hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

require that an options object has a known set of properties

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-02-20 11:35:11 +01:00
parent b5ef45e6c2
commit 12c0291dde
3 changed files with 13 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
javascript/ql/src/semmle/javascript/security/UselessUseOfCat.qll
View File

@@ -60,15 +60,20 @@ class UselessCat extends DataFlow::CallNode {
UselessCat() {
this = candidate and
exists(createReadFileCall(this)) and
// wildcards, pipes, redirections, and multiple files are OK.
// (The multiple files detection relies on the fileArgument not containing spaces anywhere)
not candidate.getFileArgument().regexpMatch(".*(\\*|\\||>|<| ).*") and
// Only acceptable option is "encoding", everything else is non-trivial to emulate with fs.readFile.
not exists(string prop |
not prop = "encoding" and
exists(candidate.getOptionsArg().getALocalSource().getAPropertyWrite(prop))
(
not exists(candidate.getOptionsArg())
or
forex(string prop |
exists(candidate.getOptionsArg().getALocalSource().getAPropertyWrite(prop))
|
prop = "encoding"
)
) and
exists(createReadFileCall(this)) and
// If there is a callback, then it must either have one or two arguments, or if there is a third argument it must be unused.
(
not exists(candidate.getCallback())