Merge pull request #34 from GitHubSecurityLab/pwntester-patch-3

Alvaro Muñoz · web-flow · commit a183c218798b · 2023-12-14T10:25:07.000+01:00
Update CommandInjection.ql
diff --git a/go/src/security/CWE-078/CommandInjection.ql b/go/src/security/CWE-078/CommandInjection.ql
@@ -13,35 +13,27 @@
 
 import go
 import semmle.go.security.CommandInjection
-import semmle.go.security.CommandInjectionCustomizations::CommandInjection
+import DataFlow::PathGraph
+import semmle.go.security.FlowSources
 
 //Override CommandInjection::Configuration to use the in-use sources
-class InUseAsSource extends Source instanceof UntrustedFlowSource {
-  InUseAsSource() {
+class InUseCommandInjectionConfiguration extends CommandInjection::Configuration {
+  override predicate isSource(DataFlow::Node node) {
     exists(UntrustedFlowSource source, Function function, DataFlow::CallNode callNode |
-      source.asExpr() = this.asExpr() and
+      source.asExpr() = node.asExpr() and
+
       source.(DataFlow::ExprNode).asExpr().getEnclosingFunction() = function.getFuncDecl() and
       (
         // function is called directly
         callNode.getACallee() = function.getFuncDecl()
-        or
+
         // function is passed to another function to be called
-        callNode.getCall().getAnArgument().(Ident).refersTo(function) //NEW with 2.13.2: or c.getASyntacticArgument().asExpr().(Ident).refersTo(f)
-      )
+        or callNode.getCall().getAnArgument().(Ident).refersTo(function) //NEW with 2.13.2: or c.getASyntacticArgument().asExpr().(Ident).refersTo(f)
+      )      
     )
   }
 }
 
-module Flow =
-  DataFlow::MergePathGraph<CommandInjection::Flow::PathNode,
-    CommandInjection::DoubleDashSanitizingFlow::PathNode, CommandInjection::Flow::PathGraph,
-    CommandInjection::DoubleDashSanitizingFlow::PathGraph>;
-
-import Flow::PathGraph
-
-from Flow::PathNode source, Flow::PathNode sink
-where
-  CommandInjection::Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
-  CommandInjection::DoubleDashSanitizingFlow::flowPath(source.asPathNode2(), sink.asPathNode2())
-select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(),
-  "user-provided value"
+ from InUseCommandInjectionConfiguration cfg, CommandInjection::DoubleDashSanitizingConfiguration cfg2, DataFlow::PathNode source, DataFlow::PathNode sink
+ where (cfg.hasFlowPath(source, sink) or cfg2.hasFlowPath(source, sink))
+ select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(), "user-provided value"
