Merge pull request diffblue#580 from diffblue/owen-jones-diffblue/command-injection

owen-jones-diffblue · web-flow · commit 1f5f1fcba90d · 2018-08-28T14:19:41.000+01:00
SEC-662: Added first test for command injection
diff --git a/regression/end_to_end/command_injection/build.xml b/regression/end_to_end/command_injection/build.xml
@@ -0,0 +1,17 @@
+<project name="Main" basedir="." default="compile">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}/src"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on" />
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+  </target>
+
+</project>
diff --git a/regression/end_to_end/command_injection/rules.json b/regression/end_to_end/command_injection/rules.json
@@ -0,0 +1,27 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+    [
+      {
+        "comment": "Obtaining tainted string.",
+        "class": "command_injection.Main",
+        "method": "make_tainted:(Ljava/lang/String;)Ljava/lang/String;",
+        "result": {
+          "location": "returns",
+          "taint": "command injection taint"
+        }
+      },
+      {
+        "comment": "Executing a tainted string.",
+        "class": "java.lang.Runtime",
+        "method": "exec:(Ljava/lang/String;)Ljava/lang/Process;",
+        "sinkTarget": {
+          "location": "arg1",
+          "taint": "command injection taint"
+        },
+        "message": "A tainted string was executed."
+      }
+    ]
+}
+
+
diff --git a/regression/end_to_end/command_injection/src/Main.java b/regression/end_to_end/command_injection/src/Main.java
@@ -0,0 +1,28 @@
+package command_injection;
+
+import java.io.IOException;
+import java.util.List;
+
+public class Main {
+
+    private static String make_tainted(String s) {
+        return s;
+    }
+
+    private static void test_exec(String string_from_attacker) {
+        try {
+            Process p = Runtime.getRuntime().exec(string_from_attacker);
+        }
+        catch (IOException e) {
+        }
+    }
+
+    public static void main(String[] args) {
+        if (args.length < 1)
+            return;
+
+        String string_from_attacker = make_tainted(args[0]);
+
+        test_exec(string_from_attacker);
+    }
+}
diff --git a/regression/end_to_end/command_injection/test_command_injection.py b/regression/end_to_end/command_injection/test_command_injection.py
@@ -0,0 +1,22 @@
+import fasteners
+import os
+import subprocess
+
+from regression.end_to_end.driver import run_security_analyser_pipeline
+import regression.utils as utils
+
+
+@fasteners.interprocess_locked(os.path.join(os.path.dirname(__file__), ".build_lock"))
+def test_command_injection(load_strategy):
+    with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.check_call(["ant"])
+    with run_security_analyser_pipeline(
+            "build",
+            "rules.json",
+            os.path.realpath(os.path.dirname(__file__)),
+            "command_injection.Main.main",
+            load_strategy,
+            extra_args=["--use-models-library"]) as traces:
+        assert traces.count_traces() == 1
+        assert traces.trace_exists(
+            "java::command_injection.Main.test_exec:(Ljava/lang/String;)V", 14)
