add second order command execution sinks to tests

2026-04-27 17:55:19 +02:00 · 2023-09-22 20:00:36 +10:00
parent a20ca78599
commit 2c74dc23c9
2 changed files with 71 additions and 67 deletions
--- a/javascript/ql/test/library-tests/frameworks/Execa/Execa.expected
+++ b/javascript/ql/test/library-tests/frameworks/Execa/Execa.expected
@@ -1,68 +1,68 @@
 test_FileSystemAccess
-| tst.js:18:9:18:23 | { shell: true } |
-| tst.js:20:9:20:24 | { shell: false } |
-| tst.js:24:13:24:22 | 'aCommand' |
-| tst.js:24:25:24:36 | ['example1'] |
-| tst.js:26:13:26:18 | 'echo' |
-| tst.js:26:21:26:32 | ['example1'] |
-| tst.js:28:13:28:47 | 'echo e ... ple 11' |
-| tst.js:28:50:28:64 | { shell: true } |
-| tst.js:29:13:29:29 | 'echo example 10' |
-| tst.js:29:32:29:52 | ['; ech ... le 11'] |
-| tst.js:29:55:29:69 | { shell: true } |
-| tst.js:32:11:32:16 | 'echo' |
-| tst.js:32:19:32:35 | ['example5 sync'] |
-| tst.js:34:20:34:42 | "echo " ... gument" |
-| tst.js:35:20:35:52 | `echo $ ... ndSync` |
-| tst.js:37:18:37:20 | arg |
-| tst.js:39:18:39:39 | "echo 1 ... echo 2" |
-| tst.js:39:42:39:56 | { shell: true } |
-| tst.js:45:9:45:27 | { inputFile: file } |
-| tst.js:46:13:46:17 | 'cat' |
-| tst.js:46:20:46:38 | { inputFile: file } |
-| tst.js:47:13:47:18 | 'echo' |
-| tst.js:47:21:47:32 | ['example2'] |
-| tst.js:48:13:48:18 | 'echo' |
-| tst.js:48:21:48:32 | ['example3'] |
-| tst.js:49:13:49:18 | 'echo' |
-| tst.js:49:21:49:32 | ['example4'] |
-| tst.js:49:35:49:47 | { all: true } |
+| tst.js:22:9:22:23 | { shell: true } |
+| tst.js:24:9:24:24 | { shell: false } |
+| tst.js:28:13:28:22 | 'aCommand' |
+| tst.js:28:25:28:36 | ['example1'] |
+| tst.js:30:13:30:17 | 'git' |
+| tst.js:30:20:30:31 | ['example1'] |
+| tst.js:32:13:32:47 | 'echo e ... ple 11' |
+| tst.js:32:50:32:64 | { shell: true } |
+| tst.js:33:13:33:29 | 'echo example 10' |
+| tst.js:33:32:33:52 | ['; ech ... le 11'] |
+| tst.js:33:55:33:69 | { shell: true } |
+| tst.js:36:11:36:16 | 'echo' |
+| tst.js:36:19:36:35 | ['example5 sync'] |
+| tst.js:38:20:38:41 | "git "  ... gument" |
+| tst.js:39:20:39:51 | `git ${ ... ndSync` |
+| tst.js:41:18:41:20 | arg |
+| tst.js:43:18:43:39 | "echo 1 ... echo 2" |
+| tst.js:43:42:43:56 | { shell: true } |
+| tst.js:49:9:49:27 | { inputFile: file } |
+| tst.js:50:13:50:17 | 'cat' |
+| tst.js:50:20:50:38 | { inputFile: file } |
+| tst.js:51:13:51:18 | 'echo' |
+| tst.js:51:21:51:32 | ['example2'] |
+| tst.js:52:13:52:18 | 'echo' |
+| tst.js:52:21:52:32 | ['example3'] |
+| tst.js:53:13:53:18 | 'echo' |
+| tst.js:53:21:53:32 | ['example4'] |
+| tst.js:53:35:53:47 | { all: true } |
 test_MissingFileSystemAccess
-| tst.js:43:35:43:38 | file |
-| tst.js:47:46:47:49 | file |
-| tst.js:48:46:48:49 | file |
-| tst.js:49:58:49:61 | file |
+| tst.js:47:35:47:38 | file |
+| tst.js:51:46:51:49 | file |
+| tst.js:52:46:52:49 | file |
+| tst.js:53:58:53:61 | file |
 test_SystemCommandExecution
 | tst.js:1:71:1:71 | $ |
-| tst.js:4:7:4:7 | $ |
-| tst.js:5:7:5:7 | $ |
-| tst.js:6:1:6:1 | $ |
-| tst.js:6:1:6:6 | $.sync |
-| tst.js:10:7:10:7 | $ |
-| tst.js:12:7:12:7 | $ |
-| tst.js:13:1:13:1 | $ |
-| tst.js:13:1:13:6 | $.sync |
-| tst.js:15:1:15:1 | $ |
-| tst.js:15:1:15:6 | $.sync |
+| tst.js:7:7:7:7 | $ |
+| tst.js:9:7:9:7 | $ |
+| tst.js:10:1:10:1 | $ |
+| tst.js:10:1:10:6 | $.sync |
+| tst.js:14:7:14:7 | $ |
 | tst.js:16:7:16:7 | $ |
-| tst.js:18:7:18:7 | $ |
-| tst.js:18:7:18:24 | $({ shell: true }) |
+| tst.js:17:1:17:1 | $ |
+| tst.js:17:1:17:6 | $.sync |
+| tst.js:19:1:19:1 | $ |
+| tst.js:19:1:19:6 | $.sync |
 | tst.js:20:7:20:7 | $ |
-| tst.js:20:7:20:25 | $({ shell: false }) |
-| tst.js:24:7:24:37 | execa(' ... ple1']) |
-| tst.js:26:7:26:33 | execa(' ... ple1']) |
-| tst.js:28:7:28:65 | execa(' ... true }) |
-| tst.js:29:7:29:70 | execa(' ... true }) |
-| tst.js:32:1:32:36 | execaSy ... sync']) |
-| tst.js:34:7:34:43 | execaCo ... ument") |
-| tst.js:35:7:35:53 | execaCo ... dSync`) |
-| tst.js:37:1:37:21 | execaCo ... nc(arg) |
-| tst.js:39:1:39:57 | execaCo ... true }) |
-| tst.js:43:7:43:7 | $ |
-| tst.js:45:7:45:7 | $ |
-| tst.js:45:7:45:28 | $({ inp ... file }) |
-| tst.js:46:7:46:39 | execa(' ... file }) |
-| tst.js:47:7:47:33 | execa(' ... ple2']) |
-| tst.js:48:7:48:33 | execa(' ... ple3']) |
-| tst.js:49:7:49:48 | execa(' ... true }) |
+| tst.js:22:7:22:7 | $ |
+| tst.js:22:7:22:24 | $({ shell: true }) |
+| tst.js:24:7:24:7 | $ |
+| tst.js:24:7:24:25 | $({ shell: false }) |
+| tst.js:28:7:28:37 | execa(' ... ple1']) |
+| tst.js:30:7:30:32 | execa(' ... ple1']) |
+| tst.js:32:7:32:65 | execa(' ... true }) |
+| tst.js:33:7:33:70 | execa(' ... true }) |
+| tst.js:36:1:36:36 | execaSy ... sync']) |
+| tst.js:38:7:38:42 | execaCo ... ument") |
+| tst.js:39:7:39:52 | execaCo ... dSync`) |
+| tst.js:41:1:41:21 | execaCo ... nc(arg) |
+| tst.js:43:1:43:57 | execaCo ... true }) |
+| tst.js:47:7:47:7 | $ |
+| tst.js:49:7:49:7 | $ |
+| tst.js:49:7:49:28 | $({ inp ... file }) |
+| tst.js:50:7:50:39 | execa(' ... file }) |
+| tst.js:51:7:51:33 | execa(' ... ple2']) |
+| tst.js:52:7:52:33 | execa(' ... ple3']) |
+| tst.js:53:7:53:48 | execa(' ... true }) |
 test_FileNameSource
--- a/javascript/ql/test/library-tests/frameworks/Execa/tst.js
+++ b/javascript/ql/test/library-tests/frameworks/Execa/tst.js
@@ -1,8 +1,12 @@
 import { execa, execaSync, execaCommand, execaCommandSync, execaNode, $ } from 'execa';

+const arg = process.argv[0];
+
 // Node.js scripts
+// GOOD
 await $`echo example1`.pipeStderr(`tmp`);
-await $`echo ${"example2"}`.pipeStderr(`tmp`);
+// BAD argument injection
+await $`ssh ${"example2"}`.pipeStderr(`tmp`);
 $.sync`echo example2 sync`
 // Multiple arguments
 const args = ["arg:" + arg, 'example3', '&', 'rainbows!'];
@@ -12,8 +16,8 @@ await $`${arg} sth`;
 await $`${arg}`;
 $.sync`${arg}`
 // BAD argument injection
-$.sync`echo ${args} ${args}`
-await $`echo ${["-a", "-lps"]}`
+$.sync`git ${args} ${args}`
+await $`git ${["-o", "-lps"]}`
 // if shell: true then all inputs except first are dangerous
 await $({ shell: true })`echo example6 ${";echo example6 > tmpdir/example6"}`
 // GOOD
@@ -23,7 +27,7 @@ await $({ shell: false })`echo example6 ${";echo example6 > tmpdir/example6"}`
 // GOOD
 await execa('aCommand', ['example1']);
 // BAD argument injection
-await execa('echo', ['example1']);
+await execa('git', ['example1']);
 // BAD shell is enable
 await execa('echo example 10 ; echo example 11', { shell: true });
 await execa('echo example 10', ['; echo example 11'], { shell: true });
@@ -31,8 +35,8 @@ await execa('echo example 10', ['; echo example 11'], { shell: true });
 // BAD argument injection
 execaSync('echo', ['example5 sync']);
 // BAD argument injection
-await execaCommand("echo " + "badArgument");
-await execaCommand(`echo ${"arg1"} execaCommandSync`);
+await execaCommand("git " + "badArgument");
+await execaCommand(`git ${"arg1"} execaCommandSync`);
 // bad totally controllable argument
 execaCommandSync(arg);
 // BAD shell is enable