/**
* @name Cache Poisoning via low-privileged code injection
* @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
* @kind path-problem
* @problem.severity error
* @precision high
* @security-severity 7.5
* @id actions/cache-poisoning/code-injection
* @tags actions
* security
* external/cwe/cwe-349
* external/cwe/cwe-094
*/
import actions
import codeql.actions.security.CodeInjectionQuery
import codeql.actions.security.CachePoisoningQuery
import CodeInjectionFlow::PathGraph
import codeql.actions.security.ControlChecks
// Report every code-injection sink that is reached by a CodeInjectionFlow path
// and that runs in a context relevant to cache poisoning (the `Event` returned
// by getRelevantCachePoisoningEventForSink), unless a ControlCheck already
// guards the injection source for that event.
from
  CodeInjectionFlow::PathNode injectionSource, CodeInjectionFlow::PathNode injectionSink,
  Event poisoningEvent
where
  poisoningEvent = getRelevantCachePoisoningEventForSink(injectionSink.getNode()) and
  CodeInjectionFlow::flowPath(injectionSource, injectionSink) and
  // the injection source is not guarded by an access check for this event
  // (ControlCheck.protects with the "code-injection" category); the earlier
  // wording "the checkout is not controlled" was inherited from a sibling query
  // and does not describe this predicate
  not exists(ControlCheck guard |
    guard.protects(injectionSource.getNode().asExpr(), poisoningEvent, "code-injection")
  )
select injectionSink.getNode(), injectionSource, injectionSink,
  "Unprivileged code injection in $@, which may lead to cache poisoning ($@).",
  injectionSink, injectionSink.getNode().asExpr().(Expression).getRawExpression(),
  poisoningEvent, poisoningEvent.getName()