mirror of
https://github.com/github/codeql-action.git
synced 2025-12-06 07:48:17 +08:00
46 lines
1.5 KiB
Plaintext
46 lines
1.5 KiB
Plaintext
/**
|
|
* @name Exec call vulnerable to binary planting
|
|
* @description On Windows, executing a binary with an unqualified name will execute a binary in the working directory in preference to a binary on PATH.
|
|
* @kind path-problem
|
|
* @problem.severity error
|
|
* @id javascript/codeql-action/binary-planting
|
|
*/
|
|
|
|
import javascript
|
|
import DataFlow
|
|
import DataFlow::PathGraph
|
|
|
|
class WhichBarrierGuardNode extends DataFlow::BarrierGuardNode, DataFlow::InvokeNode {
|
|
WhichBarrierGuardNode() { getCalleeName() = "which" }
|
|
|
|
override predicate blocks(boolean outcome, Expr e) {
|
|
outcome = true and
|
|
e = getArgument(0).asExpr()
|
|
}
|
|
}
|
|
|
|
class BinaryPlantingConfiguration extends DataFlow::Configuration {
|
|
BinaryPlantingConfiguration() {
|
|
this = "BinaryPlantingConfiguration"
|
|
}
|
|
|
|
override predicate isSource(Node node) {
|
|
node.asExpr() instanceof StringLiteral and
|
|
not node.asExpr().(StringLiteral).getValue().matches("%/%") and
|
|
not node.getFile().getBaseName().matches("%.test.ts")
|
|
}
|
|
|
|
override predicate isSink(Node node) {
|
|
node instanceof SystemCommandExecution or
|
|
exists(InvokeExpr e | e.getCalleeName() = "ToolRunner" and e.getArgument(0) = node.asExpr())
|
|
}
|
|
|
|
override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) {
|
|
guard instanceof WhichBarrierGuardNode
|
|
}
|
|
}
|
|
|
|
from BinaryPlantingConfiguration cfg, PathNode source, PathNode sink
|
|
where cfg.hasFlowPath(source, sink)
|
|
select source.getNode(), source, sink, "This exec call might be vulnerable to Windows binary planting vulnerabilities."
|