JS: second-order-command-injection #11013
Conversation
|
QHelp previews: javascript/ql/src/Security/CWE-078/SecondOrderCommandInjection.qhelpSecond order command injectionSome shell commands, like RecommendationSanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands. ExampleThe following example shows code that executes const express = require("express");
const app = express();
const cp = require("child_process");
app.get("/ls-remote", (req, res) => {
const remote = req.query.remote;
cp.execFile("git", ["ls-remote", remote]); // NOT OK
});The problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command. const express = require("express");
const app = express();
const cp = require("child_process");
app.get("/ls-remote", (req, res) => {
const remote = req.query.remote;
if (!(remote.startsWith("git@") || remote.startsWith("https://"))) {
throw new Error("Invalid remote: " + remote);
}
cp.execFile("git", ["ls-remote", remote]); // OK
});References
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
...ipt/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionCustomizations.qll
Fixed
Show fixed
Hide fixed
...ipt/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionCustomizations.qll
Fixed
Show fixed
Hide fixed
...ipt/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionCustomizations.qll
Fixed
Show fixed
Hide fixed
| --- | ||
| * Added a new query, `js/second-order-command-line-injection`, to detect shell | ||
| commands that may execute arbitrary code when the user has control over | ||
| the arguments to a command-line program. |
There was a problem hiding this comment.
I'd add something about which command names are currently recognized by the query, for example
This currently flags up unsafe invocations of
gitandhg.
javascript/ql/src/Security/CWE-078/SecondOrderCommandInjection.qhelp
Outdated
Show resolved
Hide resolved
javascript/ql/src/Security/CWE-078/SecondOrderCommandInjection.ql
Outdated
Show resolved
Hide resolved
javascript/ql/src/Security/CWE-078/SecondOrderCommandInjection.qhelp
Outdated
Show resolved
Hide resolved
Co-authored-by: Asger F <asgerf@github.com>
|
Lets get some eyes from the doc team. |
erik-krogh
added
ready-for-doc-review
|
👋 Docs first responder here! I've put this on our review board for a writer to review |
There was a problem hiding this comment.
@erik-krogh - this LGTM from a Docs perspective ✨
I've made a comment about improving the query description and adding a missing whitespace in the References section. The rest is very minor. Feel free to ignore any comment you don't agree with.
| @@ -0,0 +1,25 @@ | |||
| /** | |||
| * @name Second order command injection | |||
| * @description Some shell programs allow arbitrary command execution via their command line arguments. | |||
There was a problem hiding this comment.
Could we rewrite this so it follows the preferred syntax for a query description which is "Syntax X causes behavior Y." ?
I think it would be clearer to users if we went straight to the point.
There was a problem hiding this comment.
I've rewritten it to: Using user controlled data as arguments to some commands, such as git clone, can allow arbitrary commands to be executed.
| <references> | ||
| <li>Max Justicz: <a href="https://justi.cz/security/2021/04/20/cocoapods-rce.html">Hacking 3,000,000 apps at once through CocoaPods</a>.</li> | ||
| <li>Git: <a href="https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt">Git - git-ls-remote Documentation</a>.</li> | ||
| <li>OWASP:<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.</li> |
There was a problem hiding this comment.
Missing witespace
| <li>OWASP:<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.</li> | |
| <li>OWASP: <a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.</li> |
| <overview> | ||
| <p> | ||
| Some shell commands, like <code>git ls-remote</code>, can execute | ||
| arbitrary commands if a user provides a malicious URL that can start with |
There was a problem hiding this comment.
Should we simplify here, or isn't it accurate to say this:
| arbitrary commands if a user provides a malicious URL that can start with | |
| arbitrary commands if a user provides a malicious URL that starts with |
javascript/ql/src/Security/CWE-078/SecondOrderCommandInjection.ql
Outdated
Show resolved
Hide resolved
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
erik-krogh
removed
the
ready-for-doc-review
CVE-2022-25900: FN (dynamically chosen
gitcmd).CVE-2022-24437: TP/TN
CVE-2022-25865: TP/TN
CVE-2022-24066: FN (we don't recognize the source due to very dynamic initialization, and we don't recognize the sink due to some dynamic command construction).
CVE-2022-1440: FN (this is more for
js/shell-command-constructed-from-input, but they roll their own shell sanitization, which it doens't track through).CVE-2022-25766: FN (dynamic construction of the arguments, so we don't recognize the
gitinvocation).CVE-2022-24433: FN (same project as CVE-2022-24066).
This blog post is a nice introduction to the vulnerability: https://justi.cz/security/2021/04/20/cocoapods-rce.html
The sinks for this query are arguments to e.g.
cp.execFile("git", ["clone", <sink>]).But also functions that just forwards their arguments to a shell executions, because I've seen that pattern in a few CVEs.
E.g.
Evaluation was uneventful.