test new queries

codeql/addipamconfig-to-exec.ql

@@ -0,0 +1,51 @@
+/**
+ * @name Command Injection From CNS ipam add result / CNS multitenancy ipam add result
+ * @description Flow exists from CNS ipam add result / CNS multitenancy ipam add result (untrusted) to exec command
+ * @kind path-problem
+ * @problem.severity warning
+ * @id go/cmd-inject-ipam-add-result
+ * @tags security
+ */
+
+// Detect inputs from CNS add ipam result / CNS multitenancy ipam add result to command injection
+// 1 linux, 2 windows
+import go
+
+private class Sink extends DataFlow2::Node {
+  Sink() {
+    exists(DataFlow::CallNode c |
+      c.getTarget().hasQualifiedName("os/exec", "CommandContext") and
+      (c.getArgument(2) = this or c.getArgument(1) = this)
+      or
+      c.getTarget().hasQualifiedName("os/exec", "Command") and
+      (c.getArgument(0) = this or c.getArgument(1) = this)
+    )
+  }
+}
+
+private class Source extends DataFlow2::Node {
+  Source() {
+    exists(DataFlow::CallNode c, Method m |
+      //m.hasQualifiedName("github.com/Azure/azure-container-networking/cni/network", "NetPlugin",
+      //  "addIpamInvoker") or // this is maybe not necessary since we call GetAllNetworkContainers right next to this = duplicated results
+      m.hasQualifiedName("github.com/Azure/azure-container-networking/cni/network", "Multitenancy",
+        "GetAllNetworkContainers") and
+      c = m.getACall() and
+      c.getResult(0) = this
+    )
+  }
+}
+
+module MyConfiguration implements DataFlow::ConfigSig {
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+}
+
+module Flow = TaintTracking::Global<MyConfiguration>;
+
+import Flow::PathGraph
+
+from Flow::PathNode source, Flow::PathNode sink
+where Flow::flowPath(source, sink)
+select sink.getNode(), source, sink, "potential command injection"

codeql/cni-args-to-exec.ql

@@ -0,0 +1,57 @@
+/**
+ * @name Command Injection From CNI Args
+ * @description Flow exists from CNI Args (untrusted) to exec command
+ * @kind path-problem
+ * @problem.severity warning
+ * @id go/cmd-inject-cni
+ * @tags security
+ */
+
+// Detect inputs from CNI ARGS to command injection
+// 2 windows, 1 linux
+import go
+
+private class Sink extends DataFlow2::Node {
+  Sink() {
+    exists(DataFlow::CallNode c |
+      c.getTarget().hasQualifiedName("os/exec", "CommandContext") and
+      (c.getArgument(2) = this or c.getArgument(1) = this)
+      or
+      c.getTarget().hasQualifiedName("os/exec", "Command") and
+      (c.getArgument(0) = this or c.getArgument(1) = this)
+    )
+  }
+}
+
+private class Source extends DataFlow2::Node {
+  Source() {
+    exists(DataFlow::CallNode c, Method m |
+      (
+        m.hasQualifiedName("github.com/Azure/azure-container-networking/cni/network", "NetPlugin",
+          "Add") or
+        m.hasQualifiedName("github.com/Azure/azure-container-networking/cni/network", "NetPlugin",
+          "Delete") or
+        m.hasQualifiedName("github.com/Azure/azure-container-networking/cni/network", "NetPlugin",
+          "Update") or
+        m.hasQualifiedName("github.com/Azure/azure-container-networking/cni/network", "NetPlugin",
+          "Get")
+      ) and
+      c = m.getACall() and
+      c.getArgument(0) = this
+    )
+  }
+}
+
+module MyConfiguration implements DataFlow::ConfigSig {
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+}
+
+module Flow = TaintTracking::Global<MyConfiguration>;
+
+import Flow::PathGraph
+
+from Flow::PathNode source, Flow::PathNode sink
+where Flow::flowPath(source, sink)
+select sink.getNode(), source, sink, "potential command injection"

codeql/cns-invoker-to-exec.ql

@@ -0,0 +1,57 @@
+/**
+ * @name Command Injection From CNS Invoker
+ * @description Flow exists from CNS Invoker (untrusted) to exec command
+ * @kind path-problem
+ * @problem.severity warning
+ * @id go/cmd-inject-cns-invoker
+ * @tags security
+ */
+
+// Detect inputs from CNS Invoker to command injection
+// Does not detect flow to outside the enclosed method (which is why we analyze addIpamInvoker's results too)
+import go
+
+private class Sink extends DataFlow2::Node {
+  Sink() {
+    exists(DataFlow::CallNode c |
+      c.getTarget().hasQualifiedName("os/exec", "CommandContext") and
+      (c.getArgument(2) = this or c.getArgument(1) = this)
+      or
+      c.getTarget().hasQualifiedName("os/exec", "Command") and
+      (c.getArgument(0) = this or c.getArgument(1) = this)
+    )
+  }
+}
+
+private class Source extends DataFlow2::Node {
+  Source() {
+    exists(DataFlow::CallNode c, Method m |
+      (
+        m.hasQualifiedName("github.com/Azure/azure-container-networking/cns/client", "Client",
+          "RequestIPs") or
+        m.hasQualifiedName("github.com/Azure/azure-container-networking/cns/client", "Client",
+          "RequestIPAddress") or
+        m.hasQualifiedName("github.com/Azure/azure-container-networking/cns/client", "Client",
+          "GetNetworkContainer") or
+        m.hasQualifiedName("github.com/Azure/azure-container-networking/cns/client", "Client",
+          "GetAllNetworkContainers")
+      ) and
+      c = m.getACall() and
+      c.getResult(0) = this
+    )
+  }
+}
+
+module MyConfiguration implements DataFlow::ConfigSig {
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+}
+
+module Flow = TaintTracking::Global<MyConfiguration>;
+
+import Flow::PathGraph
+
+from Flow::PathNode source, Flow::PathNode sink
+where Flow::flowPath(source, sink)
+select sink.getNode(), source, sink, "potential command injection"