From 32beebd059ae27f4b5f32dcda39240a9aec1e5e2 Mon Sep 17 00:00:00 2001
From: Slavomir
Date: Thu, 2 Apr 2020 12:09:06 +0300
Subject: [PATCH] Apply suggestions from code review
Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
Co-Authored-By: Sauyon Lee
---
 change-notes/1.24/analysis-go.md | 2 +-
 ql/src/semmle/go/frameworks/SystemCommandExecutors.qll | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/change-notes/1.24/analysis-go.md b/change-notes/1.24/analysis-go.md
index 86da77dbfce..e7ce2468a58 100644
--- a/change-notes/1.24/analysis-go.md
+++ b/change-notes/1.24/analysis-go.md
@@ -31,4 +31,4 @@ The CodeQL library for Go now contains a folder of simple "cookbook" queries tha
 | Useless assignment to field (`go/useless-assignment-to-field`) | Fewer false positives | The query now conservatively handles fields promoted through embedded pointer types. |
 | Bitwise exclusive-or used like exponentiation (`go/mistyped-exponentiation`) | Fewer false positives | The query now identifies when the value of an xor is assigned to a mask object, and excludes such results. |
 | Open URL redirect (`go/unvalidated-url-redirection`) | Fewer false positives | The query now identifies some sources that are not attacker-controlled, and excludes results with such sources. |
-| Operating system command from user-controlled sources (`go/command-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases, including sources that flow into shells, sudo, or programming-language interpreters as arguments. |
+| Command built from user-controlled sources (`go/command-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases, including sources that flow into shells, sudo, or programming-language interpreters as arguments. |
diff --git a/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll b/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll
index 024cb6a4632..f3dfda9961b 100644
--- a/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll
+++ b/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll
@@ -154,7 +154,8 @@ private string getAShellCommand() {
   result = "shpp" or
   result = "xiki" or
   result = "xonsh" or
-  result = "yash"
+  result = "yash" or
+  result = "env"
 }
 
 /**
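Review bot: `env` is the only entry added to `getAShellCommand()` that is not actually a shell: it does not parse a command string the way `sh -c` does, it execs its first non-option argument and passes the remaining arguments through untouched, which is the behaviour of a sudo/nohup-style wrapper rather than an interpreter of command text. The change note in this same patch lists shells, sudo and interpreters as separate categories, so there is presumably a sibling predicate for sudo-like wrappers where `env` would be a better fit; if the shell list is ever specialised (for example to treat the argument after `-c` as a single command string), the `env` entry would be silently mishandled. If it stays here, I would at least annotate it so the next reader does not remove it as a mistake, e.g. `result = "env" // not a shell: execs its argument vector, modelled here like sudo/nohup`. GNU env's `-S`/`--split-string` option is the one case where it does split a single string into arguments, which is worth mentioning in that comment if the query relies on it. The body of `getAShellCommand()` begins before this hunk, so I cannot see the other entries or a header comment that might already explain the grouping.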