hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

JS: address copilot suggestions

Browse Source
This commit is contained in:
Napalys Klicius
2025-06-24 11:37:07 +02:00
parent 8c345461f0
commit 0902ca0605
2 changed files with 40 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected
View File

@@ -33,25 +33,24 @@
| execa.js:23:17:23:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:23:17:23:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:24:17:24:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:24:17:24:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:25:17:25:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:25:17:25:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:26:17:26:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:26:17:26:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:27:15:27:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:27:15:27:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:28:15:28:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:28:15:28:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:29:15:29:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:29:15:29:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:30:24:30:47 | cmd + a ... + arg3 | execa.js:6:25:6:31 | req.url | execa.js:30:24:30:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:30:24:30:47 | cmd + a ... + arg3 | execa.js:7:26:7:32 | req.url | execa.js:30:24:30:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
| execa.js:30:24:30:47 | cmd + a ... + arg3 | execa.js:8:26:8:32 | req.url | execa.js:30:24:30:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
| execa.js:30:24:30:47 | cmd + a ... + arg3 | execa.js:9:26:9:32 | req.url | execa.js:30:24:30:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
| execa.js:31:24:31:47 | cmd + a ... + arg3 | execa.js:6:25:6:31 | req.url | execa.js:31:24:31:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:31:24:31:47 | cmd + a ... + arg3 | execa.js:7:26:7:32 | req.url | execa.js:31:24:31:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
| execa.js:31:24:31:47 | cmd + a ... + arg3 | execa.js:8:26:8:32 | req.url | execa.js:31:24:31:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
| execa.js:31:24:31:47 | cmd + a ... + arg3 | execa.js:9:26:9:32 | req.url | execa.js:31:24:31:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
| execa.js:32:24:32:47 | cmd + a ... + arg3 | execa.js:6:25:6:31 | req.url | execa.js:32:24:32:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:32:24:32:47 | cmd + a ... + arg3 | execa.js:7:26:7:32 | req.url | execa.js:32:24:32:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
| execa.js:32:24:32:47 | cmd + a ... + arg3 | execa.js:8:26:8:32 | req.url | execa.js:32:24:32:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
| execa.js:32:24:32:47 | cmd + a ... + arg3 | execa.js:9:26:9:32 | req.url | execa.js:32:24:32:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
| execa.js:33:22:33:45 | cmd + a ... + arg3 | execa.js:6:25:6:31 | req.url | execa.js:33:22:33:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:33:22:33:45 | cmd + a ... + arg3 | execa.js:7:26:7:32 | req.url | execa.js:33:22:33:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
| execa.js:33:22:33:45 | cmd + a ... + arg3 | execa.js:8:26:8:32 | req.url | execa.js:33:22:33:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
| execa.js:33:22:33:45 | cmd + a ... + arg3 | execa.js:9:26:9:32 | req.url | execa.js:33:22:33:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
| execa.js:34:22:34:45 | cmd + a ... + arg3 | execa.js:6:25:6:31 | req.url | execa.js:34:22:34:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:34:22:34:45 | cmd + a ... + arg3 | execa.js:7:26:7:32 | req.url | execa.js:34:22:34:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
| execa.js:34:22:34:45 | cmd + a ... + arg3 | execa.js:8:26:8:32 | req.url | execa.js:34:22:34:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
| execa.js:34:22:34:45 | cmd + a ... + arg3 | execa.js:9:26:9:32 | req.url | execa.js:34:22:34:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
| execa.js:35:22:35:45 | cmd + a ... + arg3 | execa.js:6:25:6:31 | req.url | execa.js:35:22:35:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:35:22:35:45 | cmd + a ... + arg3 | execa.js:7:26:7:32 | req.url | execa.js:35:22:35:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
| execa.js:35:22:35:45 | cmd + a ... + arg3 | execa.js:8:26:8:32 | req.url | execa.js:35:22:35:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
| execa.js:35:22:35:45 | cmd + a ... + arg3 | execa.js:9:26:9:32 | req.url | execa.js:35:22:35:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
| form-parsers.js:9:8:9:39 | "touch ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch ... nalname | This command line depends on a $@. | form-parsers.js:9:19:9:26 | req.file | user-provided value |
| form-parsers.js:14:10:14:37 | "touch ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch ... nalname | This command line depends on a $@. | form-parsers.js:13:3:13:11 | req.files | user-provided value |
| form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command line depends on a $@. | form-parsers.js:24:48:24:55 | filename | user-provided value |
@@ -149,49 +148,48 @@ edges
| execa.js:6:9:6:54 | cmd | execa.js:23:17:23:19 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:24:17:24:19 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:25:17:25:19 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:26:17:26:19 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:27:15:27:17 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:28:15:28:17 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:29:15:29:17 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:30:24:30:26 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:31:24:31:26 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:32:24:32:26 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:33:22:33:24 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:34:22:34:24 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:35:22:35:24 | cmd | provenance | |
| execa.js:6:15:6:38 | url.par ... , true) | execa.js:6:9:6:54 | cmd | provenance | |
| execa.js:6:25:6:31 | req.url | execa.js:6:15:6:38 | url.par ... , true) | provenance | |
| execa.js:7:9:7:53 | arg1 | execa.js:30:30:30:33 | arg1 | provenance | |
| execa.js:7:9:7:53 | arg1 | execa.js:31:30:31:33 | arg1 | provenance | |
| execa.js:7:9:7:53 | arg1 | execa.js:32:30:32:33 | arg1 | provenance | |
| execa.js:7:9:7:53 | arg1 | execa.js:33:28:33:31 | arg1 | provenance | |
| execa.js:7:9:7:53 | arg1 | execa.js:34:28:34:31 | arg1 | provenance | |
| execa.js:7:9:7:53 | arg1 | execa.js:35:28:35:31 | arg1 | provenance | |
| execa.js:7:16:7:39 | url.par ... , true) | execa.js:7:9:7:53 | arg1 | provenance | |
| execa.js:7:26:7:32 | req.url | execa.js:7:16:7:39 | url.par ... , true) | provenance | |
| execa.js:8:9:8:53 | arg2 | execa.js:30:37:30:40 | arg2 | provenance | |
| execa.js:8:9:8:53 | arg2 | execa.js:31:37:31:40 | arg2 | provenance | |
| execa.js:8:9:8:53 | arg2 | execa.js:32:37:32:40 | arg2 | provenance | |
| execa.js:8:9:8:53 | arg2 | execa.js:33:35:33:38 | arg2 | provenance | |
| execa.js:8:9:8:53 | arg2 | execa.js:34:35:34:38 | arg2 | provenance | |
| execa.js:8:9:8:53 | arg2 | execa.js:35:35:35:38 | arg2 | provenance | |
| execa.js:8:16:8:39 | url.par ... , true) | execa.js:8:9:8:53 | arg2 | provenance | |
| execa.js:8:26:8:32 | req.url | execa.js:8:16:8:39 | url.par ... , true) | provenance | |
| execa.js:9:9:9:53 | arg3 | execa.js:30:44:30:47 | arg3 | provenance | |
| execa.js:9:9:9:53 | arg3 | execa.js:31:44:31:47 | arg3 | provenance | |
| execa.js:9:9:9:53 | arg3 | execa.js:32:44:32:47 | arg3 | provenance | |
| execa.js:9:9:9:53 | arg3 | execa.js:33:42:33:45 | arg3 | provenance | |
| execa.js:9:9:9:53 | arg3 | execa.js:34:42:34:45 | arg3 | provenance | |
| execa.js:9:9:9:53 | arg3 | execa.js:35:42:35:45 | arg3 | provenance | |
| execa.js:9:16:9:39 | url.par ... , true) | execa.js:9:9:9:53 | arg3 | provenance | |
| execa.js:9:26:9:32 | req.url | execa.js:9:16:9:39 | url.par ... , true) | provenance | |
| execa.js:30:24:30:26 | cmd | execa.js:30:24:30:47 | cmd + a ... + arg3 | provenance | |
| execa.js:30:30:30:33 | arg1 | execa.js:30:24:30:47 | cmd + a ... + arg3 | provenance | |
| execa.js:30:37:30:40 | arg2 | execa.js:30:24:30:47 | cmd + a ... + arg3 | provenance | |
| execa.js:30:44:30:47 | arg3 | execa.js:30:24:30:47 | cmd + a ... + arg3 | provenance | |
| execa.js:31:24:31:26 | cmd | execa.js:31:24:31:47 | cmd + a ... + arg3 | provenance | |
| execa.js:31:30:31:33 | arg1 | execa.js:31:24:31:47 | cmd + a ... + arg3 | provenance | |
| execa.js:31:37:31:40 | arg2 | execa.js:31:24:31:47 | cmd + a ... + arg3 | provenance | |
| execa.js:31:44:31:47 | arg3 | execa.js:31:24:31:47 | cmd + a ... + arg3 | provenance | |
| execa.js:32:24:32:26 | cmd | execa.js:32:24:32:47 | cmd + a ... + arg3 | provenance | |
| execa.js:32:30:32:33 | arg1 | execa.js:32:24:32:47 | cmd + a ... + arg3 | provenance | |
| execa.js:32:37:32:40 | arg2 | execa.js:32:24:32:47 | cmd + a ... + arg3 | provenance | |
| execa.js:32:44:32:47 | arg3 | execa.js:32:24:32:47 | cmd + a ... + arg3 | provenance | |
| execa.js:33:22:33:24 | cmd | execa.js:33:22:33:45 | cmd + a ... + arg3 | provenance | |
| execa.js:33:28:33:31 | arg1 | execa.js:33:22:33:45 | cmd + a ... + arg3 | provenance | |
| execa.js:33:35:33:38 | arg2 | execa.js:33:22:33:45 | cmd + a ... + arg3 | provenance | |
| execa.js:33:42:33:45 | arg3 | execa.js:33:22:33:45 | cmd + a ... + arg3 | provenance | |
| execa.js:34:22:34:24 | cmd | execa.js:34:22:34:45 | cmd + a ... + arg3 | provenance | |
| execa.js:34:28:34:31 | arg1 | execa.js:34:22:34:45 | cmd + a ... + arg3 | provenance | |
| execa.js:34:35:34:38 | arg2 | execa.js:34:22:34:45 | cmd + a ... + arg3 | provenance | |
| execa.js:34:42:34:45 | arg3 | execa.js:34:22:34:45 | cmd + a ... + arg3 | provenance | |
| execa.js:35:22:35:24 | cmd | execa.js:35:22:35:45 | cmd + a ... + arg3 | provenance | |
| execa.js:35:28:35:31 | arg1 | execa.js:35:22:35:45 | cmd + a ... + arg3 | provenance | |
| execa.js:35:35:35:38 | arg2 | execa.js:35:22:35:45 | cmd + a ... + arg3 | provenance | |
| execa.js:35:42:35:45 | arg3 | execa.js:35:22:35:45 | cmd + a ... + arg3 | provenance | |
| form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch ... nalname | provenance | |
| form-parsers.js:13:3:13:11 | req.files | form-parsers.js:13:21:13:24 | file | provenance | |
| form-parsers.js:13:21:13:24 | file | form-parsers.js:14:21:14:24 | file | provenance | |
@@ -317,29 +315,28 @@ nodes
| execa.js:23:17:23:19 | cmd | semmle.label | cmd |
| execa.js:24:17:24:19 | cmd | semmle.label | cmd |
| execa.js:25:17:25:19 | cmd | semmle.label | cmd |
| execa.js:26:17:26:19 | cmd | semmle.label | cmd |
| execa.js:27:15:27:17 | cmd | semmle.label | cmd |
| execa.js:28:15:28:17 | cmd | semmle.label | cmd |
| execa.js:29:15:29:17 | cmd | semmle.label | cmd |
| execa.js:30:24:30:26 | cmd | semmle.label | cmd |
| execa.js:30:24:30:47 | cmd + a ... + arg3 | semmle.label | cmd + a ... + arg3 |
| execa.js:30:30:30:33 | arg1 | semmle.label | arg1 |
| execa.js:30:37:30:40 | arg2 | semmle.label | arg2 |
| execa.js:30:44:30:47 | arg3 | semmle.label | arg3 |
| execa.js:31:24:31:26 | cmd | semmle.label | cmd |
| execa.js:31:24:31:47 | cmd + a ... + arg3 | semmle.label | cmd + a ... + arg3 |
| execa.js:31:30:31:33 | arg1 | semmle.label | arg1 |
| execa.js:31:37:31:40 | arg2 | semmle.label | arg2 |
| execa.js:31:44:31:47 | arg3 | semmle.label | arg3 |
| execa.js:32:24:32:26 | cmd | semmle.label | cmd |
| execa.js:32:24:32:47 | cmd + a ... + arg3 | semmle.label | cmd + a ... + arg3 |
| execa.js:32:30:32:33 | arg1 | semmle.label | arg1 |
| execa.js:32:37:32:40 | arg2 | semmle.label | arg2 |
| execa.js:32:44:32:47 | arg3 | semmle.label | arg3 |
| execa.js:33:22:33:24 | cmd | semmle.label | cmd |
| execa.js:33:22:33:45 | cmd + a ... + arg3 | semmle.label | cmd + a ... + arg3 |
| execa.js:33:28:33:31 | arg1 | semmle.label | arg1 |
| execa.js:33:35:33:38 | arg2 | semmle.label | arg2 |
| execa.js:33:42:33:45 | arg3 | semmle.label | arg3 |
| execa.js:34:22:34:24 | cmd | semmle.label | cmd |
| execa.js:34:22:34:45 | cmd + a ... + arg3 | semmle.label | cmd + a ... + arg3 |
| execa.js:34:28:34:31 | arg1 | semmle.label | arg1 |
| execa.js:34:35:34:38 | arg2 | semmle.label | arg2 |
| execa.js:34:42:34:45 | arg3 | semmle.label | arg3 |
| execa.js:35:22:35:24 | cmd | semmle.label | cmd |
| execa.js:35:22:35:45 | cmd + a ... + arg3 | semmle.label | cmd + a ... + arg3 |
| execa.js:35:28:35:31 | arg1 | semmle.label | arg1 |
| execa.js:35:35:35:38 | arg2 | semmle.label | arg2 |
| execa.js:35:42:35:45 | arg3 | semmle.label | arg3 |
| form-parsers.js:9:8:9:39 | "touch ... nalname | semmle.label | "touch ... nalname |
| form-parsers.js:9:19:9:26 | req.file | semmle.label | req.file |
| form-parsers.js:13:3:13:11 | req.files | semmle.label | req.files |

7
javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execa.js
View File

@@ -16,13 +16,12 @@ http.createServer(async function (req, res) {
$.sync`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
$.sync`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
await $({ shell: true })`${cmd} ${arg1} ${arg2} ${arg3}` // $Alert
await $({ shell: false })`${cmd} ${arg1} ${arg2} ${arg3}` // $Alert
await $({ shell: false })`ssh ${arg1} ${arg2} ${arg3}` // safely escapes variables, preventing shell injection.
await $({ shell: true })`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
await $({ shell: false })`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
await $({ shell: false })`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
await execa(cmd, [arg1, arg2, arg3]); // $Alert
await execa(cmd, { shell: true }); // $Alert
await execa(cmd, { shell: true }); // $Alert
await execa(cmd, [arg1, arg2, arg3], { shell: true }); // $Alert
execaSync(cmd, [arg1, arg2, arg3]); // $Alert