-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathStoredCommandInjection.ql
More file actions
28 lines (25 loc) · 1.08 KB
/
StoredCommandInjection.ql
File metadata and controls
28 lines (25 loc) · 1.08 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
/**
* @name Uncontrolled command line from stored user input
* @description Using externally controlled strings in a command line may allow a malicious
* user to change the meaning of the command.
* @kind path-problem
* @problem.severity error
* @security-severity 9.8
* @precision medium
* @id cs/stored-command-line-injection
* @tags correctness
* security
* external/cwe/cwe-078
* external/cwe/cwe-088
*/
import csharp
import semmle.code.csharp.security.dataflow.flowsources.Stored
import semmle.code.csharp.security.dataflow.CommandInjectionQuery::CommandInjection
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
override predicate isSource(DataFlow::Node source) { source instanceof StoredFlowSource }
}
from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in a command.", source.getNode(),
"Stored user-provided value"