Skip to content

Commit b482b36

Browse files
egregius313egregius313
committed
Initial ProcessBuilder support
1 parent ad32b81 commit b482b36

1 file changed

Lines changed: 21 additions & 10 deletions

File tree

java/ql/src/Security/CWE/CWE-078/ExecTaintedEnvironment.ql

Lines changed: 21 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ import java
1414
import semmle.code.java.dataflow.TaintTracking
1515
import semmle.code.java.dataflow.DataFlow
1616
import semmle.code.java.dataflow.FlowSources
17+
import semmle.code.java.dataflow.ExternalFlow
1718

1819
class ExecMethod extends Method {
1920
ExecMethod() {
@@ -22,21 +23,31 @@ class ExecMethod extends Method {
2223
}
2324
}
2425

25-
module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
26-
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
26+
module ProcessBuilderEnvironmentFlow implements DataFlow::ConfigSig {
27+
predicate isSource(DataFlow::Node source) {
28+
source.getType().(RefType).hasQualifiedName("java.lang", "ProcessBuilder")
29+
}
2730

2831
predicate isSink(DataFlow::Node sink) {
29-
exists(MethodAccess ma |
30-
ma.getMethod() instanceof ExecMethod and sink.asExpr() = ma.getArgument(1)
32+
exists(MethodAccess ma | ma.getQualifier() = sink.asExpr() |
33+
ma.getMethod().hasName("environment")
3134
)
3235
}
3336
}
3437

35-
module ExecTaintedEnvironmentFlow = TaintTracking::Global<ExecTaintedEnvironmentConfig>;
38+
module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
39+
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
3640

37-
import ExecTaintedEnvironmentFlow::PathGraph
41+
predicate isSink(DataFlow::Node sink) { sinkNode(sink, "environment-injection") }
42+
}
43+
44+
module ExecTaintedEnvironmentFlow = TaintTracking::Global<ExecTaintedEnvironmentConfig>;
3845

39-
from ExecTaintedEnvironmentFlow::PathNode source, ExecTaintedEnvironmentFlow::PathNode sink
40-
where ExecTaintedEnvironmentFlow::flowPath(source, sink)
41-
select sink.getNode(), sink, source, "This command will be executed in a $@.", sink.getNode(),
42-
"tainted environment"
46+
from Flow::PathNode source, Flow::PathNode sink, string label
47+
where
48+
ExecTaintedCommandFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and label = "argument"
49+
or
50+
ExecTaintedEnvironmentFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
51+
label = "environment"
52+
select sink.getNode(), sink, source, "This command will be execute with a tainted $@.",
53+
sink.getNode(), label

0 commit comments

Comments
 (0)