[DIFF-INFORMED] Actions: CommandInjection

d10c · d10c · commit f1b995a73689 · 2025-08-15T11:11:03.000+02:00
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql#L24 https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql#L28
diff --git a/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
@@ -3,11 +3,20 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
+import codeql.actions.security.ControlChecks
 
 private class CommandInjectionSink extends DataFlow::Node {
   CommandInjectionSink() { madSink(this, "command-injection") }
 }
 
+/** Get the relevant event for the sink in CommandInjectionCritical.ql. */
+Event getRelevantEventInPrivilegedContext(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check |
+    check.protects(sink.asExpr(), result, ["command-injection", "code-injection"])
+  )
+}
+
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate a system command.
@@ -16,6 +25,16 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantEventInPrivilegedContext(sink).getLocation()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
diff --git a/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql b/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
@@ -21,10 +21,7 @@ import codeql.actions.security.ControlChecks
 from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Event event
 where
   CommandInjectionFlow::flowPath(source, sink) and
-  inPrivilegedContext(sink.getNode().asExpr(), event) and
-  not exists(ControlCheck check |
-    check.protects(sink.getNode().asExpr(), event, ["command-injection", "code-injection"])
-  )
+  event = getRelevantEventInPrivilegedContext(sink.getNode())
 select sink.getNode(), source, sink,
   "Potential command injection in $@, which may be controlled by an external user ($@).", sink,
   sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()
