Added support for shelljs.cmd and async-shelljs.asyncExec

2026-04-26 09:15:12 +02:00 · 2025-04-30 13:37:02 +02:00
parent 25d04f1cdd
commit 18cea2d6a5
2 changed files with 19 additions and 5 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/ShellJS.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/ShellJS.qll
@@ -15,7 +15,7 @@ module ShellJS {
          .getMember([
              "exec", "cd", "cp", "touch", "chmod", "pushd", "find", "ls", "ln", "mkdir", "mv",
              "rm", "cat", "head", "sort", "tail", "uniq", "grep", "sed", "to", "toEnd", "echo",
-              "which",
+              "which", "cmd", "asyncExec"
            ])
          .getReturn()
  }
@@ -154,16 +154,27 @@ module ShellJS {
  }

  /**
-   * A call to `shelljs.exec()` modeled as command execution.
+   * A call to `shelljs.exec()`, `shelljs.cmd()`, or `async-shelljs.asyncExec()` modeled as command execution.
   */
  private class ShellJSExec extends SystemCommandExecution, ShellJSCall {
-    ShellJSExec() { name = "exec" }
+    ShellJSExec() { name = ["exec", "cmd", "asyncExec"] }

-    override DataFlow::Node getACommandArgument() { result = this.getArgument(0) }
+    override DataFlow::Node getACommandArgument() {
+      if name = "cmd"
+      then
+        result = this.getArgument(_) and
+        not (
+          result = this.getLastArgument() and
+          exists(this.getOptionsArg())
+        )
+      else
+        // For exec/asyncExec: only first argument is command
+        result = this.getArgument(0)
+    }

    override predicate isShellInterpreted(DataFlow::Node arg) { arg = this.getACommandArgument() }

-    override predicate isSync() { none() }
+    override predicate isSync() { name = "cmd" }

    override DataFlow::Node getOptionsArg() {
      result = this.getLastArgument() and
--- a/javascript/ql/test/library-tests/frameworks/Shelljs/ShellJS.expected
+++ b/javascript/ql/test/library-tests/frameworks/Shelljs/ShellJS.expected
@@ -61,6 +61,9 @@ test_SystemCommandExecution
 | tst.js:14:1:14:27 | shelljs ... ts, cb) |
 | tst.js:60:1:60:51 | shelljs ... ec(cmd) |
 | tst.js:61:1:61:27 | shelljs ... ec(cmd) |
+| tst.js:63:1:63:37 | shelljs ... ptions) |
+| tst.js:64:1:64:16 | shelljs.cmd(cmd) |
+| tst.js:68:1:68:36 | shelljs ... ts, cb) |
 test_FileNameSource
 | tst.js:15:1:15:26 | shelljs ...  file2) |
 | tst.js:24:1:24:16 | shelljs.ls(file) |