Add ExecTaintedLocal

egregius313 · egregius313 · commit 12dcabe371c0 · 2023-04-04T11:17:58.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll
@@ -0,0 +1,27 @@
+/** Provides a taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
+
+import java
+private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.ExternalProcess
+private import semmle.code.java.security.CommandArguments
+
+/** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
+module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
+
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType
+    or
+    node.getType() instanceof BoxedType
+    or
+    isSafeCommandArgument(node.asExpr())
+  }
+}
+
+/**
+ * Taint-tracking flow for use of externally controlled strings to make command line commands.
+ */
+module LocalUserInputToArgumentToExecFlow =
+  TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
@@ -12,28 +12,8 @@
  *       external/cwe/cwe-088
  */
 
-import semmle.code.java.Expr
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.ExternalProcess
-import semmle.code.java.security.CommandArguments
-
-module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
-
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
-
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
-    or
-    isSafeCommandArgument(node.asExpr())
-  }
-}
-
-module LocalUserInputToArgumentToExecFlow =
-  TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;
-
+import java
+import semmle.code.java.security.ExecTaintedLocalQuery
 import LocalUserInputToArgumentToExecFlow::PathGraph
 
 from
