-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Expand file tree
/
Copy pathExecTainted.ql
More file actions
36 lines (33 loc) · 1.24 KB
/
ExecTainted.ql
File metadata and controls
36 lines (33 loc) · 1.24 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
/**
* @name Uncontrolled command line (experimental sinks)
* @description Using externally controlled strings in a command line is vulnerable to malicious
* changes in the strings (includes experimental sinks).
* @kind path-problem
* @problem.severity error
* @precision high
* @id java/command-line-injection-experimental
* @tags security
* experimental
* external/cwe/cwe-078
* external/cwe/cwe-088
*/
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.security.CommandLineQuery
import InputToArgumentToExecFlow::PathGraph
private import semmle.code.java.dataflow.ExternalFlow
overlay[local?]
deprecated private class ActivateModels extends ActiveExperimentalModels {
ActivateModels() { this = "jsch-os-injection" }
}
// This is a clone of query `java/command-line-injection` that also includes experimental sinks.
deprecated query predicate problems(
Expr execArg, InputToArgumentToExecFlow::PathNode source,
InputToArgumentToExecFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
string message2
) {
execIsTainted(source, sink, execArg) and
message1 = "This command line depends on a $@." and
sourceNode = source.getNode() and
message2 = "user-provided value"
}