Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
codeql-action/queries/binary-planting.ql
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * @name Exec call vulnerable to binary planting | |
| * @description On Windows, executing a binary with an unqualified name will execute a binary in the working directory in preference to a binary on PATH. | |
| * @kind path-problem | |
| * @problem.severity error | |
| * @id javascript/codeql-action/binary-planting | |
| */ | |
| import javascript | |
| import DataFlow | |
| import DataFlow::PathGraph | |
| class SafeWhichBarrierGuardNode extends DataFlow::BarrierGuardNode, DataFlow::InvokeNode { | |
| SafeWhichBarrierGuardNode() { getCalleeName() = "safeWhich" } | |
| override predicate blocks(boolean outcome, Expr e) { | |
| outcome = true and | |
| e = getArgument(0).asExpr() | |
| } | |
| } | |
| class BinaryPlantingConfiguration extends DataFlow::Configuration { | |
| BinaryPlantingConfiguration() { | |
| this = "BinaryPlantingConfiguration" | |
| } | |
| override predicate isSource(Node node) { | |
| node.asExpr() instanceof StringLiteral and | |
| not node.asExpr().(StringLiteral).getValue().matches("%/%") and | |
| not node.getFile().getBaseName().matches("%.test.ts") | |
| } | |
| override predicate isSink(Node node) { | |
| node instanceof SystemCommandExecution or | |
| exists(InvokeExpr e | e.getCalleeName() = "ToolRunner" and e.getArgument(0) = node.asExpr()) | |
| } | |
| override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) { | |
| guard instanceof SafeWhichBarrierGuardNode | |
| } | |
| } | |
| from BinaryPlantingConfiguration cfg, PathNode source, PathNode sink | |
| where cfg.hasFlowPath(source, sink) | |
| select source.getNode(), source, sink, "This exec call might be vulnerable to Windows binary planting vulnerabilities." |