Find calls to ProcessBuilder and it's value equals to X

[CaledoniaProject]

I'm using this java source code to test codeql: Foo.txt
And I need to find all calls to ProcessBuilder whose argument is an array and the first two items equals to "bash" and "-c".

So I created this query:

import java

from Callable callable, Call call, Array array
where
  callable.hasName("ProcessBuilder") and
  callable.getDeclaringType().hasQualifiedName("java.lang", "ProcessBuilder") and
  call.getCallee() = callable and
  call.getArgument(0) = array and
  array.getAMember() = "bash"
select call.getFile() as file, call.getEnclosingCallable() as method, call

I'm not sure how to match the string value? It looks like there's no such method in codeql.

[Marcono1234]

If you want to match the constructor of ProcessBuilder, it might be a bit clearer to explicitly use CodeQL's Constructor class instead of Callable (you can also omit the hasName check then), or directly use ClassInstanceExpr, which represents Java's new ....

The class Array is an array type, such as int[], not the creation of an array. You are probably looking for ArrayCreationExpr, and more specifically for its getInit() predicate, and ArrayInit.getInit(int).

To match string literals in Java code, you can use StringLiteral. However, often it is more useful to use CompileTimeConstantExpr.getStringValue(), which, in addition to string literals, also covers reads of constant variables and string concatenation.

If the arguments in Java code would be directly provided to the varargs ProcessBuilder constructor (e.g. new ProcessBuilder("bash", "-c", ...)), you could use getArgument(0) and getArgument(1) to match them. However, for your example you would have to check for data flow from an array creation to the constructor call.

The following CodeQL query would probably cover your use case, however it neither covers Java code directly providing the arguments to the varargs ProcessBuilder constructor, nor does it cover any other means of starting a process.

/**
 * ...
 *
 * @kind path-problem
 */

import java
import semmle.code.java.dataflow.DataFlow
import DataFlow::PathGraph

// Define a custom data flow configuration
class BashCommandConfig extends DataFlow::Configuration {
  BashCommandConfig() { this = "BashCommandConfig" }

  override predicate isSource(DataFlow::Node source) {
    // Source is the creation of an array
    exists(ArrayCreationExpr commandArrayCreation, ArrayInit arrayInit |
      commandArrayCreation = source.asExpr() and
      arrayInit = commandArrayCreation.getInit() and
      // Check the specified command arguments
      arrayInit.getInit(0).(CompileTimeConstantExpr).getStringValue() = "bash" and
      arrayInit.getInit(1).(CompileTimeConstantExpr).getStringValue() = "-c"
    )
  }

  override predicate isSink(DataFlow::Node sink) {
    // Sink is an argument to the ProcessBuilder constructor
    exists(ClassInstanceExpr newProcessBuilderCall |
      newProcessBuilderCall.getConstructedType().hasQualifiedName("java.lang", "ProcessBuilder") and
      // Match the correct overload
      newProcessBuilderCall.getConstructor().hasStringSignature("ProcessBuilder(String[])") and
      newProcessBuilderCall.getArgument(0) = sink.asExpr()
    )
  }
}

from BashCommandConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Flow from bash command creation to execution"

This uses a path query to visualize how the data flows from the array creation to the constructor call. Path queries can be especially useful when flow goes through multiple methods. With a regular query you could only report the start and end of the flow, which might make it difficult to comprehend the flow path.

Note that CodeQL already has queries for untrusted user input used as process argument (see java/ql/src/Security/CWE/CWE-078); maybe that already suffices for your use case, or you could reuse parts of it for your query.

[CaledoniaProject]

This worked for the case. I'm just trying to use codeql on this vulnerability: https://securitylab.github.com/advisories/GHSL-2021-085-apache-storm/ where the source may not be defined in codeql.