Potential Errors command-line-injection Related to CWE-78 in dynamic_model_factory.cc

[Close-Recover]

Dear developers,

When we use CodeQL (GitHub's own static code analysis tool) to analyze the project, it has reported an error from code that may cause breakdown. And we found that this potential error tend to exist in the project for a relatively long time. In this issue we will provide the error form a single file modules/dreamview/backend/common/sim_control_manager/core/dynamic model factory.cc, including its name, location and analysis steps (code data flow). Hopefully it will get your attention, and we are looking forward to further communication.

System information

• OS Platform and Distribution: Linux Ubuntu 18.04
• Apollo installed from: source
• Apollo version: 9.0, but it appears in a much earlier version like v8.0. At that time it was in modules/dreamview/backend/sim_control_manager/core/dynamic_model_factory.cc
• Output of apollo.sh config if on master branch: no output can be given because the analysis was run just after standard installation

Steps to reproduce the issue:

• Prepare everything by following the guidance of official docs before running './apollo.sh build'
• Then use CodeQL create database command to establish database and set '--command = './apollo.sh build'', it looks like: codeql database create new-database --language=<language> --command='./apollo.sh build'
• Please note that the process needs a clean build and may take a long time to finish. Using clean command and parallelization techniques based on your hardware environment may help you make it faster

Supporting materials (screenshots, command lines, code/script snippets):

• Because of the limit of GitHub, we cannot attach the original file directly. You can contact us by email to obtain it: [email protected]
• Here is its information that was reported as the most important, they are focused on command-line-injection, using user-supplied data in an OS command, without neutralizing special elements, can make code vulnerable to command injection, which is related to CWE-78. The <number:number> pattern means the specific location of code (e.g. read output argument novatel.c 2001:13, 'fread output argument' is code, '2001:13' is detailed location) in code file and it helps you to detect code data flow in program:

This argument to an OS command is derived from user input (an environment variable), dangerously concatenated into call to operator+, and then passed to system(__command): *call to getenv environment.h 31:21 *GetEnv environment.h 29:20 call to GetEnv dynamic_model_factory.cc 48:16 operator= output argument dynamic_model_factory.cc 48:3 *this [post update] [home_path_] dynamic_model_factory.cc 48:3 *this [home_path_] dynamic_model_factory.cc 49:31 *home_path_ :1 *__lhs basic_string.h 5888:60 *operator+ basic_string.h 5888:5 call to operator+ dynamic_model_factory.cc 49:42 operator= output argument dynamic_model_factory.cc 49:3 *this [post update] [dynamic_model_local_path_] dynamic_model_factory.cc 49:3 call to DynamicModelFactory [dynamic_model_local_path_] dynamic_model_factory.h 43:3 **instance [dynamic_model_local_path_] dynamic_model_factory.h 43:3 **Instance [dynamic_model_local_path_] dynamic_model_factory.h 43:3 *call to Instance [dynamic_model_local_path_] sim_control_manager.cc 88:25 *model_factory [dynamic_model_local_path_] sim_control_manager.cc 89:10 *this [dynamic_model_local_path_] dynamic_model_factory.cc 219:6 *this [dynamic_model_local_path_] dynamic_model_factory.cc 229:3 *this [dynamic_model_local_path_] dynamic_model_factory.cc 154:6 *this [dynamic_model_local_path_] dynamic_model_factory.cc 158:11 *dynamic_model_local_path_ :1 *__lhs basic_string.h 5888:60 *operator+ basic_string.h 5888:5 call to operator+ dynamic_model_factory.cc 158:37 operator= output argument dynamic_model_factory.cc 158:3 GetDynamicModelPath output argument dynamic_model_factory.cc 229:43 *dynamic_model_dir dynamic_model_factory.cc 230:37 call to operator+ dynamic_model_factory.cc 230:35 *call to data dynamic_model_factory.cc 233:27