consider quoted string concatenations as sanitizers for js/shell-command-injection-from-environment

2026-05-01 19:55:15 +02:00 · 2021-03-25 10:17:30 +01:00
parent 801eb538db
commit 3d49b8cb91
3 changed files with 14 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.expected
@@ -61,6 +61,7 @@ syncCommand
 | tst_shell-command-injection-from-environment.js:5:2:5:62 | cp.exec ... emp")]) |
 | tst_shell-command-injection-from-environment.js:6:2:6:54 | cp.exec ... temp")) |
 | tst_shell-command-injection-from-environment.js:9:2:9:58 | execa.s ... temp")) |
+| tst_shell-command-injection-from-environment.js:12:2:12:34 | execa.s ... + safe) |
 | uselesscat.js:16:1:16:29 | execSyn ... uinfo') |
 | uselesscat.js:18:1:18:26 | execSyn ... path}`) |
 | uselesscat.js:20:1:20:36 | execSyn ... wc -l') |
--- a/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js
@@ -7,4 +7,7 @@ var cp = require('child_process'),

 	execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
 	execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
+
+	const safe = "\"" + path.join(__dirname, "temp") + "\"";
+	execa.shellSync('rm -rf ' + safe); // OK
 });