Fix CWE-078 queries

Alvaro Muñoz · Alvaro Muñoz · commit 22979fa1b05e · 2024-06-07T10:44:53.000+02:00
diff --git a/java/src/security/CWE-078/CommandInjectionRuntimeExec.ql b/java/src/security/CWE-078/CommandInjectionRuntimeExec.ql
@@ -29,6 +29,6 @@ from FlowGraph::PathNode source, FlowGraph::PathNode sink
 where
   Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
   Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
-select sink, source, sink,
+select sink.getNode(), source, sink,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
   source, source.toString(), source.getNode(), source.toString()
diff --git a/java/src/security/CWE-078/CommandInjectionRuntimeExecLocal.ql b/java/src/security/CWE-078/CommandInjectionRuntimeExecLocal.ql
@@ -30,6 +30,6 @@ from FlowGraph::PathNode source, FlowGraph::PathNode sink
 where
   Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
   Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
-select sink, source, sink,
+select sink.getNode(), source, sink,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
   source, source.toString(), source.getNode(), source.toString()
diff --git a/java/src/security/CWE-078/CommandInjectionRuntimeExecTest.ql b/java/src/security/CWE-078/CommandInjectionRuntimeExecTest.ql
@@ -1,7 +1,7 @@
 /**
  * @name Command Injection into Runtime.exec() with dangerous command
  * @description Testing query. High sensitvity and precision version of java/command-line-injection, designed to find more cases of command injection in rare cases that the default query does not find
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @security-severity 6.1
  * @precision high
@@ -22,6 +22,8 @@ module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
 
 module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
 
+import Flow2::PathGraph
+
 from
   Flow::PathNode sourceExec, Flow::PathNode sinkExec, Flow2::PathNode sourceTaint,
   Flow2::PathNode sinkTaint, MethodCall call
@@ -37,6 +39,6 @@ where
     Flow2::flowPath(sourceTaint, sinkTaint) and
     sinkTaint.getNode().asExpr() = call.getAnArgument()
   )
-select sinkExec,
+select sinkTaint.getNode(), sourceTaint, sinkTaint,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceExec, sourceExec.toString(), sourceExec, sourceExec.toString()
+  sourceTaint, sourceTaint.toString(), sourceTaint, sourceTaint.toString()
diff --git a/java/src/security/CWE-078/CommandInjectionRuntimeExecTestPath.ql b/java/src/security/CWE-078/CommandInjectionRuntimeExecTestPath.ql
@@ -22,6 +22,8 @@ module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
 
 module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
 
+import Flow2::PathGraph
+
 from
   Flow::PathNode sourceExec, Flow::PathNode sinkExec, Flow2::PathNode sourceTaint,
   Flow2::PathNode sinkTaint, MethodCall call
@@ -37,6 +39,6 @@ where
     Flow2::flowPath(sourceTaint, sinkTaint) and
     sinkTaint.getNode().asExpr() = call.getArgument(0)
   )
-select sinkExec,
+select sinkTaint.getNode(), sourceTaint, sinkTaint,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceExec, sourceExec.toString(), sourceExec, sourceExec.toString()
+  sourceTaint, sourceTaint.toString(), sourceTaint, sourceTaint.toString()
diff --git a/java/test/security/CWE-078/CommandInjectionRuntimeExec.expected b/java/test/security/CWE-078/CommandInjectionRuntimeExec.expected
@@ -1,3 +1,56 @@
-| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:22:39:22:51 | commandArray1 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:51:21:59 | "/bin/sh" : String | "/bin/sh" : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:51:21:59 | "/bin/sh" : String | "/bin/sh" : String |
-| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:30:39:30:51 | commandArray2 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:26:32:26:40 | "/bin/sh" : String | "/bin/sh" : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:26:32:26:40 | "/bin/sh" : String | "/bin/sh" : String |
-| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:40 | toArray(...) | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:35:48:35:56 | "/bin/sh" : String | "/bin/sh" : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:35:48:35:56 | "/bin/sh" : String | "/bin/sh" : String |
+edges
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:62:21:68 | ...[...] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:71:21:77 | ...[...] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:80:21:86 | ...[...] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:27:32:27:38 | ...[...] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:28:32:28:38 | ...[...] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:29:32:29:38 | ...[...] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:48:36:54 | ...[...] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:57:36:63 | ...[...] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:66:36:72 | ...[...] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:38:21:87 | {...} : String[] [[]] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:22:39:22:51 | commandArray1 | provenance |  Sink:MaD:42664 |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:62:21:68 | ...[...] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:38:21:87 | {...} : String[] [[]] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:71:21:77 | ...[...] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:38:21:87 | {...} : String[] [[]] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:80:21:86 | ...[...] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:38:21:87 | {...} : String[] [[]] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:27:13:27:25 | commandArray2 [post update] : String[] [[]] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:30:39:30:51 | commandArray2 | provenance |  Sink:MaD:42664 |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:27:32:27:38 | ...[...] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:27:13:27:25 | commandArray2 [post update] : String[] [[]] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:28:13:28:25 | commandArray2 [post update] : String[] [[]] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:30:39:30:51 | commandArray2 | provenance |  Sink:MaD:42664 |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:28:32:28:38 | ...[...] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:28:13:28:25 | commandArray2 [post update] : String[] [[]] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:29:13:29:25 | commandArray2 [post update] : String[] [[]] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:30:39:30:51 | commandArray2 | provenance |  Sink:MaD:42664 |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:29:32:29:38 | ...[...] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:29:13:29:25 | commandArray2 [post update] : String[] [[]] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:17 | concat(...) : Stream [<element>] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:40 | toArray(...) : String[] [[]] : String | provenance | MaD:44347 |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:40 | toArray(...) : String[] [[]] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:40 | toArray(...) | provenance |  Sink:MaD:42664 |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:21:36:74 | stream(...) : Stream [<element>] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:17 | concat(...) : Stream [<element>] : String | provenance | MaD:44282 |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:35:36:73 | new String[] : String[] [[]] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:21:36:74 | stream(...) : Stream [<element>] : String | provenance | MaD:43716 |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:35:36:73 | {...} : String[] [[]] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:35:36:73 | new String[] : String[] [[]] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:48:36:54 | ...[...] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:35:36:73 | {...} : String[] [[]] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:57:36:63 | ...[...] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:35:36:73 | {...} : String[] [[]] : String | provenance |  |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:66:36:72 | ...[...] : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:35:36:73 | {...} : String[] [[]] : String | provenance |  |
+nodes
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | semmle.label | args : String[] |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:38:21:87 | {...} : String[] [[]] : String | semmle.label | {...} : String[] [[]] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:62:21:68 | ...[...] : String | semmle.label | ...[...] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:71:21:77 | ...[...] : String | semmle.label | ...[...] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:80:21:86 | ...[...] : String | semmle.label | ...[...] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:22:39:22:51 | commandArray1 | semmle.label | commandArray1 |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:27:13:27:25 | commandArray2 [post update] : String[] [[]] : String | semmle.label | commandArray2 [post update] : String[] [[]] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:27:32:27:38 | ...[...] : String | semmle.label | ...[...] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:28:13:28:25 | commandArray2 [post update] : String[] [[]] : String | semmle.label | commandArray2 [post update] : String[] [[]] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:28:32:28:38 | ...[...] : String | semmle.label | ...[...] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:29:13:29:25 | commandArray2 [post update] : String[] [[]] : String | semmle.label | commandArray2 [post update] : String[] [[]] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:29:32:29:38 | ...[...] : String | semmle.label | ...[...] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:30:39:30:51 | commandArray2 | semmle.label | commandArray2 |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:17 | concat(...) : Stream [<element>] : String | semmle.label | concat(...) : Stream [<element>] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:40 | toArray(...) | semmle.label | toArray(...) |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:40 | toArray(...) : String[] [[]] : String | semmle.label | toArray(...) : String[] [[]] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:21:36:74 | stream(...) : Stream [<element>] : String | semmle.label | stream(...) : Stream [<element>] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:35:36:73 | new String[] : String[] [[]] : String | semmle.label | new String[] : String[] [[]] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:35:36:73 | {...} : String[] [[]] : String | semmle.label | {...} : String[] [[]] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:48:36:54 | ...[...] : String | semmle.label | ...[...] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:57:36:63 | ...[...] : String | semmle.label | ...[...] : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:36:66:36:72 | ...[...] : String | semmle.label | ...[...] : String |
+subpaths
+#select
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:22:39:22:51 | commandArray1 | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:22:39:22:51 | commandArray1 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | args : String[] |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:30:39:30:51 | commandArray2 | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:30:39:30:51 | commandArray2 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | args : String[] |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:40 | toArray(...) | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:40 | toArray(...) | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | args : String[] | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args : String[] | args : String[] |
diff --git a/java/test/security/CWE-078/CommandInjectionRuntimeExecPath.expected b/java/test/security/CWE-078/CommandInjectionRuntimeExecPath.expected
