UncontrolledProcessOperation.ql
/**
* @name Uncontrolled process operation
* @description Using externally controlled strings in a process
* operation can allow an attacker to execute malicious
* commands.
* @kind path-problem
* @problem.severity warning
* @security-severity 8.2
* @precision medium
* @id cpp/uncontrolled-process-operation
* @tags security
* external/cwe/cwe-114
*/
import cpp
import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTracking
import TaintedWithPath
/**
 * Holds if `arg` is passed to a call whose target function is named
 * `processOperation`, at an argument position that
 * `isProcessOperationArgument` reports for that function name.
 *
 * `isProcessOperationArgument` is not defined in this file; it comes from
 * one of the imported libraries.
 *
 * NOTE(review): the callee is matched through `getTarget().getName()` alone.
 * Confirm whether same-named functions in other namespaces or classes should
 * be excluded, since they would be reported as process operations too.
 */
predicate isProcessOperationExplanation(Expr arg, string processOperation) {
  exists(FunctionCall fc, int sinkIndex |
    fc.getTarget().getName() = processOperation and
    isProcessOperationArgument(processOperation, sinkIndex) and
    arg = fc.getArgument(sinkIndex)
  )
}
/**
 * Taint-tracking configuration for this query. An element is a sink when
 * `isProcessOperationExplanation` accepts it as an argument of some process
 * operation; the operation name itself is irrelevant here.
 *
 * Only `isSink` is overridden, so what counts as a taint source is decided
 * by the imported `TaintTrackingConfiguration` machinery, not by this file.
 */
class Configuration extends TaintTrackingConfiguration {
  override predicate isSink(Element arg) {
    exists(string anyOperation | isProcessOperationExplanation(arg, anyOperation))
  }
}
// Report every process-operation argument that `taintedWithPath` links to a
// source expression. The first three result columns (element, source node,
// sink node) follow the `path-problem` layout declared in the query metadata;
// `$@` in the message is filled by the trailing `source, source.toString()` pair.
from Expr source, PathNode sourceNode, Expr arg, PathNode sinkNode, string processOperation
where
  taintedWithPath(source, arg, sourceNode, sinkNode) and
  isProcessOperationExplanation(arg, processOperation)
select arg, sourceNode, sinkNode,
  "The value of this argument may come from $@ and is being passed to " + processOperation + ".",
  source, source.toString()