hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

don't call environment variables for command-line arguments

Browse Source
This commit is contained in:
erik-krogh
2023-02-14 14:27:41 +01:00
parent 36478124ae
commit 393649b7ce
4 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
View File

@@ -25,4 +25,4 @@ where
then cfg.isSinkWithHighlight(sink.getNode(), highlight)
else highlight = sink.getNode()
select highlight, source, sink, "This command depends on an unsanitized $@.", source.getNode(),
"command-line argument"
source.getNode().(Source).describe()