feat(java): Update CommandInjectionRuntimeExec queries

Author: GeekMasher

java/src/security/CWE-078/CommandInjectionRuntimeExec.ql

@@ -32,24 +32,3 @@ where
 select sink, source, sink,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
   source, source.toString(), source.getNode(), source.toString()
-//
-//
-// from
-//   DataFlow::PathNode source, DataFlow::PathNode sink, ExecTaintConfiguration2 conf,
-//   MethodAccess call, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd,
-//   ExecTaintConfiguration confCmd
-// where
-//   call.getMethod() instanceof RuntimeExecMethod and
-//   // this is a command-accepting call to exec, e.g. rt.exec(new String[]{"/bin/sh", ...})
-//   (
-//     confCmd.hasFlow(sourceCmd, sinkCmd) and
-//     sinkCmd.asExpr() = call.getArgument(0)
-//   ) and
-//   // it is tainted by untrusted user input
-//   (
-//     conf.hasFlow(source.getNode(), sink.getNode()) and
-//     sink.getNode().asExpr() = call.getArgument(0)
-//   )
-// select sink, source, sink,
-//   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-//   sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()

java/src/security/CWE-078/CommandInjectionRuntimeExecLocal.ql

@@ -11,28 +11,25 @@
  *       external/cwe/cwe-078
  */
 
-import DataFlow::PathGraph
 import ghsl.CommandInjectionRuntimeExec
 
 class LocalSource extends Source {
   LocalSource() { this instanceof LocalUserInput }
 }
 
-from
-  DataFlow::PathNode source, DataFlow::PathNode sink, ExecTaintConfiguration2 conf, MethodCall call,
-  DataFlow::Node sourceCmd, DataFlow::Node sinkCmd, ExecTaintConfiguration confCmd
+module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
+
+module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
+
+module FlowGraph =
+  DataFlow::MergePathGraph<Flow::PathNode, Flow2::PathNode, Flow::PathGraph, Flow2::PathGraph>;
+
+import FlowGraph::PathGraph
+
+from FlowGraph::PathNode source, FlowGraph::PathNode sink
 where
-  call.getMethod() instanceof RuntimeExecMethod and
-  // this is a command-accepting call to exec, e.g. rt.exec(new String[]{"/bin/sh", ...})
-  (
-    confCmd.hasFlow(sourceCmd, sinkCmd) and
-    sinkCmd.asExpr() = call.getArgument(0)
-  ) and
-  // it is tainted by untrusted user input
-  (
-    conf.hasFlow(source.getNode(), sink.getNode()) and
-    sink.getNode().asExpr() = call.getArgument(0)
-  )
+  Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
+  Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
 select sink, source, sink,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
+  source, source.toString(), source.getNode(), source.toString()

java/src/security/CWE-078/CommandInjectionRuntimeExecTest.ql

@@ -18,21 +18,17 @@ class DataSource extends Source {
   DataSource() { this instanceof RemoteFlowSource or this instanceof LocalUserInput }
 }
 
-from
-  DataFlow::Node source, DataFlow::Node sink, ExecTaintConfiguration2 conf, MethodCall call,
-  int index, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd, ExecTaintConfiguration confCmd
+module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
+
+module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
+
+module FlowGraph =
+  DataFlow::MergePathGraph<Flow::PathNode, Flow2::PathNode, Flow::PathGraph, Flow2::PathGraph>;
+
+from FlowGraph::PathNode source, FlowGraph::PathNode sink
 where
-  call.getMethod() instanceof RuntimeExecMethod and
-  // this is a command-accepting call to exec, e.g. exec("/bin/sh", ...)
-  (
-    confCmd.hasFlow(sourceCmd, sinkCmd) and
-    sinkCmd.asExpr() = call.getArgument(0)
-  ) and
-  // it is tainted by untrusted user input
-  (
-    conf.hasFlow(source, sink) and
-    sink.asExpr() = call.getArgument(index)
-  )
+  Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
+  Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
 select sink,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceCmd, sourceCmd.toString(), source, source.toString()
+  source, source.toString(), source, source.toString()

java/src/security/CWE-078/CommandInjectionRuntimeExecTestPath.ql

@@ -12,28 +12,25 @@
  *       external/cwe/cwe-078
  */
 
-import DataFlow::PathGraph
 import ghsl.CommandInjectionRuntimeExec
 
 class DataSource extends Source {
   DataSource() { this instanceof RemoteFlowSource or this instanceof LocalUserInput }
 }
 
-from
-  DataFlow::PathNode source, DataFlow::PathNode sink, ExecTaintConfiguration2 conf, MethodCall call,
-  DataFlow::Node sourceCmd, DataFlow::Node sinkCmd, ExecTaintConfiguration confCmd
+module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
+
+module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
+
+module FlowGraph =
+  DataFlow::MergePathGraph<Flow::PathNode, Flow2::PathNode, Flow::PathGraph, Flow2::PathGraph>;
+
+import FlowGraph::PathGraph
+
+from FlowGraph::PathNode source, FlowGraph::PathNode sink
 where
-  call.getMethod() instanceof RuntimeExecMethod and
-  // this is a command-accepting call to exec, e.g. rt.exec(new String[]{"/bin/sh", ...})
-  (
-    confCmd.hasFlow(sourceCmd, sinkCmd) and
-    sinkCmd.asExpr() = call.getArgument(0)
-  ) and
-  // it is tainted by untrusted user input
-  (
-    conf.hasFlow(source.getNode(), sink.getNode()) and
-    sink.getNode().asExpr() = call.getArgument(0)
-  )
+  Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
+  Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
 select sink, source, sink,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
+  source, source.toString(), source.getNode(), source.toString()