add unary type-tracking predicates

erik-krogh · erik-krogh · commit 8e316d2f05cd · 2020-02-10T12:51:09.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll b/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll
@@ -33,6 +33,13 @@ private DataFlow::Node commandArgument(SystemCommandExecution sys, DataFlow::Typ
   exists(DataFlow::TypeBackTracker t2 | t = t2.smallstep(result, commandArgument(sys, t2)))
 }
 
+/**
+ * Gets a data-flow node whose value ends up being interpreted as the command argument in `sys`. 
+ */
+private DataFlow::Node commandArgument(SystemCommandExecution sys) {
+  result = commandArgument(sys, DataFlow::TypeBackTracker::end())
+}
+
 /**
  * Gets a data-flow node whose value ends up being interpreted as the argument list in `sys`
  * after a flow summarized by `t`.
@@ -51,6 +58,13 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::
   )
 }
 
+/**
+ * Gets a data-flow node whose value ends up being interpreted as the argument list in `sys`. 
+ */
+private DataFlow::SourceNode argumentList(SystemCommandExecution sys) {
+  result = argumentList(sys, DataFlow::TypeBackTracker::end())
+}
+
 /**
  * Holds if `source` contributes to the arguments of an indirect command execution `sys`.
  *
@@ -73,13 +87,13 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::
 predicate isIndirectCommandArgument(DataFlow::Node source, SystemCommandExecution sys) {
   exists(DataFlow::ArrayCreationNode args, DataFlow::Node shell, string dashC |
     shellCmd(shell.asExpr(), dashC) and
-    shell = commandArgument(sys, DataFlow::TypeBackTracker::end()) and
+    shell = commandArgument(sys) and
     args.getAPropertyWrite().getRhs().mayHaveStringValue(dashC) and
-    args = argumentList(sys, DataFlow::TypeBackTracker::end()) and
+    args = argumentList(sys) and
     (
-      source = argumentList(sys, DataFlow::TypeBackTracker::end())
+      source = argumentList(sys)
       or
-      source = argumentList(sys, DataFlow::TypeBackTracker::end()).getAPropertyWrite().getRhs()
+      source = argumentList(sys).getAPropertyWrite().getRhs()
     )
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,13 @@ private DataFlow::Node commandArgument(SystemCommandExecution sys, DataFlow::Typ`
`33`	`33`	`exists(DataFlow::TypeBackTracker t2 \| t = t2.smallstep(result, commandArgument(sys, t2)))`
`34`	`34`	`}`
`35`	`35`
	`36`	`+/**`
	`37`	+ * Gets a data-flow node whose value ends up being interpreted as the command argument in `sys`.
	`38`	`+ */`
	`39`	`+private DataFlow::Node commandArgument(SystemCommandExecution sys) {`
	`40`	`+ result = commandArgument(sys, DataFlow::TypeBackTracker::end())`
	`41`	`+}`
	`42`	`+`
`36`	`43`	`/**`
`37`	`44`	* Gets a data-flow node whose value ends up being interpreted as the argument list in `sys`
`38`	`45`	* after a flow summarized by `t`.
`@@ -51,6 +58,13 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::`
`51`	`58`	`)`
`52`	`59`	`}`
`53`	`60`
	`61`	`+/**`
	`62`	+ * Gets a data-flow node whose value ends up being interpreted as the argument list in `sys`.
	`63`	`+ */`
	`64`	`+private DataFlow::SourceNode argumentList(SystemCommandExecution sys) {`
	`65`	`+ result = argumentList(sys, DataFlow::TypeBackTracker::end())`
	`66`	`+}`
	`67`	`+`
`54`	`68`	`/**`
`55`	`69`	* Holds if `source` contributes to the arguments of an indirect command execution `sys`.
`56`	`70`	`*`
`@@ -73,13 +87,13 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::`
`73`	`87`	`predicate isIndirectCommandArgument(DataFlow::Node source, SystemCommandExecution sys) {`
`74`	`88`	`exists(DataFlow::ArrayCreationNode args, DataFlow::Node shell, string dashC \|`
`75`	`89`	`shellCmd(shell.asExpr(), dashC) and`
`76`		`- shell = commandArgument(sys, DataFlow::TypeBackTracker::end()) and`
	`90`	`+ shell = commandArgument(sys) and`
`77`	`91`	`args.getAPropertyWrite().getRhs().mayHaveStringValue(dashC) and`
`78`		`- args = argumentList(sys, DataFlow::TypeBackTracker::end()) and`
	`92`	`+ args = argumentList(sys) and`
`79`	`93`	`(`
`80`		`- source = argumentList(sys, DataFlow::TypeBackTracker::end())`
	`94`	`+ source = argumentList(sys)`
`81`	`95`	`or`
`82`		`- source = argumentList(sys, DataFlow::TypeBackTracker::end()).getAPropertyWrite().getRhs()`
	`96`	`+ source = argumentList(sys).getAPropertyWrite().getRhs()`
`83`	`97`	`)`
`84`	`98`	`)`
`85`	`99`	`}`