Merge branch 'main' into securingdev-java-cwe-326-update-dataflow

Author: GeekMasher

java/CWE-094/CVE-2021-44228.ql

@@ -21,26 +21,22 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.Concepts
 import semmle.python.dataflow.new.BarrierGuards
 import semmle.python.ApiGraphs
-import DataFlow::PathGraph
 import github.LocalSources
 private import semmle.python.security.dataflow.CommandInjectionCustomizations
 
-/**
- * This configuration is used to find local command injection vulnerabilities.
- */
-class CommandInjectionConfiguration extends TaintTracking::Configuration {
-  CommandInjectionConfiguration() { this = "LocalCommandInjectionConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof LocalSources::Range }
+private module CommandInjectionConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof LocalSources::Range }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjection::Sink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjection::Sink }
 
-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof CommandInjection::Sanitizer
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjection::Sanitizer }
 }
 
-from CommandInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+module CommandInjectionFlows = TaintTracking::Global<CommandInjectionConfiguration>;
+
+import CommandInjectionFlows::PathGraph
+
+from CommandInjectionFlows::PathNode source, CommandInjectionFlows::PathNode sink
+where CommandInjectionFlows::flowPath(source, sink)
 select sink.getNode(), source, sink, "This command depends on $@.", source.getNode(),
   "a user-provided value"

python/CWE-078/CommandInjectionLocal.ql

@@ -22,24 +22,22 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.Concepts
 import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.dataflow.new.BarrierGuards
-import DataFlow::PathGraph
 import github.LocalSources
 private import semmle.python.security.dataflow.CodeInjectionCustomizations
 
-/**
- * A taint-tracking configuration for detecting code injection vulnerabilities.
- */
-class CodeInjectionConfiguration extends TaintTracking::Configuration {
-  CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof LocalSources::Range }
+private module CodeInjectionConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof LocalSources::Range }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjection::Sink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjection::Sink }
 
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof CodeInjection::Sanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof CodeInjection::Sanitizer }
 }
 
-from CodeInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
-  source.getNode(), "A user-provided value"
+module CodeInjectionFlows = TaintTracking::Global<CodeInjectionConfiguration>;
+
+import CodeInjectionFlows::PathGraph
+
+from CodeInjectionFlows::PathNode source, CodeInjectionFlows::PathNode sink
+where CodeInjectionFlows::flowPath(source, sink)
+select sink.getNode(), source, sink, "This $@ is written to a log file.", source.getNode(),
+  "potentially sensitive information"

python/CWE-094/CodeInjectionLocal.ql

@@ -0,0 +1,16 @@
+edges
+| codei.py:3:5:3:28 | ControlFlowNode for input() | codei.py:6:6:6:6 | ControlFlowNode for i |
+| codei.py:9:6:9:29 | ControlFlowNode for Subscript | codei.py:10:6:10:7 | ControlFlowNode for e1 |
+| codei.py:12:6:12:33 | ControlFlowNode for Attribute() | codei.py:13:6:13:7 | ControlFlowNode for e2 |
+nodes
+| codei.py:3:5:3:28 | ControlFlowNode for input() | semmle.label | ControlFlowNode for input() |
+| codei.py:6:6:6:6 | ControlFlowNode for i | semmle.label | ControlFlowNode for i |
+| codei.py:9:6:9:29 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| codei.py:10:6:10:7 | ControlFlowNode for e1 | semmle.label | ControlFlowNode for e1 |
+| codei.py:12:6:12:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| codei.py:13:6:13:7 | ControlFlowNode for e2 | semmle.label | ControlFlowNode for e2 |
+subpaths
+#select
+| codei.py:6:6:6:6 | ControlFlowNode for i | codei.py:3:5:3:28 | ControlFlowNode for input() | codei.py:6:6:6:6 | ControlFlowNode for i | This $@ is written to a log file. | codei.py:3:5:3:28 | ControlFlowNode for input() | potentially sensitive information |
+| codei.py:10:6:10:7 | ControlFlowNode for e1 | codei.py:9:6:9:29 | ControlFlowNode for Subscript | codei.py:10:6:10:7 | ControlFlowNode for e1 | This $@ is written to a log file. | codei.py:9:6:9:29 | ControlFlowNode for Subscript | potentially sensitive information |
+| codei.py:13:6:13:7 | ControlFlowNode for e2 | codei.py:12:6:12:33 | ControlFlowNode for Attribute() | codei.py:13:6:13:7 | ControlFlowNode for e2 | This $@ is written to a log file. | codei.py:12:6:12:33 | ControlFlowNode for Attribute() | potentially sensitive information |

tests/python-tests/CWE-094/local/CodeInjectionLocal.expected

@@ -0,0 +1 @@
+CWE-094/CodeInjectionLocal.ql

tests/python-tests/CWE-094/local/CodeInjectionLocal.qlref

@@ -0,0 +1,13 @@
+import os
+
+i = input("Enter command: ")
+
+# direct input
+exec(i)
+
+# Env variable
+e1 = os.environ["LOCAL_DATA"]
+exec(e1)
+
+e2 = os.environ.get("LOCAL_DATA")
+exec(e2)

tests/python-tests/CWE-094/local/codei.py

@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=0