|
| 1 | +/** |
| 2 | + * @name Exec call vulnerable to binary planting |
| 3 | + * @description On Windows, executing a binary with an unqualified name will execute a binary in the working directory in preference to a binary on PATH. |
| 4 | + * @kind path-problem |
| 5 | + * @problem.severity error |
| 6 | + * @id javascript/codeql-action/binary-planting |
| 7 | + */ |
| 8 | + |
| 9 | +import javascript |
| 10 | +import DataFlow |
| 11 | +import DataFlow::PathGraph |
| 12 | + |
| 13 | +class SafeWhichBarrierGuardNode extends DataFlow::BarrierGuardNode, DataFlow::InvokeNode { |
| 14 | + SafeWhichBarrierGuardNode() { getCalleeName() = "safeWhich" } |
| 15 | + |
| 16 | + override predicate blocks(boolean outcome, Expr e) { |
| 17 | + outcome = true and |
| 18 | + e = getArgument(0).asExpr() |
| 19 | + } |
| 20 | +} |
| 21 | + |
| 22 | +class BinaryPlantingConfiguration extends DataFlow::Configuration { |
| 23 | + BinaryPlantingConfiguration() { |
| 24 | + this = "BinaryPlantingConfiguration" |
| 25 | + } |
| 26 | + |
| 27 | + override predicate isSource(Node node) { |
| 28 | + node.asExpr() instanceof StringLiteral and |
| 29 | + not node.asExpr().(StringLiteral).getValue().matches("%/%") and |
| 30 | + not node.getFile().getBaseName().matches("%.test.ts") |
| 31 | + } |
| 32 | + |
| 33 | + override predicate isSink(Node node) { |
| 34 | + node instanceof SystemCommandExecution or |
| 35 | + exists(InvokeExpr e | e.getCalleeName() = "ToolRunner" and e.getArgument(0) = node.asExpr()) |
| 36 | + } |
| 37 | + |
| 38 | + override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) { |
| 39 | + guard instanceof SafeWhichBarrierGuardNode |
| 40 | + } |
| 41 | +} |
| 42 | + |
| 43 | +from BinaryPlantingConfiguration cfg, PathNode source, PathNode sink |
| 44 | +where cfg.hasFlowPath(source, sink) |
| 45 | +select source.getNode(), source, sink, "This exec call might be vulnerable to Windows binary planting vulnerabilities." |
0 commit comments