Merge pull request #2240 from max-schaefer/js/indirect-command-argument-data-flow

semmle-qlci · web-flow · commit e8e2f7bb20a8 · 2019-11-01T11:00:22.000Z
Approved by esbena
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll b/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll
@@ -10,7 +10,7 @@ import javascript
  * That is, either `shell` is a Unix shell (`sh` or similar) and
  * `arg` is `"-c"`, or `shell` is `cmd.exe` and `arg` is `"/c"`.
  */
-private predicate shellCmd(ConstantString shell, string arg) {
+private predicate shellCmd(Expr shell, string arg) {
   exists(string s | s = shell.getStringValue() |
     (s = "sh" or s = "bash" or s = "/bin/sh" or s = "/bin/bash") and
     arg = "-c"
@@ -23,25 +23,29 @@ private predicate shellCmd(ConstantString shell, string arg) {
 }
 
 /**
- * Data flow configuration for tracking string literals that look like they
- * may refer to an operating-system shell, and array literals that may end up being
- * interpreted as argument lists for system commands.
+ * Gets a data-flow node whose value ends up being interpreted as the command argument in `sys`
+ * after a flow summarized by `t`.
  */
-private class ArgumentListTracking extends DataFlow::Configuration {
-  ArgumentListTracking() { this = "ArgumentListTracking" }
-
-  override predicate isSource(DataFlow::Node nd) {
-    nd instanceof DataFlow::ArrayCreationNode
-    or
-    exists(ConstantString shell | shellCmd(shell, _) | nd = DataFlow::valueNode(shell))
-  }
+private DataFlow::Node commandArgument(SystemCommandExecution sys, DataFlow::TypeBackTracker t) {
+  t.start() and
+  result = sys.getACommandArgument()
+  or
+  exists(DataFlow::TypeBackTracker t2 |
+    t = t2.smallstep(result, commandArgument(sys, t2))
+  )
+}
 
-  override predicate isSink(DataFlow::Node nd) {
-    exists(SystemCommandExecution sys |
-      nd = sys.getACommandArgument() or
-      nd = sys.getArgumentList()
-    )
-  }
+/**
+ * Gets a data-flow node whose value ends up being interpreted as the argument list in `sys`
+ * after a flow summarized by `t`.
+ */
+private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::TypeBackTracker t) {
+  t.start() and
+  result = sys.getArgumentList().getALocalSource()
+  or
+  exists(DataFlow::TypeBackTracker t2 |
+    result = argumentList(sys, t2).backtrack(t2, t)
+  )
 }
 
 /**
@@ -60,11 +64,11 @@ private class ArgumentListTracking extends DataFlow::Configuration {
  */
 predicate isIndirectCommandArgument(DataFlow::Node source, SystemCommandExecution sys) {
   exists(
-    ArgumentListTracking cfg, DataFlow::ArrayCreationNode args, ConstantString shell, string dashC
+    DataFlow::ArrayCreationNode args, DataFlow::Node shell, string dashC
   |
-    shellCmd(shell, dashC) and
-    cfg.hasFlow(DataFlow::valueNode(shell), sys.getACommandArgument()) and
-    cfg.hasFlow(args, sys.getArgumentList()) and
+    shellCmd(shell.asExpr(), dashC) and
+    shell = commandArgument(sys, DataFlow::TypeBackTracker::end()) and
+    args = argumentList(sys, DataFlow::TypeBackTracker::end()) and
     args.getAPropertyWrite().getRhs().mayHaveStringValue(dashC) and
     source = args.getAPropertyWrite().getRhs()
   )
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -22,48 +22,12 @@ nodes
 | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
 | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
 | child_process-test.js:25:21:25:23 | cmd |
-| child_process-test.js:36:7:36:20 | sh |
-| child_process-test.js:36:12:36:20 | 'cmd.exe' |
-| child_process-test.js:36:12:36:20 | 'cmd.exe' |
-| child_process-test.js:38:7:38:20 | sh |
-| child_process-test.js:38:12:38:20 | '/bin/sh' |
-| child_process-test.js:38:12:38:20 | '/bin/sh' |
-| child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:39:18:39:30 | [ flag, cmd ] |
-| child_process-test.js:39:18:39:30 | [ flag, cmd ] |
-| child_process-test.js:39:18:39:30 | [ flag, cmd ] |
 | child_process-test.js:39:26:39:28 | cmd |
 | child_process-test.js:39:26:39:28 | cmd |
-| child_process-test.js:41:9:41:17 | args |
-| child_process-test.js:41:16:41:17 | [] |
-| child_process-test.js:41:16:41:17 | [] |
 | child_process-test.js:43:15:43:17 | cmd |
 | child_process-test.js:43:15:43:17 | cmd |
-| child_process-test.js:44:17:44:27 | "/bin/bash" |
-| child_process-test.js:44:17:44:27 | "/bin/bash" |
-| child_process-test.js:44:17:44:27 | "/bin/bash" |
-| child_process-test.js:44:30:44:33 | args |
-| child_process-test.js:44:30:44:33 | args |
-| child_process-test.js:46:9:46:12 | "sh" |
-| child_process-test.js:46:9:46:12 | "sh" |
-| child_process-test.js:46:15:46:18 | args |
-| child_process-test.js:48:9:48:17 | args |
-| child_process-test.js:48:16:48:17 | [] |
-| child_process-test.js:48:16:48:17 | [] |
 | child_process-test.js:50:15:50:17 | cmd |
 | child_process-test.js:50:15:50:17 | cmd |
-| child_process-test.js:51:17:51:32 | `/bin` + "/bash" |
-| child_process-test.js:51:17:51:32 | `/bin` + "/bash" |
-| child_process-test.js:51:17:51:32 | `/bin` + "/bash" |
-| child_process-test.js:51:35:51:38 | args |
-| child_process-test.js:51:35:51:38 | args |
-| child_process-test.js:55:14:55:16 | cmd |
-| child_process-test.js:55:19:55:22 | args |
-| child_process-test.js:56:12:56:14 | cmd |
-| child_process-test.js:56:12:56:14 | cmd |
-| child_process-test.js:56:17:56:20 | args |
-| child_process-test.js:56:17:56:20 | args |
 | execSeries.js:3:20:3:22 | arr |
 | execSeries.js:6:14:6:16 | arr |
 | execSeries.js:6:14:6:21 | arr[i++] |
@@ -114,9 +78,6 @@ nodes
 | third-party-command-injection.js:5:20:5:26 | command |
 | third-party-command-injection.js:6:21:6:27 | command |
 | third-party-command-injection.js:6:21:6:27 | command |
-| tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] |
-| tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] |
-| tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] |
 edges
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd |
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd |
@@ -146,33 +107,6 @@ edges
 | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
 | child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
 | child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
-| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:36:12:36:20 | 'cmd.exe' | child_process-test.js:36:7:36:20 | sh |
-| child_process-test.js:36:12:36:20 | 'cmd.exe' | child_process-test.js:36:7:36:20 | sh |
-| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:38:12:38:20 | '/bin/sh' | child_process-test.js:38:7:38:20 | sh |
-| child_process-test.js:38:12:38:20 | '/bin/sh' | child_process-test.js:38:7:38:20 | sh |
-| child_process-test.js:39:18:39:30 | [ flag, cmd ] | child_process-test.js:39:18:39:30 | [ flag, cmd ] |
-| child_process-test.js:41:9:41:17 | args | child_process-test.js:44:30:44:33 | args |
-| child_process-test.js:41:9:41:17 | args | child_process-test.js:44:30:44:33 | args |
-| child_process-test.js:41:9:41:17 | args | child_process-test.js:46:15:46:18 | args |
-| child_process-test.js:41:16:41:17 | [] | child_process-test.js:41:9:41:17 | args |
-| child_process-test.js:41:16:41:17 | [] | child_process-test.js:41:9:41:17 | args |
-| child_process-test.js:44:17:44:27 | "/bin/bash" | child_process-test.js:44:17:44:27 | "/bin/bash" |
-| child_process-test.js:46:9:46:12 | "sh" | child_process-test.js:55:14:55:16 | cmd |
-| child_process-test.js:46:9:46:12 | "sh" | child_process-test.js:55:14:55:16 | cmd |
-| child_process-test.js:46:15:46:18 | args | child_process-test.js:55:19:55:22 | args |
-| child_process-test.js:48:9:48:17 | args | child_process-test.js:51:35:51:38 | args |
-| child_process-test.js:48:9:48:17 | args | child_process-test.js:51:35:51:38 | args |
-| child_process-test.js:48:16:48:17 | [] | child_process-test.js:48:9:48:17 | args |
-| child_process-test.js:48:16:48:17 | [] | child_process-test.js:48:9:48:17 | args |
-| child_process-test.js:51:17:51:32 | `/bin` + "/bash" | child_process-test.js:51:17:51:32 | `/bin` + "/bash" |
-| child_process-test.js:55:14:55:16 | cmd | child_process-test.js:56:12:56:14 | cmd |
-| child_process-test.js:55:14:55:16 | cmd | child_process-test.js:56:12:56:14 | cmd |
-| child_process-test.js:55:19:55:22 | args | child_process-test.js:56:17:56:20 | args |
-| child_process-test.js:55:19:55:22 | args | child_process-test.js:56:17:56:20 | args |
 | execSeries.js:3:20:3:22 | arr | execSeries.js:6:14:6:16 | arr |
 | execSeries.js:6:14:6:16 | arr | execSeries.js:6:14:6:21 | arr[i++] |
 | execSeries.js:6:14:6:21 | arr[i++] | execSeries.js:14:24:14:30 | command |
@@ -222,7 +156,6 @@ edges
 | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command |
 | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command |
 | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command |
-| tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] | tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] |
 #select
 | child_process-test.js:17:13:17:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:17:13:17:15 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:18:17:18:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:18:17:18:19 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected
@@ -1,40 +1,4 @@
 nodes
-| child_process-test.js:36:7:36:20 | sh |
-| child_process-test.js:36:12:36:20 | 'cmd.exe' |
-| child_process-test.js:36:12:36:20 | 'cmd.exe' |
-| child_process-test.js:38:7:38:20 | sh |
-| child_process-test.js:38:12:38:20 | '/bin/sh' |
-| child_process-test.js:38:12:38:20 | '/bin/sh' |
-| child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:39:18:39:30 | [ flag, cmd ] |
-| child_process-test.js:39:18:39:30 | [ flag, cmd ] |
-| child_process-test.js:39:18:39:30 | [ flag, cmd ] |
-| child_process-test.js:41:9:41:17 | args |
-| child_process-test.js:41:16:41:17 | [] |
-| child_process-test.js:41:16:41:17 | [] |
-| child_process-test.js:44:17:44:27 | "/bin/bash" |
-| child_process-test.js:44:17:44:27 | "/bin/bash" |
-| child_process-test.js:44:17:44:27 | "/bin/bash" |
-| child_process-test.js:44:30:44:33 | args |
-| child_process-test.js:44:30:44:33 | args |
-| child_process-test.js:46:9:46:12 | "sh" |
-| child_process-test.js:46:9:46:12 | "sh" |
-| child_process-test.js:46:15:46:18 | args |
-| child_process-test.js:48:9:48:17 | args |
-| child_process-test.js:48:16:48:17 | [] |
-| child_process-test.js:48:16:48:17 | [] |
-| child_process-test.js:51:17:51:32 | `/bin` + "/bash" |
-| child_process-test.js:51:17:51:32 | `/bin` + "/bash" |
-| child_process-test.js:51:17:51:32 | `/bin` + "/bash" |
-| child_process-test.js:51:35:51:38 | args |
-| child_process-test.js:51:35:51:38 | args |
-| child_process-test.js:55:14:55:16 | cmd |
-| child_process-test.js:55:19:55:22 | args |
-| child_process-test.js:56:12:56:14 | cmd |
-| child_process-test.js:56:12:56:14 | cmd |
-| child_process-test.js:56:17:56:20 | args |
-| child_process-test.js:56:17:56:20 | args |
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
@@ -84,37 +48,7 @@ nodes
 | command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` |
 | command-line-parameter-command-injection.js:27:32:27:35 | args |
 | command-line-parameter-command-injection.js:27:32:27:45 | args.join(' ') |
-| tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] |
-| tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] |
-| tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] |
 edges
-| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:36:12:36:20 | 'cmd.exe' | child_process-test.js:36:7:36:20 | sh |
-| child_process-test.js:36:12:36:20 | 'cmd.exe' | child_process-test.js:36:7:36:20 | sh |
-| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:14:39:15 | sh |
-| child_process-test.js:38:12:38:20 | '/bin/sh' | child_process-test.js:38:7:38:20 | sh |
-| child_process-test.js:38:12:38:20 | '/bin/sh' | child_process-test.js:38:7:38:20 | sh |
-| child_process-test.js:39:18:39:30 | [ flag, cmd ] | child_process-test.js:39:18:39:30 | [ flag, cmd ] |
-| child_process-test.js:41:9:41:17 | args | child_process-test.js:44:30:44:33 | args |
-| child_process-test.js:41:9:41:17 | args | child_process-test.js:44:30:44:33 | args |
-| child_process-test.js:41:9:41:17 | args | child_process-test.js:46:15:46:18 | args |
-| child_process-test.js:41:16:41:17 | [] | child_process-test.js:41:9:41:17 | args |
-| child_process-test.js:41:16:41:17 | [] | child_process-test.js:41:9:41:17 | args |
-| child_process-test.js:44:17:44:27 | "/bin/bash" | child_process-test.js:44:17:44:27 | "/bin/bash" |
-| child_process-test.js:46:9:46:12 | "sh" | child_process-test.js:55:14:55:16 | cmd |
-| child_process-test.js:46:9:46:12 | "sh" | child_process-test.js:55:14:55:16 | cmd |
-| child_process-test.js:46:15:46:18 | args | child_process-test.js:55:19:55:22 | args |
-| child_process-test.js:48:9:48:17 | args | child_process-test.js:51:35:51:38 | args |
-| child_process-test.js:48:9:48:17 | args | child_process-test.js:51:35:51:38 | args |
-| child_process-test.js:48:16:48:17 | [] | child_process-test.js:48:9:48:17 | args |
-| child_process-test.js:48:16:48:17 | [] | child_process-test.js:48:9:48:17 | args |
-| child_process-test.js:51:17:51:32 | `/bin` + "/bash" | child_process-test.js:51:17:51:32 | `/bin` + "/bash" |
-| child_process-test.js:55:14:55:16 | cmd | child_process-test.js:56:12:56:14 | cmd |
-| child_process-test.js:55:14:55:16 | cmd | child_process-test.js:56:12:56:14 | cmd |
-| child_process-test.js:55:19:55:22 | args | child_process-test.js:56:17:56:20 | args |
-| child_process-test.js:55:19:55:22 | args | child_process-test.js:56:17:56:20 | args |
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
 | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] |
 | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] |
@@ -159,7 +93,6 @@ edges
 | command-line-parameter-command-injection.js:27:32:27:35 | args | command-line-parameter-command-injection.js:27:32:27:45 | args.join(' ') |
 | command-line-parameter-command-injection.js:27:32:27:45 | args.join(' ') | command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` |
 | command-line-parameter-command-injection.js:27:32:27:45 | args.join(' ') | command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` |
-| tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] | tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] |
 #select
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument |
 | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment.expected b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment.expected
