feat: Update CMDi Queries and tests

Author: GeekMasher

java/src/security/CWE-078/CommandInjectionRuntimeExec.ql

@@ -20,15 +20,21 @@ module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
 
 module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
 
-module FlowGraph =
-  DataFlow::MergePathGraph<Flow::PathNode, Flow2::PathNode, Flow::PathGraph, Flow2::PathGraph>;
-
-import FlowGraph::PathGraph
-
-from FlowGraph::PathNode source, FlowGraph::PathNode sink
+from
+  Flow::PathNode sourceExec, Flow::PathNode sinkExec, Flow2::PathNode sourceTaint,
+  Flow2::PathNode sinkTaint, MethodCall call
 where
-  Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
-  Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
-select sink, source, sink,
+  call.getMethod() instanceof RuntimeExecMethod and
+  (
+    // this is a command-accepting call to exec, e.g. exec("/bin/sh", ...)
+    Flow::flowPath(sourceExec, sinkExec) and
+    sinkExec.getNode().asExpr() = call.getArgument(0)
+  ) and
+  (
+    // it is tainted by untrusted user input
+    Flow2::flowPath(sourceTaint, sinkTaint) and
+    sinkTaint.getNode().asExpr() = call.getAnArgument()
+  )
+select sinkExec, sourceExec, sinkExec,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  source, source.toString(), source.getNode(), source.toString()
+  sourceTaint, sourceTaint.toString(), sourceExec.getNode(), sourceExec.toString()

java/src/security/CWE-078/CommandInjectionRuntimeExecLocal.ql

@@ -21,15 +21,21 @@ module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
 
 module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
 
-module FlowGraph =
-  DataFlow::MergePathGraph<Flow::PathNode, Flow2::PathNode, Flow::PathGraph, Flow2::PathGraph>;
-
-import FlowGraph::PathGraph
-
-from FlowGraph::PathNode source, FlowGraph::PathNode sink
+from
+  Flow::PathNode sourceExec, Flow::PathNode sinkExec, Flow2::PathNode sourceTaint,
+  Flow2::PathNode sinkTaint, MethodCall call
 where
-  Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
-  Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
-select sink, source, sink,
+  call.getMethod() instanceof RuntimeExecMethod and
+  (
+    // this is a command-accepting call to exec, e.g. exec("/bin/sh", ...)
+    Flow::flowPath(sourceExec, sinkExec) and
+    sinkExec.getNode().asExpr() = call.getArgument(0)
+  ) and
+  (
+    // it is tainted by untrusted user input
+    Flow2::flowPath(sourceTaint, sinkTaint) and
+    sinkTaint.getNode().asExpr() = call.getAnArgument()
+  )
+select sinkExec, sourceExec, sinkExec,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  source, source.toString(), source.getNode(), source.toString()
+  sourceTaint, sourceTaint.toString(), sourceExec.getNode(), sourceExec.toString()

java/src/security/CWE-078/CommandInjectionRuntimeExecTest.ql

@@ -22,13 +22,21 @@ module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
 
 module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
 
-module FlowGraph =
-  DataFlow::MergePathGraph<Flow::PathNode, Flow2::PathNode, Flow::PathGraph, Flow2::PathGraph>;
-
-from FlowGraph::PathNode source, FlowGraph::PathNode sink
+from
+  Flow::PathNode sourceExec, Flow::PathNode sinkExec, Flow2::PathNode sourceTaint,
+  Flow2::PathNode sinkTaint, MethodCall call
 where
-  Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
-  Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
-select sink,
+  call.getMethod() instanceof RuntimeExecMethod and
+  (
+    // this is a command-accepting call to exec, e.g. exec("/bin/sh", ...)
+    Flow::flowPath(sourceExec, sinkExec) and
+    sinkExec.getNode().asExpr() = call.getArgument(0)
+  ) and
+  (
+    // it is tainted by untrusted user input
+    Flow2::flowPath(sourceTaint, sinkTaint) and
+    sinkTaint.getNode().asExpr() = call.getAnArgument()
+  )
+select sinkExec,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  source, source.toString(), source, source.toString()
+  sourceExec, sourceExec.toString(), sourceExec, sourceExec.toString()

java/src/security/CWE-078/CommandInjectionRuntimeExecTestPath.ql

@@ -22,15 +22,21 @@ module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
 
 module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
 
-module FlowGraph =
-  DataFlow::MergePathGraph<Flow::PathNode, Flow2::PathNode, Flow::PathGraph, Flow2::PathGraph>;
-
-import FlowGraph::PathGraph
-
-from FlowGraph::PathNode source, FlowGraph::PathNode sink
+from
+  Flow::PathNode sourceExec, Flow::PathNode sinkExec, Flow2::PathNode sourceTaint,
+  Flow2::PathNode sinkTaint, MethodCall call
 where
-  Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
-  Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
-select sink, source, sink,
+  call.getMethod() instanceof RuntimeExecMethod and
+  (
+    // this is a command-accepting call to exec, e.g. exec("/bin/sh", ...)
+    Flow::flowPath(sourceExec, sinkExec) and
+    sinkExec.getNode().asExpr() = call.getArgument(0)
+  ) and
+  (
+    // it is tainted by untrusted user input
+    Flow2::flowPath(sourceTaint, sinkTaint) and
+    sinkTaint.getNode().asExpr() = call.getArgument(0)
+  )
+select sinkExec,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  source, source.toString(), source.getNode(), source.toString()
+  sourceExec, sourceExec.toString(), sourceExec, sourceExec.toString()

java/test/security/CWE-078/CommandInjectionRuntimeExec.expected

@@ -1,3 +1,3 @@
-| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:22:39:22:51 | commandArray1 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:51:21:59 | "/bin/sh" | "/bin/sh" | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args | args |
-| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:30:39:30:51 | commandArray2 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:26:32:26:40 | "/bin/sh" | "/bin/sh" | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args | args |
-| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:40 | toArray(...) | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:35:48:35:56 | "/bin/sh" | "/bin/sh" | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:16:29:16:41 | args | args |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:22:39:22:51 | commandArray1 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:51:21:59 | "/bin/sh" : String | "/bin/sh" : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:51:21:59 | "/bin/sh" : String | "/bin/sh" : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:30:39:30:51 | commandArray2 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:26:32:26:40 | "/bin/sh" : String | "/bin/sh" : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:26:32:26:40 | "/bin/sh" : String | "/bin/sh" : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:40 | toArray(...) | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:35:48:35:56 | "/bin/sh" : String | "/bin/sh" : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:35:48:35:56 | "/bin/sh" : String | "/bin/sh" : String |

java/test/security/CWE-078/CommandInjectionRuntimeExecPath.expected

@@ -0,0 +1,3 @@
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:22:39:22:51 | commandArray1 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:51:21:59 | "/bin/sh" : String | "/bin/sh" : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:21:51:21:59 | "/bin/sh" : String | "/bin/sh" : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:30:39:30:51 | commandArray2 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:26:32:26:40 | "/bin/sh" : String | "/bin/sh" : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:26:32:26:40 | "/bin/sh" : String | "/bin/sh" : String |
+| src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:34:17:37:40 | toArray(...) | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:35:48:35:56 | "/bin/sh" : String | "/bin/sh" : String | src/main/java/com/github/githubsecuritylab/command_injection_test/Main.java:35:48:35:56 | "/bin/sh" : String | "/bin/sh" : String |

java/test/security/CWE-078/CommandInjectionRuntimeExecPath.qlref

@@ -0,0 +1 @@
+security/CWE-078/CommandInjectionRuntimeExecTestPath.ql