JavaScript: Model another execa function relevant for command injection.

2026-04-30 11:15:13 +02:00 · 2020-07-27 11:33:24 +01:00
parent 2e5af67626
commit 2f842042ea
4 changed files with 14 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/SystemCommandExecutors.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SystemCommandExecutors.qll
@@ -32,6 +32,12 @@ private class SystemCommandExecutors extends SystemCommandExecution, DataFlow::I
          (method = "command" or method = "commandSync")
        ) and
        cmdArg = 0
+        or
+        mod = "execa" and
+        method = "node" and
+        cmdArg = 0 and
+        optionsArg = 1 and
+        shell = false
      |
        callee = DataFlow::moduleMember(mod, method) and
        sync = getSync(method)
--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -109,6 +109,8 @@ nodes
 | other.js:23:28:23:30 | cmd |
 | other.js:26:34:26:36 | cmd |
 | other.js:26:34:26:36 | cmd |
+| other.js:28:27:28:29 | cmd |
+| other.js:28:27:28:29 | cmd |
 | third-party-command-injection.js:5:20:5:26 | command |
 | third-party-command-injection.js:5:20:5:26 | command |
 | third-party-command-injection.js:6:21:6:27 | command |
@@ -213,6 +215,8 @@ edges
 | other.js:5:9:5:49 | cmd | other.js:23:28:23:30 | cmd |
 | other.js:5:9:5:49 | cmd | other.js:26:34:26:36 | cmd |
 | other.js:5:9:5:49 | cmd | other.js:26:34:26:36 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:28:27:28:29 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:28:27:28:29 | cmd |
 | other.js:5:15:5:38 | url.par ... , true) | other.js:5:15:5:44 | url.par ... ).query |
 | other.js:5:15:5:44 | url.par ... ).query | other.js:5:15:5:49 | url.par ... ry.path |
 | other.js:5:15:5:49 | url.par ... ry.path | other.js:5:9:5:49 | cmd |
@@ -261,4 +265,5 @@ edges
 | other.js:22:21:22:23 | cmd | other.js:5:25:5:31 | req.url | other.js:22:21:22:23 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:23:28:23:30 | cmd | other.js:5:25:5:31 | req.url | other.js:23:28:23:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:26:34:26:36 | cmd | other.js:5:25:5:31 | req.url | other.js:26:34:26:36 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
+| other.js:28:27:28:29 | cmd | other.js:5:25:5:31 | req.url | other.js:28:27:28:29 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | third-party-command-injection.js:6:21:6:27 | command | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | This command depends on $@. | third-party-command-injection.js:5:20:5:26 | command | a server-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-078/other.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/other.js
@@ -24,4 +24,6 @@ var server = http.createServer(function(req, res) {

    const SSH2Stream = require("ssh2-streams").SSH2Stream;
    new SSH2Stream().exec(false, cmd); // NOT OK
+
+    require("execa").node(cmd); // NOT OK
 });