-
Notifications
You must be signed in to change notification settings - Fork 1.5k
/
ExecUnescaped.ql
52 lines (48 loc) · 1.61 KB
/
ExecUnescaped.ql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
/**
* @name Building a command line with string concatenation
* @description Using concatenated strings in a command line is vulnerable to malicious
* insertion of special characters in the strings.
* @kind problem
* @problem.severity error
* @security-severity 9.8
* @precision high
* @id java/concatenated-command-line
* @tags security
* external/cwe/cwe-078
* external/cwe/cwe-088
*/
import java
import semmle.code.java.security.CommandLineQuery
import semmle.code.java.security.ExternalProcess
/**
* Strings that are known to be sane by some simple local analysis. Such strings
* do not need to be escaped, because the programmer can predict what the string
* has in it.
*/
predicate saneString(Expr expr) {
expr instanceof StringLiteral
or
expr instanceof NullLiteral
or
exists(Variable var | var.getAnAccess() = expr and exists(var.getAnAssignedValue()) |
forall(Expr other | var.getAnAssignedValue() = other | saneString(other))
)
}
predicate builtFromUncontrolledConcat(Expr expr) {
exists(AddExpr concatExpr | concatExpr = expr |
builtFromUncontrolledConcat(concatExpr.getAnOperand())
)
or
exists(AddExpr concatExpr | concatExpr = expr |
exists(Expr arg | arg = concatExpr.getAnOperand() | not saneString(arg))
)
or
exists(Expr other | builtFromUncontrolledConcat(other) |
exists(Variable var | var.getAnAssignedValue() = other and var.getAnAccess() = expr)
)
}
from StringArgumentToExec argument
where
builtFromUncontrolledConcat(argument) and
not execIsTainted(_, _, argument)
select argument, "Command line is built with string concatenation."