Apply suggestions from code review

Co-Authored-By: mc <42146119+mchammer01@users.noreply.github.com>
This commit is contained in:
Erik Krogh Kristensen
2020-02-28 09:43:32 +01:00
committed by GitHub
parent a872d7c5c5
commit 17f1974e05
3 changed files with 10 additions and 11 deletions


@@ -3,9 +3,9 @@
"qhelp.dtd">
<qhelp>
<overview>
<p>Using the unix command <code>cat</code> to simply read a file is a
unnecessarily complex way to achieve something that can be done simpler and
safer using the Node.js <code>fs.readFile</code> API.
<p>Using the unix command <code>cat</code> only to read a file is a
an unnecessarily complex way to achieve something that can be done in a simpler and
safer manner using the Node.js <code>fs.readFile</code> API.
</p>
<p>
The use of <code>cat</code> for simple file reads leads to code that is
@@ -25,12 +25,11 @@ from the file system.
<sample src="examples/useless-cat.js"/>
<p>The code in the example will break if the input <code>name</code> contain
special characters (including space), the code does not work on windows,
and if the input is user controlled a command injection attack can happen.</p>
<p>The code in the example will break if the input <code>name</code> contains
special characters (including space). Additionally, it does not work on Windows
and if the input is user-controlled, a command injection attack can happen.</p>
<p>To avoid these potential issues the <code>fs.readFile</code> API can be
used instead: </p>
<p>The <code>fs.readFile</code> API should be used to avoid these potential issues:
<sample src="examples/useless-cat-fixed.js"/>
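Review bot: the rewritten closing sentence `<p>The <code>fs.readFile</code> API should be used to avoid these potential issues:` drops the `</p>` that the original two-line paragraph ended with, so the `<p>` is left open before `<sample src="examples/useless-cat-fixed.js"/>`; qhelp is XML, so that line should end with `</p>` to keep the file well-formed. Also, the new overview reads "is a / an unnecessarily complex way", keeping both articles across the line break; drop the trailing "a" on the first of those two lines.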


@@ -1,6 +1,6 @@
/**
* @name Useless use of cat
* @description Using `cat`-process to simply read a file is unnecessarily complex, inefficient, unportable, can lead to subtle bugs, or even security vulnerabilities.
* @description Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.
* @kind problem
* @problem.severity error
* @precision high
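Review bot: in the new `@description`, the comma in "and can lead to subtle bugs, or even security vulnerabilities" splits a single clause; "and can lead to subtle bugs or even security vulnerabilities" reads more cleanly.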
@@ -22,4 +22,4 @@ where
if cat.isSync()
then message = " Can be replaced with a call to fs.readFileSync(..)."
else message = " Can be replaced with a call to fs.readFile(..)."
select cat.asExpr().(FirstLineOf), "Useless use of `cat`." + message
select cat.asExpr().(FirstLineOf), "Useless use of `cat`." + message
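Review bot: the removed and added `select cat.asExpr().(FirstLineOf), "Useless use of `cat`." + message` lines are textually identical, so this hunk is a whitespace-only change (most likely a trailing newline at end of file). If that is intended, it is harmless, but it is worth mentioning in the commit message so reviewers do not look for a behavioural difference here.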