Comments (6)
Rearranged my folder structure a little bit.
Done :). Thanks
from codeql-java-queries.
Forgot to attach my draft queries. But I am struggling to match "-p" in my expr :s

```ql
/**
 * @name Potential Sensitive command-line argument constructed using string
 * @kind problem
 * @problem.severity warning
 * @id java/command-line-sensitive-argument
 * @tags security
 * @precision high
 * @security-severity 9.1
 */

import java

from MethodAccess mc, Expr arg, Variable var
where
  // Calls to methods named exec, command or start (e.g. Runtime.exec, ProcessBuilder.command/start)
  (
    mc.getMethod().getName().toLowerCase().matches("exec") or
    mc.getMethod().getName().toLowerCase().matches("command") or
    mc.getMethod().getName().toLowerCase().matches("start")
  ) and
  // The first argument reads a variable whose assigned value contains "-p"
  var.getAnAccess() = mc.getArgument(0) and
  var.getAnAssignedValue() = arg and
  // `%` is the wildcard of matches(); `\%` is not a valid QL string escape
  arg.toString().matches("%-p%")
// A problem query selects an element and a message; extra columns must be $@ pairs
select mc, "Potential Sensitive command-line argument constructed using string: " + arg.toString()
```
Maybe the queries java/concatenated-command-line and java/command-line-injection and the library file CommandLineQuery.qll from the github/codeql repository can be helpful with this.

You would probably want to use CommandInjectionSink from CommandLineQuery.qll to handle detection of calls to exec and similar, then you don't have to determine this yourself.

To track flow from your password variable to the command execution you can use taint tracking; this is more powerful than having to manually check variable assignments and reads. You have to use taint tracking instead of data flow tracking because the string concatenation (`... + " -p" + password + ...`) creates a new value and is therefore not considered data flow, see the documentation for more details.

For example your query could then look like this:
```ql
/**
 * @kind problem
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.CommandLineQuery

from CompileTimeConstantExpr passwordOption, CommandInjectionSink sink
where
  passwordOption.getStringValue().matches("%-p%") and
  TaintTracking::localTaint(DataFlow::exprNode(passwordOption), sink)
select passwordOption, "This password option is used as command line argument $@", sink, "here"
```
Unless you explicitly want to check for the -p parameter as command line argument, you could instead use SensitiveExpr from SensitiveActions.qll, that covers multiple names of variables or methods which might have a sensitive value, such as password, passwd, ...
```ql
/**
 * @kind problem
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.CommandLineQuery
import semmle.code.java.security.SensitiveActions

from SensitiveExpr sensitiveExpr, CommandInjectionSink sink
where TaintTracking::localTaint(DataFlow::exprNode(sensitiveExpr), sink)
select sensitiveExpr, "This sensitive value is used as command line argument $@", sink, "here"
```
Also a tip regarding the code of your query: avoid checking the result of the toString() predicate; to my knowledge that is just a human-readable string representation without any guaranteed format.
I hope that helps. Though I think in the future if you ask on https://github.com/github/codeql (possibly as Discussion) or on Stack Overflow you might get better or a greater variety of answers.
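The two queries in the answer above use `TaintTracking::localTaint`, which only follows flow inside a single method. The following is an added example (not Marcono's code and not a query from the github/codeql repository) that lifts the same source/sink pairing to global taint tracking, so a sensitive value that is built in one method and handed to the command execution in another is still reported, with the full path shown. It assumes the module-based data-flow API (`DataFlow::ConfigSig`, `TaintTracking::Global`, `flowPath`) of recent CodeQL releases; the `@name` and `@id` metadata are placeholders chosen for this example. To restrict the query to the explicit `-p` option, replace the `isSource` body with the `CompileTimeConstantExpr` check from the first query.

```ql
/**
 * @name Sensitive value passed as command-line argument (global taint tracking)
 * @kind path-problem
 * @problem.severity warning
 * @id java/example/sensitive-command-line-argument-global
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.CommandLineQuery
import semmle.code.java.security.SensitiveActions

/**
 * Sources: expressions whose name suggests a secret (password, passwd, ...),
 * as recognised by SensitiveExpr from SensitiveActions.qll.
 * Sinks: arguments of process-spawning calls, as recognised by CommandInjectionSink.
 */
module SensitiveToCommandConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }

  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
}

// Taint (not plain data flow) so that string concatenation such as "-p" + password propagates
module SensitiveToCommandFlow = TaintTracking::Global<SensitiveToCommandConfig>;

import SensitiveToCommandFlow::PathGraph

from SensitiveToCommandFlow::PathNode source, SensitiveToCommandFlow::PathNode sink
where SensitiveToCommandFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Sensitive value $@ is used as a command-line argument here.", source.getNode(),
  "from this expression"
```

Run it like any path-problem query against a Java CodeQL database (for example from the CodeQL CLI or the VS Code extension); each result carries the step-by-step path from the sensitive expression to the spawned command, which makes triage of a finding considerably easier than the single-location output of the `@kind problem` variants.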
Hi Marcono,
Thanks much for your quick help and assistance and the explanation. Very grateful for your help and the tips
-Vignesh
No problem, but if you are using this code for your own query SensitiveCommandlineArgument.ql (especially if you copy the code without any changes), it would have been nice if you added a comment like the following to your code:

```java
// Based on https://github.com/Marcono1234/codeql-java-queries/issues/15#issuecomment-1627404064
```
This also has the advantage that in case you or someone else wants to get more information about this again in the future, they can revisit my comment above.
No worries though, you can do with your code whatever you want to do regarding licensing; I won't raise any claims there or similar. It is just that writing that answer above also took me some time, so it would have been nice if that was recognized.