Move arg injection sinks to ShellScript class

Author: Alvaro Muñoz

ql/lib/codeql/actions/Ast.qll

@@ -354,6 +354,14 @@ class ShellScript extends ScalarValueImpl instanceof ShellScriptImpl {
 
   predicate getACmdReachingGitHubPathWrite(string cmd) { super.getACmdReachingGitHubPathWrite(cmd) }
 
+  predicate getAnEnvReachingArgumentInjectionSink(string var, string command, string argument) {
+    super.getAnEnvReachingArgumentInjectionSink(var, command, argument)
+  }
+
+  predicate getACmdReachingArgumentInjectionSink(string cmd, string command, string argument) {
+    super.getACmdReachingArgumentInjectionSink(cmd, command, argument)
+  }
+
   predicate fileToGitHubEnv(string path) { super.fileToGitHubEnv(path) }
 
   predicate fileToGitHubOutput(string path) { super.fileToGitHubOutput(path) }

ql/lib/codeql/actions/Bash.qll

@@ -133,7 +133,8 @@ class BashShellScript extends ShellScript {
         this.doStmtRestoreQuotedStrings(i, round, _, new)
       |
         new order by round
-      )
+      ) and
+    not result.indexOf("qstr:") > -1
   }
 
   private predicate doStmtRestoreCmdSubstitutions(int line, int round, string old, string new) {
@@ -155,7 +156,8 @@ class BashShellScript extends ShellScript {
         this.doStmtRestoreCmdSubstitutions(i, round, _, new)
       |
         new order by round
-      )
+      ) and
+    not result.indexOf("cmdsubs:") > -1
   }
 
   override string getAStmt() { result = this.getStmt(_) }
@@ -186,7 +188,8 @@ class BashShellScript extends ShellScript {
         this.doCmdRestoreQuotedStrings(i, round, _, new)
       |
         new order by round
-      )
+      ) and
+    not result.indexOf("qstr:") > -1
   }
 
   private predicate doCmdRestoreCmdSubstitutions(int line, int round, string old, string new) {
@@ -208,13 +211,16 @@ class BashShellScript extends ShellScript {
         this.doCmdRestoreCmdSubstitutions(i, round, _, new)
       |
         new order by round
-      )
+      ) and
+    not result.indexOf("cmdsubs:") > -1
   }
 
   string getACmd() { result = this.getCmd(_) }
 
   override string getCommand(int i) {
-    result = this.getCmd(i) and
+    // remove redirection
+    result =
+      this.getCmd(i).regexpReplaceAll("(>|>>|2>|2>>|<|<<<)\\s*[\\{\\}\\$\"'_\\-0-9a-zA-Z]+$", "") and
     // exclude variable declarations
     not result.regexpMatch("^[a-zA-Z0-9\\-_]+=") and
     // exclude the following keywords
@@ -286,6 +292,18 @@ class BashShellScript extends ShellScript {
     Bash::cmdReachingGitHubFileWrite(this, cmd, "GITHUB_PATH", _)
   }
 
+  override predicate getAnEnvReachingArgumentInjectionSink(
+    string var, string command, string argument
+  ) {
+    Bash::envReachingArgumentInjectionSink(this, var, command, argument)
+  }
+
+  override predicate getACmdReachingArgumentInjectionSink(
+    string cmd, string command, string argument
+  ) {
+    Bash::cmdReachingArgumentInjectionSink(this, cmd, command, argument)
+  }
+
   override predicate fileToGitHubEnv(string path) {
     Bash::fileToFileWrite(this, "GITHUB_ENV", path)
   }
@@ -633,6 +651,30 @@ module Bash {
     )
   }
 
+  predicate envReachingArgumentInjectionSink(
+    BashShellScript script, string source, string command, string argument
+  ) {
+    exists(string cmd, string regex, int command_group, int argument_group |
+      cmd = script.getACommand() and
+      argumentInjectionSinksDataModel(regex, command_group, argument_group) and
+      argument = cmd.regexpCapture(regex, argument_group) and
+      command = cmd.regexpCapture(regex, command_group) and
+      envReachingRunExpr(script, source, argument)
+    )
+  }
+
+  predicate cmdReachingArgumentInjectionSink(
+    BashShellScript script, string source, string command, string argument
+  ) {
+    exists(string cmd, string regex, int command_group, int argument_group |
+      cmd = script.getACommand() and
+      argumentInjectionSinksDataModel(regex, command_group, argument_group) and
+      argument = cmd.regexpCapture(regex, argument_group) and
+      command = cmd.regexpCapture(regex, command_group) and
+      cmdReachingRunExpr(script, source, argument)
+    )
+  }
+
   /**
    * Holds if a command output is used, directly or indirectly, in a Run's step expression.
    * Where the expression is a string captured from the Run's script.

ql/lib/codeql/actions/PowerShell.qll

@@ -42,6 +42,18 @@ class PowerShellScript extends ShellScript {
 
   override predicate getACmdReachingGitHubPathWrite(string cmd) { none() }
 
+  override predicate getAnEnvReachingArgumentInjectionSink(
+    string var, string command, string argument
+  ) {
+    none()
+  }
+
+  override predicate getACmdReachingArgumentInjectionSink(
+    string cmd, string command, string argument
+  ) {
+    none()
+  }
+
   override predicate fileToGitHubEnv(string path) { none() }
 
   override predicate fileToGitHubOutput(string path) { none() }

ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -227,6 +227,14 @@ class ShellScriptImpl extends ScalarValueImpl {
 
   abstract predicate getACmdReachingGitHubPathWrite(string cmd);
 
+  abstract predicate getAnEnvReachingArgumentInjectionSink(
+    string var, string command, string argument
+  );
+
+  abstract predicate getACmdReachingArgumentInjectionSink(
+    string cmd, string command, string argument
+  );
+
   abstract predicate fileToGitHubEnv(string path);
 
   abstract predicate fileToGitHubOutput(string path);

ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll

@@ -9,23 +9,6 @@ abstract class ArgumentInjectionSink extends DataFlow::Node {
   abstract string getCommand();
 }
 
-/**
- * Holds if an environment variable is used, directly or indirectly, as an argument to a dangerous command
- * in a Run step.
- * Where the command is a string captured from the Run's script.
- */
-bindingset[var]
-predicate envToArgInjSink(string var, Run run, string command) {
-  exists(string argument, string cmd, string regexp, int command_group, int argument_group |
-    run.getScript().getACommand() = cmd and
-    argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
-    command = cmd.regexpCapture(regexp, command_group) and
-    argument = cmd.regexpCapture(regexp, argument_group) and
-    Bash::envReachingRunExpr(run.getScript(), var, argument) and
-    exists(run.getInScopeEnvVarExpr(var))
-  )
-}
-
 /**
  * Holds if a Run step declares an environment variable, uses it as the argument to a command vulnerable to argument injection.
  * e.g.
@@ -36,23 +19,16 @@ predicate envToArgInjSink(string var, Run run, string command) {
  */
 class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
   string command;
+  string argument;
 
   ArgumentInjectionFromEnvVarSink() {
     exists(Run run, string var |
-      envToArgInjSink(var, run, command) and
-      run.getScript() = this.asExpr() and
-      exists(run.getInScopeEnvVarExpr(var))
-    )
-    or
-    exists(
-      Run run, string cmd, string argument, string regexp, int argument_group, int command_group
-    |
-      run.getScript().getACommand() = cmd and
       run.getScript() = this.asExpr() and
-      argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
-      argument = cmd.regexpCapture(regexp, argument_group) and
-      command = cmd.regexpCapture(regexp, command_group) and
-      argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*")
+      (
+        exists(run.getInScopeEnvVarExpr(var)) or
+        var = "GITHUB_HEAD_REF"
+      ) and
+      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument)
     )
   }
 
@@ -68,18 +44,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
  */
 class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
   string command;
+  string argument;
 
   ArgumentInjectionFromCommandSink() {
-    exists(
-      CommandSource source, Run run, string cmd, string argument, string regexp, int argument_group,
-      int command_group
-    |
+    exists(CommandSource source, Run run |
       run = source.getEnclosingRun() and
       this.asExpr() = run.getScript() and
-      cmd = run.getScript().getACommand() and
-      argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
-      argument = cmd.regexpCapture(regexp, argument_group) and
-      command = cmd.regexpCapture(regexp, command_group)
+      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument)
     )
   }
 
@@ -103,14 +74,9 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource
     or
-    exists(
-      Run run, string argument, string cmd, string regexp, int command_group, int argument_group
-    |
+    exists(Run run |
       run.getScript() = source.asExpr() and
-      run.getScript().getACommand() = cmd and
-      argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
-      argument = cmd.regexpCapture(regexp, argument_group) and
-      argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*")
+      run.getScript().getAnEnvReachingArgumentInjectionSink("GITHUB_HEAD_REF", _, _)
     )
   }
 
@@ -120,7 +86,7 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
     exists(Run run, string var |
       run.getInScopeEnvVarExpr(var) = pred.asExpr() and
       succ.asExpr() = run.getScript() and
-      envToArgInjSink(var, run, _)
+      run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
     )
   }
 }