Skip to content

JS: add shell interpreted arrays as sinks for js/shell-command-constructed-from-input #5458

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 25, 2021
Merged

JS: add shell interpreted arrays as sinks for js/shell-command-constructed-from-input #5458

merged 2 commits into from
Mar 25, 2021

Conversation

erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Mar 19, 2021
edited
Loading

Recognizes the sink in CVE-2020-28494

Evaluation looks fine.

@erik-krogh erik-krogh added Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish JS:changes-sources-or-sinks Changes taint sources/sinks for the JS analysis labels Mar 19, 2021
@github-actions github-actions bot added the JS label Mar 19, 2021
@erik-krogh erik-krogh removed the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Mar 19, 2021
@erik-krogh erik-krogh marked this pull request as ready for review March 19, 2021 17:10
@erik-krogh erik-krogh requested a review from a team as a code owner March 19, 2021 17:10
@erik-krogh erik-krogh added the no-change-note-required This PR does not need a change note label Mar 19, 2021
asgerf
asgerf reviewed Mar 23, 2021
View reviewed changes
.../ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll

override SystemCommandExecution getCommandExecution() { result = sys }

override DataFlow::Node getAlertLocation() { result = this }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we use this to make the alert appear at the actual spawn call instead of where the array is constructed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes we could.
But the alert message already includes a link to the spawn call.

I currently have the alert-location set to the location where the taint-tracking ends (or, close to in the case of string-concats).
I thought it could be confusing to have a path-query where the path doesn't end in the alert-location.

Changing the alert-location to the spawn call would just require changing sinkNode.getAlertLocation() to sinkNode.getCommandExecution() in the .ql file, and changing the message a bit.
But I think I prefer not doing that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok fair enough. It would have been nice for the path to end at the argument to spawn, but I can see that would require adding flow labels to do properly.

asgerf
asgerf previously approved these changes Mar 23, 2021
View reviewed changes
@erik-krogh erik-krogh mentioned this pull request Mar 24, 2021
Merged
@codeql-ci codeql-ci merged commit 0511e72 into github:main Mar 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asgerf asgerf asgerf approved these changes

Assignees
No one assigned
Labels
JS:changes-sources-or-sinks Changes taint sources/sinks for the JS analysis JS no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@erik-krogh @asgerf @codeql-ci