Merge pull request #4546 from toufik-airane/main

JS: Add ElectronShellOpenExternalSink class for Electron framework security
2026-04-30 19:26:02 +02:00 · 2020-12-03 13:20:46 +00:00
parent 3eb55ddc0b 7d2741a287
commit 254072dd6d
1 changed files with 11 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll
@@ -60,4 +60,15 @@ module ClientSideUrlRedirect {
      guard instanceof HostnameSanitizerGuard
    }
  }
+
+  /**
+   * Improper use of openExternal can be leveraged to compromise the user's host.
+   * When openExternal is used with untrusted content, it can be leveraged to execute arbitrary commands.
+   */
+  class ElectronShellOpenExternalSink extends Sink {
+    ElectronShellOpenExternalSink() {
+      this =
+        DataFlow::moduleMember("electron", "shell").getAMemberCall("openExternal").getArgument(0)
+    }
+  }
 }