From eb073d3253cf900528b8b8ee84bc075560fb239c Mon Sep 17 00:00:00 2001
From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com>
Date: Wed, 1 Feb 2023 10:59:54 +0000
Subject: [PATCH] Update CMDi Audit query and tests

---
 python/CWE-078/CommandInjectionAudit.ql | 2 +-
 .../CWE-078/audit/CommandInjectionAudit.expected | 3 +++
 .../CWE-078/audit/CommandInjectionAudit.qlref | 1 +
 tests/python-tests/CWE-078/audit/cmdi.py | 11 +++++++++++
 tests/python-tests/CWE-078/audit/options | 1 +
 5 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 tests/python-tests/CWE-078/audit/CommandInjectionAudit.expected
 create mode 100644 tests/python-tests/CWE-078/audit/CommandInjectionAudit.qlref
 create mode 100644 tests/python-tests/CWE-078/audit/cmdi.py
 create mode 100644 tests/python-tests/CWE-078/audit/options

diff --git a/python/CWE-078/CommandInjectionAudit.ql b/python/CWE-078/CommandInjectionAudit.ql
index 0ab3bfd9c78..7a05fe5fb57 100644
--- a/python/CWE-078/CommandInjectionAudit.ql
+++ b/python/CWE-078/CommandInjectionAudit.ql
@@ -21,5 +21,5 @@ import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.security.dataflow.CommandInjectionCustomizations
 
 from DataFlow::Node sink
-where sink instanceof CommandInjection::Sink
+where sink instanceof CommandInjection::Sink and sink.getScope().inSource()
 select sink, "Usage of command line"
diff --git a/tests/python-tests/CWE-078/audit/CommandInjectionAudit.expected b/tests/python-tests/CWE-078/audit/CommandInjectionAudit.expected
new file mode 100644
index 00000000000..bc338fdb96d
--- /dev/null
+++ b/tests/python-tests/CWE-078/audit/CommandInjectionAudit.expected
@@ -0,0 +1,3 @@
+| cmdi.py:7:17:7:17 | ControlFlowNode for i | Usage of command line |
+| cmdi.py:9:17:9:17 | ControlFlowNode for i | Usage of command line |
+| cmdi.py:11:17:11:30 | ControlFlowNode for Fstring | Usage of command line |
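Review bot: The new `and sink.getScope().inSource()` conjunct on the `where` line carries no comment explaining why sinks outside the scanned source are dropped, and for an audit query that exclusion is the first thing a reader will question. Add above `where`: `// Audit only the project's own code: sinks that live in extracted library or stub scopes are not reported.` The accompanying test `options` file sets `--max-import-depth=0`, so in this test the filter presumably has no observable effect; a second fixture with an imported module containing a sink would actually exercise it. Note also that the expected output keeps the `subprocess.call(i)` case without `shell=True` (cmdi.py line 9): the audit reports every command-execution sink regardless of shell use, which the comment should state so the rows are not mistaken for shell-only findings. The query's metadata header and import lines lie outside the hunk.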
diff --git a/tests/python-tests/CWE-078/audit/CommandInjectionAudit.qlref b/tests/python-tests/CWE-078/audit/CommandInjectionAudit.qlref
new file mode 100644
index 00000000000..fc6942675a4
--- /dev/null
+++ b/tests/python-tests/CWE-078/audit/CommandInjectionAudit.qlref
@@ -0,0 +1 @@
+CWE-078/CommandInjectionAudit.ql
\ No newline at end of file
diff --git a/tests/python-tests/CWE-078/audit/cmdi.py b/tests/python-tests/CWE-078/audit/cmdi.py
new file mode 100644
index 00000000000..ab39e562980
--- /dev/null
+++ b/tests/python-tests/CWE-078/audit/cmdi.py
@@ -0,0 +1,11 @@
+import os
+import subprocess
+
+i = input("Enter command: ")
+
+# direct input
+subprocess.call(i, shell=True)
+# direct input, no shell
+subprocess.call(i)
+# format string
+subprocess.call(f"bash -c {i}", shell=True)
diff --git a/tests/python-tests/CWE-078/audit/options b/tests/python-tests/CWE-078/audit/options
new file mode 100644
index 00000000000..efa237f03c4
--- /dev/null
+++ b/tests/python-tests/CWE-078/audit/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=0
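Review bot: `import os` on the first line of cmdi.py is unused; nothing in the fixture calls an `os` API, so either drop it or add the case it seems to anticipate (an `os.system(i)` call) so the audit query is checked against a second sink family rather than `subprocess.call` alone. Either change shifts or adds rows in `CommandInjectionAudit.expected`, which pins results to lines 7, 9 and 11, so the expected file has to be regenerated together with the fixture. The `# format string` comment could also say what the case demonstrates: `# tainted value interpolated into an f-string that is passed to a shell`.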