-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathEnvPathInjectionMedium.ql
More file actions
32 lines (30 loc) · 1.16 KB
/
EnvPathInjectionMedium.ql
File metadata and controls
32 lines (30 loc) · 1.16 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
/**
* @name PATH environment variable built from user-controlled sources
* @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
* @kind path-problem
* @problem.severity error
* @security-severity 5.0
* @precision medium
* @id actions/envpath-injection/medium
* @tags actions
* security
* external/cwe/cwe-077
* external/cwe/cwe-020
*/
import actions
import codeql.actions.security.EnvPathInjectionQuery
import codeql.actions.dataflow.FlowSources
import EnvPathInjectionFlow::PathGraph
from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink
where
EnvPathInjectionFlow::flowPath(source, sink) and
inNonPrivilegedContext(sink.getNode().asExpr()) and
(
not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
or
source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
sink.getNode() instanceof EnvPathInjectionFromFileReadSink
)
select sink.getNode(), source, sink,
"Potential PATH environment variable injection in $@, which may be controlled by an external user.",
sink, sink.getNode().toString()