• Home
• io.joern
• querydb_2.13
• 1.1.1425
• source code
• ShellExec.scala

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

io.joern.scanners.php.ShellExec.scala Maven / Gradle / Ivy

package io.joern.scanners.php

import io.joern.console._
import io.joern.dataflowengineoss.language._
import io.joern.dataflowengineoss.queryengine.EngineContext
import io.joern.macros.QueryMacros._
import io.joern.scanners._
import io.shiftleft.codepropertygraph.generated.Operators
import io.shiftleft.semanticcpg.language._

object ShellExec extends QueryBundle {

  implicit val resolver: ICallResolver = NoResolve

  @q
  def shellExec()(implicit context: EngineContext): Query =
    Query.make(
      name = "shell-exec",
      author = Crew.niko,
      title = "Shell exec: A parameter is used in an insecure `shell-exec` call.",
      description = """
          |An attacker controlled parameter is used in an insecure `shell-exec` call.
          |
          |If the parameter is not validated and sanitized, this is a remote code execution.
          |""".stripMargin,
      score = 5,
      withStrRep({ cpg =>
        // $_REQUEST["foo"], $_GET["foo"], $_POST["foo"]
        // are identifier (at the moment)
        def source =
          cpg.call.name(Operators.assignment).argument.code(".*_(REQUEST|GET|POST).*")

        def sink = cpg.call.name("shell_exec").argument

        sink.reachableBy(source).l
      }),
      tags = List(QueryTags.remoteCodeExecution, QueryTags.default)
    )
}