Split queries

Author: Alvaro Muñoz

ql/src/Security/CWE-078/CommandInjection.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ *              malicious code by the user.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+  CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global<MyConfig>;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  sink.getNode().asExpr().(Expression).getRawExpression()

ql/src/Security/CWE-078/CriticalCommandInjection.ql

@@ -0,0 +1,44 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ *              malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+  CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global<MyConfig>;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
+where
+  MyFlow::flowPath(source, sink) and
+  w = source.getNode().asExpr().getEnclosingWorkflow() and
+  (
+    w instanceof ReusableWorkflow or
+    w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+  )
+select sink.getNode(), source, sink,
+  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  sink.getNode().asExpr().(Expression).getRawExpression()

ql/src/Security/CWE-094/CodeInjection.ql

@@ -0,0 +1,40 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ *              code execution.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/code-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CodeInjectionSink extends DataFlow::Node {
+  CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global<MyConfig>;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  sink.getNode().asExpr().(Expression).getRawExpression()

ql/src/Security/CWE-094/CriticalCodeInjection.ql

@@ -0,0 +1,46 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ *              code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/code-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CodeInjectionSink extends DataFlow::Node {
+  CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global<MyConfig>;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
+where
+  MyFlow::flowPath(source, sink) and
+  w = source.getNode().asExpr().getEnclosingWorkflow() and
+  (
+    w instanceof ReusableWorkflow or
+    w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+  )
+select sink.getNode(), source, sink,
+  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  sink.getNode().asExpr().(Expression).getRawExpression()

ql/src/Security/CWE-094/ExpressionInjection.ql

@@ -21,8 +21,7 @@ import codeql.actions.dataflow.ExternalFlow
 private class ExpressionInjectionSink extends DataFlow::Node {
   ExpressionInjectionSink() {
     exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
-    externallyDefinedSink(this,
-      ["expression-injection", "command-injection", "request-forgery", "code-injection"])
+    externallyDefinedSink(this, "expression-injection")
   }
 }
 

ql/src/Security/CWE-918/RequestForgery.ql

@@ -0,0 +1,37 @@
+/**
+ * @name Uncontrolled data used in network request
+ * @description Sending network requests with user-controlled data allows for request forgery attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision high
+ * @id actions/request-forgery
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-918
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class RequestForgerySink extends DataFlow::Node {
+  RequestForgerySink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+}
+
+module MyFlow = TaintTracking::Global<MyConfig>;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  sink.getNode().asExpr().(Expression).getRawExpression()