added inline tests, move to experimental dir

javascript/ql/lib/javascript.qll

@@ -123,7 +123,6 @@ import semmle.javascript.frameworks.Request
 import semmle.javascript.frameworks.RxJS
 import semmle.javascript.frameworks.ServerLess
 import semmle.javascript.frameworks.ShellJS
-import semmle.javascript.frameworks.Execa
 import semmle.javascript.frameworks.Snapdragon
 import semmle.javascript.frameworks.SystemCommandExecutors
 import semmle.javascript.frameworks.SQL

javascript/ql/src/experimental/semmle/javascript/Execa.qll

@@ -3,7 +3,6 @@
  */
 
 import javascript
-import semmle.javascript.security.dataflow.RequestForgeryCustomizations
 
 /**
  * Provide model for [Execa](https://github.com/sindresorhus/execa) package

javascript/ql/test/experimental/Execa/CommandInjection/tests.expected

@@ -0,0 +1,22 @@
+passingPositiveTests
+| PASSED | CommandInjection | tests.js:11:46:11:70 | // test ... jection |
+| PASSED | CommandInjection | tests.js:12:43:12:67 | // test ... jection |
+| PASSED | CommandInjection | tests.js:13:63:13:87 | // test ... jection |
+| PASSED | CommandInjection | tests.js:14:62:14:86 | // test ... jection |
+| PASSED | CommandInjection | tests.js:15:60:15:84 | // test ... jection |
+| PASSED | CommandInjection | tests.js:17:45:17:69 | // test ... jection |
+| PASSED | CommandInjection | tests.js:18:42:18:66 | // test ... jection |
+| PASSED | CommandInjection | tests.js:19:62:19:86 | // test ... jection |
+| PASSED | CommandInjection | tests.js:20:63:20:87 | // test ... jection |
+| PASSED | CommandInjection | tests.js:21:60:21:84 | // test ... jection |
+| PASSED | CommandInjection | tests.js:23:43:23:67 | // test ... jection |
+| PASSED | CommandInjection | tests.js:24:40:24:64 | // test ... jection |
+| PASSED | CommandInjection | tests.js:25:40:25:64 | // test ... jection |
+| PASSED | CommandInjection | tests.js:26:60:26:84 | // test ... jection |
+| PASSED | CommandInjection | tests.js:28:41:28:65 | // test ... jection |
+| PASSED | CommandInjection | tests.js:29:58:29:82 | // test ... jection |
+| PASSED | CommandInjection | tests.js:31:51:31:75 | // test ... jection |
+| PASSED | CommandInjection | tests.js:32:68:32:92 | // test ... jection |
+| PASSED | CommandInjection | tests.js:34:49:34:73 | // test ... jection |
+| PASSED | CommandInjection | tests.js:35:66:35:90 | // test ... jection |
+failingPositiveTests

javascript/ql/test/experimental/Execa/CommandInjection/tests.js

@@ -0,0 +1,36 @@
+import { execa, execaSync, execaCommand, execaCommandSync, $ } from 'execa';
+import http from 'node:http'
+import url from 'url'
+
+http.createServer(async function (req, res) {
+    let cmd = url.parse(req.url, true).query["cmd"][0];
+    let arg1 = url.parse(req.url, true).query["arg1"];
+    let arg2 = url.parse(req.url, true).query["arg2"];
+    let arg3 = url.parse(req.url, true).query["arg3"];
+
+    await $`${cmd} ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    await $`ssh ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    $({ shell: false }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    $({ shell: true }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    $({ shell: false }).sync`ssh ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+
+    $.sync`${cmd} ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    $.sync`ssh ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    await $({ shell: true })`${cmd} ${arg1} ${arg2} ${arg3}` // test: CommandInjection
+    await $({ shell: false })`${cmd} ${arg1} ${arg2} ${arg3}` // test: CommandInjection
+    await $({ shell: false })`ssh ${arg1} ${arg2} ${arg3}` // test: CommandInjection
+
+    await execa(cmd, [arg1, arg2, arg3]); // test: CommandInjection
+    await execa(cmd, { shell: true }); // test: CommandInjection
+    await execa(cmd, { shell: true }); // test: CommandInjection
+    await execa(cmd, [arg1, arg2, arg3], { shell: true }); // test: CommandInjection
+
+    execaSync(cmd, [arg1, arg2, arg3]); // test: CommandInjection
+    execaSync(cmd, [arg1, arg2, arg3], { shell: true }); // test: CommandInjection
+
+    await execaCommand(cmd + arg1 + arg2 + arg3); // test: CommandInjection
+    await execaCommand(cmd + arg1 + arg2 + arg3, { shell: true }); // test: CommandInjection
+
+    execaCommandSync(cmd + arg1 + arg2 + arg3); // test: CommandInjection
+    execaCommandSync(cmd + arg1 + arg2 + arg3, { shell: true }); // test: CommandInjection
+});

javascript/ql/test/experimental/Execa/CommandInjection/tests.ql

@@ -0,0 +1,38 @@
+import javascript
+
+class InlineTest extends LineComment {
+  string tests;
+
+  InlineTest() { tests = this.getText().regexpCapture("\\s*test:(.*)", 1) }
+
+  string getPositiveTest() {
+    result = tests.trim().splitAt(",").trim() and not result.matches("!%")
+  }
+
+  predicate hasPositiveTest(string test) { test = this.getPositiveTest() }
+
+  predicate inNode(DataFlow::Node n) {
+    this.getLocation().getFile() = n.getFile() and
+    this.getLocation().getStartLine() = n.getStartLine()
+  }
+}
+
+import experimental.semmle.javascript.Execa
+
+query predicate passingPositiveTests(string res, string expectation, InlineTest t) {
+  res = "PASSED" and
+  t.hasPositiveTest(expectation) and
+  expectation = "CommandInjection" and
+  exists(SystemCommandExecution n |
+    t.inNode(n.getArgumentList()) or t.inNode(n.getACommandArgument())
+  )
+}
+
+query predicate failingPositiveTests(string res, string expectation, InlineTest t) {
+  res = "FAILED" and
+  t.hasPositiveTest(expectation) and
+  expectation = "CommandInjection" and
+  not exists(SystemCommandExecution n |
+    t.inNode(n.getArgumentList()) or t.inNode(n.getACommandArgument())
+  )
+}

javascript/ql/test/experimental/Execa/PathInjection/tests.expected

@@ -0,0 +1,6 @@
+passingPositiveTests
+| PASSED | PathInjection | tests.js:9:43:9:64 | // test ... jection |
+| PASSED | PathInjection | tests.js:12:50:12:71 | // test ... jection |
+| PASSED | PathInjection | tests.js:15:61:15:82 | // test ... jection |
+| PASSED | PathInjection | tests.js:18:73:18:94 | // test ... jection |
+failingPositiveTests

javascript/ql/test/experimental/Execa/PathInjection/tests.js

@@ -6,14 +6,14 @@ http.createServer(async function (req, res) {
     let filePath = url.parse(req.url, true).query["filePath"][0];
 
     // Piping to stdin from a file
-    await $({ inputFile: filePath })`cat`  // NOT OK
+    await $({ inputFile: filePath })`cat` // test: PathInjection
 
     // Piping to stdin from a file
-    await execa('cat', { inputFile: filePath }); // NOT OK
+    await execa('cat', { inputFile: filePath }); // test: PathInjection
 
     // Piping Stdout to file
-    await execa('echo', ['example3']).pipeStdout(filePath); // NOT OK
+    await execa('echo', ['example3']).pipeStdout(filePath); // test: PathInjection
 
     // Piping all of command output to file
-    await execa('echo', ['example4'], { all: true }).pipeAll(filePath); // NOT OK
+    await execa('echo', ['example4'], { all: true }).pipeAll(filePath); // test: PathInjection
 });

javascript/ql/test/experimental/Execa/PathInjection/tests.ql

@@ -0,0 +1,34 @@
+import javascript
+
+class InlineTest extends LineComment {
+  string tests;
+
+  InlineTest() { tests = this.getText().regexpCapture("\\s*test:(.*)", 1) }
+
+  string getPositiveTest() {
+    result = tests.trim().splitAt(",").trim() and not result.matches("!%")
+  }
+
+  predicate hasPositiveTest(string test) { test = this.getPositiveTest() }
+
+  predicate inNode(DataFlow::Node n) {
+    this.getLocation().getFile() = n.getFile() and
+    this.getLocation().getStartLine() = n.getStartLine()
+  }
+}
+
+import experimental.semmle.javascript.Execa
+
+query predicate passingPositiveTests(string res, string expectation, InlineTest t) {
+  res = "PASSED" and
+  t.hasPositiveTest(expectation) and
+  expectation = "PathInjection" and
+  exists(FileSystemReadAccess n | t.inNode(n.getAPathArgument()))
+}
+
+query predicate failingPositiveTests(string res, string expectation, InlineTest t) {
+  res = "FAILED" and
+  t.hasPositiveTest(expectation) and
+  expectation = "PathInjection" and
+  not exists(FileSystemReadAccess n | t.inNode(n.getAPathArgument()))
+}

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected

@@ -103,79 +103,6 @@ nodes
 | execSeries.js:18:34:18:40 | req.url |
 | execSeries.js:19:12:19:16 | [cmd] |
 | execSeries.js:19:13:19:15 | cmd |
-| execa.js:6:9:6:54 | cmd |
-| execa.js:6:15:6:38 | url.par ... , true) |
-| execa.js:6:15:6:44 | url.par ... ).query |
-| execa.js:6:15:6:51 | url.par ... ["cmd"] |
-| execa.js:6:15:6:54 | url.par ... md"][0] |
-| execa.js:6:25:6:31 | req.url |
-| execa.js:6:25:6:31 | req.url |
-| execa.js:7:9:7:53 | arg1 |
-| execa.js:7:16:7:39 | url.par ... , true) |
-| execa.js:7:16:7:45 | url.par ... ).query |
-| execa.js:7:16:7:53 | url.par ... "arg1"] |
-| execa.js:7:26:7:32 | req.url |
-| execa.js:7:26:7:32 | req.url |
-| execa.js:8:9:8:53 | arg2 |
-| execa.js:8:16:8:39 | url.par ... , true) |
-| execa.js:8:16:8:45 | url.par ... ).query |
-| execa.js:8:16:8:53 | url.par ... "arg2"] |
-| execa.js:8:26:8:32 | req.url |
-| execa.js:8:26:8:32 | req.url |
-| execa.js:9:9:9:53 | arg3 |
-| execa.js:9:16:9:39 | url.par ... , true) |
-| execa.js:9:16:9:45 | url.par ... ).query |
-| execa.js:9:16:9:53 | url.par ... "arg3"] |
-| execa.js:9:26:9:32 | req.url |
-| execa.js:9:26:9:32 | req.url |
-| execa.js:11:15:11:17 | cmd |
-| execa.js:11:15:11:17 | cmd |
-| execa.js:13:32:13:34 | cmd |
-| execa.js:13:32:13:34 | cmd |
-| execa.js:14:31:14:33 | cmd |
-| execa.js:14:31:14:33 | cmd |
-| execa.js:17:14:17:16 | cmd |
-| execa.js:17:14:17:16 | cmd |
-| execa.js:19:32:19:34 | cmd |
-| execa.js:19:32:19:34 | cmd |
-| execa.js:20:33:20:35 | cmd |
-| execa.js:20:33:20:35 | cmd |
-| execa.js:23:17:23:19 | cmd |
-| execa.js:23:17:23:19 | cmd |
-| execa.js:24:17:24:19 | cmd |
-| execa.js:24:17:24:19 | cmd |
-| execa.js:25:17:25:19 | cmd |
-| execa.js:25:17:25:19 | cmd |
-| execa.js:26:17:26:19 | cmd |
-| execa.js:26:17:26:19 | cmd |
-| execa.js:28:15:28:17 | cmd |
-| execa.js:28:15:28:17 | cmd |
-| execa.js:29:15:29:17 | cmd |
-| execa.js:29:15:29:17 | cmd |
-| execa.js:31:24:31:26 | cmd |
-| execa.js:31:24:31:47 | cmd + a ...  + arg3 |
-| execa.js:31:24:31:47 | cmd + a ...  + arg3 |
-| execa.js:31:30:31:33 | arg1 |
-| execa.js:31:37:31:40 | arg2 |
-| execa.js:31:44:31:47 | arg3 |
-| execa.js:32:24:32:26 | cmd |
-| execa.js:32:24:32:47 | cmd + a ...  + arg3 |
-| execa.js:32:24:32:47 | cmd + a ...  + arg3 |
-| execa.js:32:30:32:33 | arg1 |
-| execa.js:32:37:32:40 | arg2 |
-| execa.js:32:44:32:47 | arg3 |
-| execa.js:34:22:34:24 | cmd |
-| execa.js:34:22:34:45 | cmd + a ...  + arg3 |
-| execa.js:34:22:34:45 | cmd + a ...  + arg3 |
-| execa.js:34:28:34:31 | arg1 |
-| execa.js:34:35:34:38 | arg2 |
-| execa.js:34:42:34:45 | arg3 |
-| execa.js:35:22:35:24 | cmd |
-| execa.js:35:22:35:45 | cmd + a ...  + arg3 |
-| execa.js:35:22:35:45 | cmd + a ...  + arg3 |
-| execa.js:35:28:35:31 | arg1 |
-| execa.js:35:35:35:38 | arg2 |
-| execa.js:35:42:35:45 | arg3 |
 | form-parsers.js:9:8:9:39 | "touch  ... nalname |
 | form-parsers.js:9:8:9:39 | "touch  ... nalname |
 | form-parsers.js:9:19:9:26 | req.file |
@@ -359,99 +286,6 @@ edges
 | execSeries.js:18:34:18:40 | req.url | execSeries.js:18:13:18:47 | require ... , true) |
 | execSeries.js:19:12:19:16 | [cmd] | execSeries.js:13:19:13:26 | commands |
 | execSeries.js:19:13:19:15 | cmd | execSeries.js:19:12:19:16 | [cmd] |
-| execa.js:6:9:6:54 | cmd | execa.js:11:15:11:17 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:11:15:11:17 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:13:32:13:34 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:13:32:13:34 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:14:31:14:33 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:14:31:14:33 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:17:14:17:16 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:17:14:17:16 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:19:32:19:34 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:19:32:19:34 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:20:33:20:35 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:20:33:20:35 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:23:17:23:19 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:23:17:23:19 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:24:17:24:19 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:24:17:24:19 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:25:17:25:19 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:25:17:25:19 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:26:17:26:19 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:26:17:26:19 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:28:15:28:17 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:28:15:28:17 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:29:15:29:17 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:29:15:29:17 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:31:24:31:26 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:32:24:32:26 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:34:22:34:24 | cmd |
-| execa.js:6:9:6:54 | cmd | execa.js:35:22:35:24 | cmd |
-| execa.js:6:15:6:38 | url.par ... , true) | execa.js:6:15:6:44 | url.par ... ).query |
-| execa.js:6:15:6:44 | url.par ... ).query | execa.js:6:15:6:51 | url.par ... ["cmd"] |
-| execa.js:6:15:6:51 | url.par ... ["cmd"] | execa.js:6:15:6:54 | url.par ... md"][0] |
-| execa.js:6:15:6:54 | url.par ... md"][0] | execa.js:6:9:6:54 | cmd |
-| execa.js:6:25:6:31 | req.url | execa.js:6:15:6:38 | url.par ... , true) |
-| execa.js:6:25:6:31 | req.url | execa.js:6:15:6:38 | url.par ... , true) |
-| execa.js:7:9:7:53 | arg1 | execa.js:31:30:31:33 | arg1 |
-| execa.js:7:9:7:53 | arg1 | execa.js:32:30:32:33 | arg1 |
-| execa.js:7:9:7:53 | arg1 | execa.js:34:28:34:31 | arg1 |
-| execa.js:7:9:7:53 | arg1 | execa.js:35:28:35:31 | arg1 |
-| execa.js:7:16:7:39 | url.par ... , true) | execa.js:7:16:7:45 | url.par ... ).query |
-| execa.js:7:16:7:45 | url.par ... ).query | execa.js:7:16:7:53 | url.par ... "arg1"] |
-| execa.js:7:16:7:53 | url.par ... "arg1"] | execa.js:7:9:7:53 | arg1 |
-| execa.js:7:26:7:32 | req.url | execa.js:7:16:7:39 | url.par ... , true) |
-| execa.js:7:26:7:32 | req.url | execa.js:7:16:7:39 | url.par ... , true) |
-| execa.js:8:9:8:53 | arg2 | execa.js:31:37:31:40 | arg2 |
-| execa.js:8:9:8:53 | arg2 | execa.js:32:37:32:40 | arg2 |
-| execa.js:8:9:8:53 | arg2 | execa.js:34:35:34:38 | arg2 |
-| execa.js:8:9:8:53 | arg2 | execa.js:35:35:35:38 | arg2 |
-| execa.js:8:16:8:39 | url.par ... , true) | execa.js:8:16:8:45 | url.par ... ).query |
-| execa.js:8:16:8:45 | url.par ... ).query | execa.js:8:16:8:53 | url.par ... "arg2"] |
-| execa.js:8:16:8:53 | url.par ... "arg2"] | execa.js:8:9:8:53 | arg2 |
-| execa.js:8:26:8:32 | req.url | execa.js:8:16:8:39 | url.par ... , true) |
-| execa.js:8:26:8:32 | req.url | execa.js:8:16:8:39 | url.par ... , true) |
-| execa.js:9:9:9:53 | arg3 | execa.js:31:44:31:47 | arg3 |
-| execa.js:9:9:9:53 | arg3 | execa.js:32:44:32:47 | arg3 |
-| execa.js:9:9:9:53 | arg3 | execa.js:34:42:34:45 | arg3 |
-| execa.js:9:9:9:53 | arg3 | execa.js:35:42:35:45 | arg3 |
-| execa.js:9:16:9:39 | url.par ... , true) | execa.js:9:16:9:45 | url.par ... ).query |
-| execa.js:9:16:9:45 | url.par ... ).query | execa.js:9:16:9:53 | url.par ... "arg3"] |
-| execa.js:9:16:9:53 | url.par ... "arg3"] | execa.js:9:9:9:53 | arg3 |
-| execa.js:9:26:9:32 | req.url | execa.js:9:16:9:39 | url.par ... , true) |
-| execa.js:9:26:9:32 | req.url | execa.js:9:16:9:39 | url.par ... , true) |
-| execa.js:31:24:31:26 | cmd | execa.js:31:24:31:47 | cmd + a ...  + arg3 |
-| execa.js:31:24:31:26 | cmd | execa.js:31:24:31:47 | cmd + a ...  + arg3 |
-| execa.js:31:30:31:33 | arg1 | execa.js:31:24:31:47 | cmd + a ...  + arg3 |
-| execa.js:31:30:31:33 | arg1 | execa.js:31:24:31:47 | cmd + a ...  + arg3 |
-| execa.js:31:37:31:40 | arg2 | execa.js:31:24:31:47 | cmd + a ...  + arg3 |
-| execa.js:31:37:31:40 | arg2 | execa.js:31:24:31:47 | cmd + a ...  + arg3 |
-| execa.js:31:44:31:47 | arg3 | execa.js:31:24:31:47 | cmd + a ...  + arg3 |
-| execa.js:31:44:31:47 | arg3 | execa.js:31:24:31:47 | cmd + a ...  + arg3 |
-| execa.js:32:24:32:26 | cmd | execa.js:32:24:32:47 | cmd + a ...  + arg3 |
-| execa.js:32:24:32:26 | cmd | execa.js:32:24:32:47 | cmd + a ...  + arg3 |
-| execa.js:32:30:32:33 | arg1 | execa.js:32:24:32:47 | cmd + a ...  + arg3 |
-| execa.js:32:30:32:33 | arg1 | execa.js:32:24:32:47 | cmd + a ...  + arg3 |
-| execa.js:32:37:32:40 | arg2 | execa.js:32:24:32:47 | cmd + a ...  + arg3 |
-| execa.js:32:37:32:40 | arg2 | execa.js:32:24:32:47 | cmd + a ...  + arg3 |
-| execa.js:32:44:32:47 | arg3 | execa.js:32:24:32:47 | cmd + a ...  + arg3 |
-| execa.js:32:44:32:47 | arg3 | execa.js:32:24:32:47 | cmd + a ...  + arg3 |
-| execa.js:34:22:34:24 | cmd | execa.js:34:22:34:45 | cmd + a ...  + arg3 |
-| execa.js:34:22:34:24 | cmd | execa.js:34:22:34:45 | cmd + a ...  + arg3 |
-| execa.js:34:28:34:31 | arg1 | execa.js:34:22:34:45 | cmd + a ...  + arg3 |
-| execa.js:34:28:34:31 | arg1 | execa.js:34:22:34:45 | cmd + a ...  + arg3 |
-| execa.js:34:35:34:38 | arg2 | execa.js:34:22:34:45 | cmd + a ...  + arg3 |
-| execa.js:34:35:34:38 | arg2 | execa.js:34:22:34:45 | cmd + a ...  + arg3 |
-| execa.js:34:42:34:45 | arg3 | execa.js:34:22:34:45 | cmd + a ...  + arg3 |
-| execa.js:34:42:34:45 | arg3 | execa.js:34:22:34:45 | cmd + a ...  + arg3 |
-| execa.js:35:22:35:24 | cmd | execa.js:35:22:35:45 | cmd + a ...  + arg3 |
-| execa.js:35:22:35:24 | cmd | execa.js:35:22:35:45 | cmd + a ...  + arg3 |
-| execa.js:35:28:35:31 | arg1 | execa.js:35:22:35:45 | cmd + a ...  + arg3 |
-| execa.js:35:28:35:31 | arg1 | execa.js:35:22:35:45 | cmd + a ...  + arg3 |
-| execa.js:35:35:35:38 | arg2 | execa.js:35:22:35:45 | cmd + a ...  + arg3 |
-| execa.js:35:35:35:38 | arg2 | execa.js:35:22:35:45 | cmd + a ...  + arg3 |
-| execa.js:35:42:35:45 | arg3 | execa.js:35:22:35:45 | cmd + a ...  + arg3 |
-| execa.js:35:42:35:45 | arg3 | execa.js:35:22:35:45 | cmd + a ...  + arg3 |
 | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:19:9:39 | req.fil ... nalname |
 | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:19:9:39 | req.fil ... nalname |
 | form-parsers.js:9:19:9:39 | req.fil ... nalname | form-parsers.js:9:8:9:39 | "touch  ... nalname |
@@ -557,34 +391,6 @@ edges
 | exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command line depends on a $@. | exec-sh2.js:14:25:14:31 | req.url | user-provided value |
 | exec-sh.js:15:12:15:61 | cp.spaw ... ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command line depends on a $@. | exec-sh.js:19:25:19:31 | req.url | user-provided value |
 | execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command line depends on a $@. | execSeries.js:18:34:18:40 | req.url | user-provided value |
-| execa.js:11:15:11:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:11:15:11:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:13:32:13:34 | cmd | execa.js:6:25:6:31 | req.url | execa.js:13:32:13:34 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:14:31:14:33 | cmd | execa.js:6:25:6:31 | req.url | execa.js:14:31:14:33 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:17:14:17:16 | cmd | execa.js:6:25:6:31 | req.url | execa.js:17:14:17:16 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:19:32:19:34 | cmd | execa.js:6:25:6:31 | req.url | execa.js:19:32:19:34 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:20:33:20:35 | cmd | execa.js:6:25:6:31 | req.url | execa.js:20:33:20:35 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:23:17:23:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:23:17:23:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:24:17:24:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:24:17:24:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:25:17:25:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:25:17:25:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:26:17:26:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:26:17:26:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:28:15:28:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:28:15:28:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:29:15:29:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:29:15:29:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
-| execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
-| execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
-| execa.js:32:24:32:47 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:32:24:32:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:32:24:32:47 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:32:24:32:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
-| execa.js:32:24:32:47 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:32:24:32:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
-| execa.js:32:24:32:47 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:32:24:32:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
-| execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
-| execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
-| execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
-| execa.js:35:22:35:45 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:35:22:35:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:35:22:35:45 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:35:22:35:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
-| execa.js:35:22:35:45 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:35:22:35:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
-| execa.js:35:22:35:45 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:35:22:35:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
 | form-parsers.js:9:8:9:39 | "touch  ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch  ... nalname | This command line depends on a $@. | form-parsers.js:9:19:9:26 | req.file | user-provided value |
 | form-parsers.js:14:10:14:37 | "touch  ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch  ... nalname | This command line depends on a $@. | form-parsers.js:13:3:13:11 | req.files | user-provided value |
 | form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command line depends on a $@. | form-parsers.js:24:48:24:55 | filename | user-provided value |

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execa.js

@@ -1,36 +0,0 @@
-import { execa, execaSync, execaCommand, execaCommandSync, $ } from 'execa';
-import http from 'node:http'
-import url from 'url'
-
-http.createServer(async function (req, res) {
-    let cmd = url.parse(req.url, true).query["cmd"][0];
-    let arg1 = url.parse(req.url, true).query["arg1"];
-    let arg2 = url.parse(req.url, true).query["arg2"];
-    let arg3 = url.parse(req.url, true).query["arg3"];
-
-    await $`${cmd} ${arg1} ${arg2} ${arg3}`; // NOT OK
-    await $`ssh ${arg1} ${arg2} ${arg3}`; // NOT OK
-    $({ shell: false }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // NOT OK
-    $({ shell: true }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // NOT OK
-    $({ shell: false }).sync`ssh ${arg1} ${arg2} ${arg3}`; // NOT OK
-
-    $.sync`${cmd} ${arg1} ${arg2} ${arg3}`; // NOT OK
-    $.sync`ssh ${arg1} ${arg2} ${arg3}`; // NOT OK
-    await $({ shell: true })`${cmd} ${arg1} ${arg2} ${arg3}` // NOT OK
-    await $({ shell: false })`${cmd} ${arg1} ${arg2} ${arg3}` // NOT OK
-    await $({ shell: false })`ssh ${arg1} ${arg2} ${arg3}` // NOT OK
-
-    await execa(cmd, [arg1, arg2, arg3]); // NOT OK
-    await execa(cmd, { shell: true }); // NOT OK
-    await execa(cmd, { shell: true }); // NOT OK
-    await execa(cmd, [arg1, arg2, arg3], { shell: true }); // NOT OK
-
-    execaSync(cmd, [arg1, arg2, arg3]); // NOT OK
-    execaSync(cmd, [arg1, arg2, arg3], { shell: true }); // NOT OK
-
-    await execaCommand(cmd + arg1 + arg2 + arg3); // NOT OK
-    await execaCommand(cmd + arg1 + arg2 + arg3, { shell: true }); // NOT OK
-
-    execaCommandSync(cmd + arg1 + arg2 + arg3); // NOT OK
-    execaCommandSync(cmd + arg1 + arg2 + arg3, { shell: true }); // NOT OK
-});