forked from github/codeql-action
-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathbinary-planting.ql
45 lines (37 loc) · 1.52 KB
/
binary-planting.ql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
/**
* @name Exec call vulnerable to binary planting
* @description On Windows, executing a binary with an unqualified name will execute a binary in the working directory in preference to a binary on PATH.
* @kind path-problem
* @problem.severity error
* @id javascript/codeql-action/binary-planting
*/
import javascript
import DataFlow
import DataFlow::PathGraph
class SafeWhichBarrierGuardNode extends DataFlow::BarrierGuardNode, DataFlow::InvokeNode {
SafeWhichBarrierGuardNode() { getCalleeName() = "safeWhich" }
override predicate blocks(boolean outcome, Expr e) {
outcome = true and
e = getArgument(0).asExpr()
}
}
class BinaryPlantingConfiguration extends DataFlow::Configuration {
BinaryPlantingConfiguration() {
this = "BinaryPlantingConfiguration"
}
override predicate isSource(Node node) {
node.asExpr() instanceof StringLiteral and
not node.asExpr().(StringLiteral).getValue().matches("%/%") and
not node.getFile().getBaseName().matches("%.test.ts")
}
override predicate isSink(Node node) {
node instanceof SystemCommandExecution or
exists(InvokeExpr e | e.getCalleeName() = "ToolRunner" and e.getArgument(0) = node.asExpr())
}
override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) {
guard instanceof SafeWhichBarrierGuardNode
}
}
from BinaryPlantingConfiguration cfg, PathNode source, PathNode sink
where cfg.hasFlowPath(source, sink)
select source.getNode(), source, sink, "This exec call might be vulnerable to Windows binary planting vulnerabilities."