| CommandInjection.rb:21:15:21:27 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:21:15:21:27 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
97
| CommandInjection.rb:30:19:30:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:30:19:30:24 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
108
| CommandInjection.rb:34:24:34:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:34:24:34:36 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
119
| CommandInjection.rb:35:39:35:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:35:39:35:51 | "grep #{...}" | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
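Review bot: the two alerts removed here, at `CommandInjection.rb:18:15:18:27` and `CommandInjection.rb:21:15:21:27`, are exactly the entries the `testFailures` section previously listed as `Unexpected result: Alert`, so this hunk matches the intended effect of the barrier; the alerts that stay (lines 10, 11, 13, 30, 34 and 35) never pass through a `Shellwords` call in the edges below and should be unaffected. It would help future maintenance to add a one-line comment in `CommandInjection.rb` next to `safe_cmd_1`/`safe_cmd_2` noting that these are expected to be suppressed by the `Shellwords` barrier.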
@@ -24,19 +22,11 @@ edges
2422
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:10:14:10:16 | cmd | provenance | |
2523
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:11:17:11:22 | #{...} | provenance | |
2624
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:13:9:13:14 | #{...} | provenance | |
27-
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:17:40:17:42 | cmd | provenance | |
28-
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:20:45:20:47 | cmd | provenance | |
2925
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:30:19:30:24 | #{...} | provenance | |
3026
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:34:24:34:36 | "echo #{...}" | provenance | AdditionalTaintStep |
3127
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:35:39:35:51 | "grep #{...}" | provenance | AdditionalTaintStep |
3228
| CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:6:15:6:26 | ...[...] | provenance | |
3329
| CommandInjection.rb:6:15:6:26 | ...[...] | CommandInjection.rb:6:9:6:11 | cmd | provenance | |
34-
| CommandInjection.rb:17:9:17:18 | safe_cmd_1 | CommandInjection.rb:18:15:18:27 | #{...} | provenance | |
35-
| CommandInjection.rb:17:22:17:43 | call to escape | CommandInjection.rb:17:9:17:18 | safe_cmd_1 | provenance | |
36-
| CommandInjection.rb:17:40:17:42 | cmd | CommandInjection.rb:17:22:17:43 | call to escape | provenance | MaD:3 |
37-
| CommandInjection.rb:20:9:20:18 | safe_cmd_2 | CommandInjection.rb:21:15:21:27 | #{...} | provenance | |
38-
| CommandInjection.rb:20:22:20:48 | call to shellescape | CommandInjection.rb:20:9:20:18 | safe_cmd_2 | provenance | |
39-
| CommandInjection.rb:20:45:20:47 | cmd | CommandInjection.rb:20:22:20:48 | call to shellescape | provenance | MaD:3 |
4030
| CommandInjection.rb:47:9:47:11 | cmd | CommandInjection.rb:51:24:51:36 | "echo #{...}" | provenance | AdditionalTaintStep |
4131
| CommandInjection.rb:47:15:47:20 | call to params | CommandInjection.rb:47:15:47:26 | ...[...] | provenance | |
4232
| CommandInjection.rb:47:15:47:26 | ...[...] | CommandInjection.rb:47:9:47:11 | cmd | provenance | |
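Review bot: the removed edges tagged `provenance | MaD:3` (the `cmd` to `call to escape` and `cmd` to `call to shellescape` steps at lines 17 and 20) are consistent with the barrier: once the escaped value is a barrier node, the paths into `safe_cmd_1`/`safe_cmd_2` no longer reach a sink and drop out of the path graph. Note that no edge into or out of the `Shellwords` calls remains, which also confirms the barrier is placed on the return value rather than on the argument, as the model row specifies.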
@@ -58,7 +48,6 @@ edges
5848
models
5949
| 1 | Sink: Terrapin::CommandLine!; Method[new].Argument[0]; command-injection |
6050
| 2 | Sink: Terrapin::CommandLine!; Method[new].Argument[1]; command-injection |
61-
| 3 | Summary: Shellwords!; Method[escape,shellescape]; Argument[0]; ReturnValue; taint |
6251
nodes
6352
| CommandInjection.rb:6:9:6:11 | cmd | semmle.label | cmd |
6453
| CommandInjection.rb:6:15:6:20 | call to params | semmle.label | call to params |
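Review bot: model `3` (`Summary: Shellwords!; Method[escape,shellescape]; Argument[0]; ReturnValue; taint`) disappears from the `models` table only because no reported path uses it any more; the summary row itself is still present in `Shellwords.model.yml`. Consider stating that in the commit message, since a reader diffing the expected file alone could conclude the taint summary was deleted rather than neutralised by the new barrier.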
@@ -68,14 +57,6 @@ nodes
6857
| CommandInjection.rb:10:14:10:16 | cmd | semmle.label | cmd |
6958
| CommandInjection.rb:11:17:11:22 | #{...} | semmle.label | #{...} |
7059
| CommandInjection.rb:13:9:13:14 | #{...} | semmle.label | #{...} |
71-
| CommandInjection.rb:17:9:17:18 | safe_cmd_1 | semmle.label | safe_cmd_1 |
72-
| CommandInjection.rb:17:22:17:43 | call to escape | semmle.label | call to escape |
73-
| CommandInjection.rb:17:40:17:42 | cmd | semmle.label | cmd |
74-
| CommandInjection.rb:18:15:18:27 | #{...} | semmle.label | #{...} |
75-
| CommandInjection.rb:20:9:20:18 | safe_cmd_2 | semmle.label | safe_cmd_2 |
76-
| CommandInjection.rb:20:22:20:48 | call to shellescape | semmle.label | call to shellescape |
77-
| CommandInjection.rb:20:45:20:47 | cmd | semmle.label | cmd |
78-
| CommandInjection.rb:21:15:21:27 | #{...} | semmle.label | #{...} |
7960
| CommandInjection.rb:30:19:30:24 | #{...} | semmle.label | #{...} |
8061
| CommandInjection.rb:34:24:34:36 | "echo #{...}" | semmle.label | "echo #{...}" |
8162
| CommandInjection.rb:35:39:35:51 | "grep #{...}" | semmle.label | "grep #{...}" |
@@ -107,6 +88,4 @@ nodes
10788
| CommandInjection.rb:114:44:114:54 | ...[...] | semmle.label | ...[...] |
10889
subpaths
10990
testFailures
110-
| CommandInjection.rb:18:15:18:27 | #{...} | Unexpected result: Alert |
111-
| CommandInjection.rb:21:15:21:27 | #{...} | Unexpected result: Alert |
11291
| CommandInjection.rb:107:16:107:40 | "cat #{...}" | Unexpected result: Alert |
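Review bot: after this change the `testFailures` section still contains `CommandInjection.rb:107:16:107:40 | "cat #{...}" | Unexpected result: Alert`, so the test remains in a failing state independent of the Shellwords barrier. That entry should either be resolved in this change or called out in the commit message as a pre-existing failure with a tracking reference, so the barrier change is not assumed to have introduced it.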