Skip to content

JS: add joined paths as a sink to js/shell-command-constructed-from-input #5606

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 7, 2021
Merged

JS: add joined paths as a sink to js/shell-command-constructed-from-input #5606

merged 3 commits into from
Apr 7, 2021

Conversation

erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Apr 6, 2021
edited
Loading

@erik-krogh erik-krogh added the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Apr 6, 2021
@github-actions github-actions bot added the JS label Apr 6, 2021
@erik-krogh erik-krogh marked this pull request as ready for review April 6, 2021 13:07
@erik-krogh erik-krogh requested a review from a team as a code owner April 6, 2021 13:07
@erik-krogh erik-krogh removed the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Apr 6, 2021
esbena
esbena reviewed Apr 7, 2021
View reviewed changes
.../ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll Outdated
joinCall = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys)
}

override string getSinkType() { result = "Uncontrolled path" }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor issue:
I agree with the intent, but I think this string results in a confusing error message.
I fear the user will treat this as a false positive from js/path-injection since it is not clear from the message that the problem with the path is that it may be treated as more than just a file path.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The full alert message with the current implementation is:
"Uncontrolled path based on library input is later used in shell command."

I agree that the mix of paths and shellscript terminology can be confusing, but I don't have a better idea right now.

Maybe calling it a "Path concatenation" could work better?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe calling it a "Path concatenation" could work better?

Agreed. That also mirrors the "String concatenation" sink type above.

@erik-krogh erik-krogh added JS:changes-sources-or-sinks Changes taint sources/sinks for the JS analysis no-change-note-required This PR does not need a change note labels Apr 7, 2021
esbena
esbena previously approved these changes Apr 7, 2021
View reviewed changes
@codeql-ci codeql-ci merged commit 073a43c into github:main Apr 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@esbena esbena esbena approved these changes

Assignees
No one assigned
Labels
JS:changes-sources-or-sinks Changes taint sources/sinks for the JS analysis JS no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@erik-krogh @esbena @codeql-ci