-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathCodeInjectionMedium.ql
More file actions
33 lines (31 loc) · 1.2 KB
/
CodeInjectionMedium.ql
File metadata and controls
33 lines (31 loc) · 1.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
/**
* @name Code injection
* @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
* code execution.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.0
* @precision medium
* @id actions/code-injection/medium
* @tags actions
* security
* external/cwe/cwe-094
* external/cwe/cwe-095
* external/cwe/cwe-116
*/
import actions
import codeql.actions.security.CodeInjectionQuery
import CodeInjectionFlow::PathGraph
from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
where
CodeInjectionFlow::flowPath(source, sink) and
inNonPrivilegedContext(sink.getNode().asExpr()) and
// exclude cases where the sink is a JS script and the expression uses toJson
not exists(UsesStep script |
script.getCallee() = "actions/github-script" and
script.getArgumentExpr("script") = sink.getNode().asExpr() and
exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
)
select sink.getNode(), source, sink,
"Potential code injection in $@, which may be controlled by an external user.", sink,
sink.getNode().asExpr().(Expression).getRawExpression()