Merge pull request #4733 from erik-krogh/args

Approved by esbena
CodeQL CI
2020-12-16 06:51:26 -08:00
committed by GitHub
5 changed files with 345 additions and 14 deletions


@@ -30,5 +30,9 @@ module IndirectCommandInjection {
override predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
argsParseStep(pred, succ)
}
}
}


@@ -47,14 +47,70 @@ module IndirectCommandInjection {
// `require('get-them-args')(...)` => `{ unknown: [], a: ... b: ... }`
this = DataFlow::moduleImport("get-them-args").getACall()
or
// `require('minimist')(...)` => `{ _: [], a: ... b: ... }`
this = DataFlow::moduleImport("minimist").getACall()
or
// `require('optimist').argv` => `{ _: [], a: ... b: ... }`
this = DataFlow::moduleMember("optimist", "argv")
or
// `require("arg")({...spec})` => `{_: [], a: ..., b: ...}`
this = DataFlow::moduleImport("arg").getACall()
or
// `(new (require(argparse)).ArgumentParser({...spec})).parse_args()` => `{a: ..., b: ...}`
this =
API::moduleImport("argparse")
.getMember("ArgumentParser")
.getInstance()
.getMember("parse_args")
.getACall()
or
// `require('command-line-args')({...spec})` => `{a: ..., b: ...}`
this = DataFlow::moduleImport("command-line-args").getACall()
or
// `require('meow')(help, {...spec})` => `{a: ..., b: ....}`
this = DataFlow::moduleImport("meow").getACall()
or
// `require("dashdash").createParser(...spec)` => `{a: ..., b: ...}`
this =
[
API::moduleImport("dashdash"),
API::moduleImport("dashdash").getMember("createParser").getReturn()
].getMember("parse").getACall()
or
// `require('commander').myCmdArgumentName`
this = commander().getAMember().getAnImmediateUse()
or
// `require('commander').opt()` => `{a: ..., b: ...}`
this = commander().getMember("opts").getACall()
}
}
/**
* A command line parsing step from `pred` to `succ`.
* E.g: `var succ = require("minimist")(pred)`.
*/
predicate argsParseStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(DataFlow::CallNode call |
call = DataFlow::moduleMember("args", "parse").getACall() or
call = DataFlow::moduleImport(["yargs-parser", "minimist", "subarg"]).getACall()
|
succ = call and
pred = call.getArgument(0)
)
}
/**
* A Command instance from the `commander` library.
*/
private API::Node commander() {
result = API::moduleImport("commander")
or
// `require("commander").program === require("commander")`
result = commander().getMember("program")
or
result = commander().getMember("Command").getInstance()
or
// lots of chainable methods
result = commander().getAMember().getReturn()
}
/**
* Gets an instance of `yargs`.
* Either directly imported as a module, or through some chained method call.
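Review bot: The comment above the commander `opts` clause reads `require('commander').opt()` while the code matches `getMember("opts")`; change `opt()` to `opts()` in that comment so the documented API agrees with the pattern, and in the argparse comment `require(argparse)` is missing its quotes (`require("argparse")`). The recursive `commander()` predicate treats the return value of every member call as a Command instance via `result = commander().getAMember().getReturn()`, and the new source clause `commander().getAMember().getAnImmediateUse()` then marks every property read off such a value as an untrusted argument, including method references like `program.version` and the results of non-chainable calls; if that over-approximation is intended (to cover chained builders such as `program.option(...).option(...)`), say so in the QLDoc of `commander()`, e.g. `* Over-approximates: the result of any member call is treated as a Command so that chained builder calls are covered.` The class containing the leading `this = ...` clauses begins before this hunk, and the `yargs` QLDoc at the end continues past it.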


@@ -53,11 +53,6 @@ nodes
| command-line-parameter-command-injection.js:30:21:30:46 | require ... rgs")() |
| command-line-parameter-command-injection.js:30:21:30:46 | require ... rgs")() |
| command-line-parameter-command-injection.js:30:21:30:50 | require ... )().foo |
| command-line-parameter-command-injection.js:31:9:31:45 | "cmd.sh ... )().foo |
| command-line-parameter-command-injection.js:31:9:31:45 | "cmd.sh ... )().foo |
| command-line-parameter-command-injection.js:31:21:31:41 | require ... ist")() |
| command-line-parameter-command-injection.js:31:21:31:41 | require ... ist")() |
| command-line-parameter-command-injection.js:31:21:31:45 | require ... )().foo |
| command-line-parameter-command-injection.js:32:9:32:45 | "cmd.sh ... rgv.foo |
| command-line-parameter-command-injection.js:32:9:32:45 | "cmd.sh ... rgv.foo |
| command-line-parameter-command-injection.js:32:21:32:41 | require ... ").argv |
@@ -120,6 +115,102 @@ nodes
| command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
| command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
| command-line-parameter-command-injection.js:72:22:72:27 | taint4 |
| command-line-parameter-command-injection.js:76:8:76:35 | argv |
| command-line-parameter-command-injection.js:76:15:76:26 | process.argv |
| command-line-parameter-command-injection.js:76:15:76:26 | process.argv |
| command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) |
| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
| command-line-parameter-command-injection.js:79:22:79:35 | minimist(argv) |
| command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo |
| command-line-parameter-command-injection.js:79:31:79:34 | argv |
| command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
| command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
| command-line-parameter-command-injection.js:82:22:82:50 | subarg( ... ice(2)) |
| command-line-parameter-command-injection.js:82:22:82:54 | subarg( ... 2)).foo |
| command-line-parameter-command-injection.js:82:29:82:40 | process.argv |
| command-line-parameter-command-injection.js:82:29:82:40 | process.argv |
| command-line-parameter-command-injection.js:82:29:82:49 | process ... lice(2) |
| command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo |
| command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo |
| command-line-parameter-command-injection.js:85:22:85:55 | yargsPa ... ice(2)) |
| command-line-parameter-command-injection.js:85:22:85:59 | yargsPa ... 2)).foo |
| command-line-parameter-command-injection.js:85:34:85:45 | process.argv |
| command-line-parameter-command-injection.js:85:34:85:45 | process.argv |
| command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) |
| command-line-parameter-command-injection.js:88:6:88:37 | flags |
| command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) |
| command-line-parameter-command-injection.js:88:25:88:36 | process.argv |
| command-line-parameter-command-injection.js:88:25:88:36 | process.argv |
| command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:89:22:89:26 | flags |
| command-line-parameter-command-injection.js:89:22:89:30 | flags.foo |
| command-line-parameter-command-injection.js:91:6:91:38 | flags |
| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) |
| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) |
| command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:92:22:92:26 | flags |
| command-line-parameter-command-injection.js:92:22:92:30 | flags.foo |
| command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo |
| command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo |
| command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() |
| command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() |
| command-line-parameter-command-injection.js:102:22:102:44 | parser. ... s().foo |
| command-line-parameter-command-injection.js:107:8:107:51 | options |
| command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) |
| command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) |
| command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo |
| command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo |
| command-line-parameter-command-injection.js:108:22:108:28 | options |
| command-line-parameter-command-injection.js:108:22:108:32 | options.foo |
| command-line-parameter-command-injection.js:114:8:114:52 | cli |
| command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) |
| command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) |
| command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] |
| command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] |
| command-line-parameter-command-injection.js:116:22:116:24 | cli |
| command-line-parameter-command-injection.js:116:22:116:30 | cli.input |
| command-line-parameter-command-injection.js:116:22:116:33 | cli.input[0] |
| command-line-parameter-command-injection.js:122:6:122:46 | opts |
| command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) |
| command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) |
| command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:124:22:124:25 | opts |
| command-line-parameter-command-injection.js:124:22:124:29 | opts.foo |
| command-line-parameter-command-injection.js:127:6:127:26 | opts |
| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() |
| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() |
| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:129:22:129:25 | opts |
| command-line-parameter-command-injection.js:129:22:129:29 | opts.foo |
| command-line-parameter-command-injection.js:133:8:133:41 | program |
| command-line-parameter-command-injection.js:133:10:133:16 | program |
| command-line-parameter-command-injection.js:133:10:133:16 | program |
| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() |
| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:22:137:28 | program |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() |
| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType |
edges
| command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
| command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] |
@@ -169,10 +260,6 @@ edges
| command-line-parameter-command-injection.js:30:21:30:46 | require ... rgs")() | command-line-parameter-command-injection.js:30:21:30:50 | require ... )().foo |
| command-line-parameter-command-injection.js:30:21:30:50 | require ... )().foo | command-line-parameter-command-injection.js:30:9:30:50 | "cmd.sh ... )().foo |
| command-line-parameter-command-injection.js:30:21:30:50 | require ... )().foo | command-line-parameter-command-injection.js:30:9:30:50 | "cmd.sh ... )().foo |
| command-line-parameter-command-injection.js:31:21:31:41 | require ... ist")() | command-line-parameter-command-injection.js:31:21:31:45 | require ... )().foo |
| command-line-parameter-command-injection.js:31:21:31:41 | require ... ist")() | command-line-parameter-command-injection.js:31:21:31:45 | require ... )().foo |
| command-line-parameter-command-injection.js:31:21:31:45 | require ... )().foo | command-line-parameter-command-injection.js:31:9:31:45 | "cmd.sh ... )().foo |
| command-line-parameter-command-injection.js:31:21:31:45 | require ... )().foo | command-line-parameter-command-injection.js:31:9:31:45 | "cmd.sh ... )().foo |
| command-line-parameter-command-injection.js:32:21:32:41 | require ... ").argv | command-line-parameter-command-injection.js:32:21:32:45 | require ... rgv.foo |
| command-line-parameter-command-injection.js:32:21:32:41 | require ... ").argv | command-line-parameter-command-injection.js:32:21:32:45 | require ... rgv.foo |
| command-line-parameter-command-injection.js:32:21:32:45 | require ... rgv.foo | command-line-parameter-command-injection.js:32:9:32:45 | "cmd.sh ... rgv.foo |
@@ -226,6 +313,92 @@ edges
| command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line-parameter-command-injection.js:71:6:71:16 | [...taint4] |
| command-line-parameter-command-injection.js:72:22:72:27 | taint4 | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
| command-line-parameter-command-injection.js:72:22:72:27 | taint4 | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
| command-line-parameter-command-injection.js:76:8:76:35 | argv | command-line-parameter-command-injection.js:79:31:79:34 | argv |
| command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) |
| command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) |
| command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) | command-line-parameter-command-injection.js:76:8:76:35 | argv |
| command-line-parameter-command-injection.js:79:22:79:35 | minimist(argv) | command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo |
| command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
| command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
| command-line-parameter-command-injection.js:79:31:79:34 | argv | command-line-parameter-command-injection.js:79:22:79:35 | minimist(argv) |
| command-line-parameter-command-injection.js:82:22:82:50 | subarg( ... ice(2)) | command-line-parameter-command-injection.js:82:22:82:54 | subarg( ... 2)).foo |
| command-line-parameter-command-injection.js:82:22:82:54 | subarg( ... 2)).foo | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
| command-line-parameter-command-injection.js:82:22:82:54 | subarg( ... 2)).foo | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
| command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line-parameter-command-injection.js:82:29:82:49 | process ... lice(2) |
| command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line-parameter-command-injection.js:82:29:82:49 | process ... lice(2) |
| command-line-parameter-command-injection.js:82:29:82:49 | process ... lice(2) | command-line-parameter-command-injection.js:82:22:82:50 | subarg( ... ice(2)) |
| command-line-parameter-command-injection.js:85:22:85:55 | yargsPa ... ice(2)) | command-line-parameter-command-injection.js:85:22:85:59 | yargsPa ... 2)).foo |
| command-line-parameter-command-injection.js:85:22:85:59 | yargsPa ... 2)).foo | command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo |
| command-line-parameter-command-injection.js:85:22:85:59 | yargsPa ... 2)).foo | command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo |
| command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) |
| command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) |
| command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) | command-line-parameter-command-injection.js:85:22:85:55 | yargsPa ... ice(2)) |
| command-line-parameter-command-injection.js:88:6:88:37 | flags | command-line-parameter-command-injection.js:89:22:89:26 | flags |
| command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) | command-line-parameter-command-injection.js:88:6:88:37 | flags |
| command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) |
| command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) |
| command-line-parameter-command-injection.js:89:22:89:26 | flags | command-line-parameter-command-injection.js:89:22:89:30 | flags.foo |
| command-line-parameter-command-injection.js:89:22:89:30 | flags.foo | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:89:22:89:30 | flags.foo | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:91:6:91:38 | flags | command-line-parameter-command-injection.js:92:22:92:26 | flags |
| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:91:6:91:38 | flags |
| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:91:6:91:38 | flags |
| command-line-parameter-command-injection.js:92:22:92:26 | flags | command-line-parameter-command-injection.js:92:22:92:30 | flags.foo |
| command-line-parameter-command-injection.js:92:22:92:30 | flags.foo | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:92:22:92:30 | flags.foo | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
| command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line-parameter-command-injection.js:102:22:102:44 | parser. ... s().foo |
| command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line-parameter-command-injection.js:102:22:102:44 | parser. ... s().foo |
| command-line-parameter-command-injection.js:102:22:102:44 | parser. ... s().foo | command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo |
| command-line-parameter-command-injection.js:102:22:102:44 | parser. ... s().foo | command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo |
| command-line-parameter-command-injection.js:107:8:107:51 | options | command-line-parameter-command-injection.js:108:22:108:28 | options |
| command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:107:8:107:51 | options |
| command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:107:8:107:51 | options |
| command-line-parameter-command-injection.js:108:22:108:28 | options | command-line-parameter-command-injection.js:108:22:108:32 | options.foo |
| command-line-parameter-command-injection.js:108:22:108:32 | options.foo | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo |
| command-line-parameter-command-injection.js:108:22:108:32 | options.foo | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo |
| command-line-parameter-command-injection.js:114:8:114:52 | cli | command-line-parameter-command-injection.js:116:22:116:24 | cli |
| command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line-parameter-command-injection.js:114:8:114:52 | cli |
| command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line-parameter-command-injection.js:114:8:114:52 | cli |
| command-line-parameter-command-injection.js:116:22:116:24 | cli | command-line-parameter-command-injection.js:116:22:116:30 | cli.input |
| command-line-parameter-command-injection.js:116:22:116:30 | cli.input | command-line-parameter-command-injection.js:116:22:116:33 | cli.input[0] |
| command-line-parameter-command-injection.js:116:22:116:33 | cli.input[0] | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] |
| command-line-parameter-command-injection.js:116:22:116:33 | cli.input[0] | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] |
| command-line-parameter-command-injection.js:122:6:122:46 | opts | command-line-parameter-command-injection.js:124:22:124:25 | opts |
| command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line-parameter-command-injection.js:122:6:122:46 | opts |
| command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line-parameter-command-injection.js:122:6:122:46 | opts |
| command-line-parameter-command-injection.js:124:22:124:25 | opts | command-line-parameter-command-injection.js:124:22:124:29 | opts.foo |
| command-line-parameter-command-injection.js:124:22:124:29 | opts.foo | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:124:22:124:29 | opts.foo | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:127:6:127:26 | opts | command-line-parameter-command-injection.js:129:22:129:25 | opts |
| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:127:6:127:26 | opts |
| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:127:6:127:26 | opts |
| command-line-parameter-command-injection.js:129:22:129:25 | opts | command-line-parameter-command-injection.js:129:22:129:29 | opts.foo |
| command-line-parameter-command-injection.js:129:22:129:29 | opts.foo | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:129:22:129:29 | opts.foo | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
| command-line-parameter-command-injection.js:133:8:133:41 | program | command-line-parameter-command-injection.js:137:22:137:28 | program |
| command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:133:8:133:41 | program |
| command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:133:8:133:41 | program |
| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:22:137:28 | program | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
#select
| command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument |
@@ -238,7 +411,6 @@ edges
| command-line-parameter-command-injection.js:26:14:26:50 | `node $ ... ption"` | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line-parameter-command-injection.js:26:14:26:50 | `node $ ... ption"` | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:30:9:30:50 | "cmd.sh ... )().foo | command-line-parameter-command-injection.js:30:21:30:46 | require ... rgs")() | command-line-parameter-command-injection.js:30:9:30:50 | "cmd.sh ... )().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:30:21:30:46 | require ... rgs")() | command-line argument |
| command-line-parameter-command-injection.js:31:9:31:45 | "cmd.sh ... )().foo | command-line-parameter-command-injection.js:31:21:31:41 | require ... ist")() | command-line-parameter-command-injection.js:31:9:31:45 | "cmd.sh ... )().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:31:21:31:41 | require ... ist")() | command-line argument |
| command-line-parameter-command-injection.js:32:9:32:45 | "cmd.sh ... rgv.foo | command-line-parameter-command-injection.js:32:21:32:41 | require ... ").argv | command-line-parameter-command-injection.js:32:9:32:45 | "cmd.sh ... rgv.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:32:21:32:41 | require ... ").argv | command-line argument |
| command-line-parameter-command-injection.js:33:9:33:48 | "cmd.sh ... rgv.foo | command-line-parameter-command-injection.js:33:21:33:44 | require ... ").argv | command-line-parameter-command-injection.js:33:9:33:48 | "cmd.sh ... rgv.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:33:21:33:44 | require ... ").argv | command-line argument |
| command-line-parameter-command-injection.js:41:10:41:25 | "cmd.sh " + args | command-line-parameter-command-injection.js:36:13:39:7 | require ... \\t\\t.argv | command-line-parameter-command-injection.js:41:10:41:25 | "cmd.sh " + args | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:36:13:39:7 | require ... \\t\\t.argv | command-line argument |
@@ -248,3 +420,20 @@ edges
| command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line argument |
| command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line argument |
| command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line argument |
| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo | command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo | command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line argument |
| command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line argument |
| command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line argument |
| command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line argument |
| command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line argument |
| command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line argument |
| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line argument |
| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line argument |
| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line argument |
| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:133:10:133:16 | program | command-line argument |
| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line argument |
| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line argument |
| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line argument |
| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line argument |


@@ -28,7 +28,7 @@ var cp = require("child_process");
});
cp.exec("cmd.sh " + require("get-them-args")().foo); // NOT OK
cp.exec("cmd.sh " + require("minimist")().foo); // NOT OK
cp.exec("cmd.sh " + require("minimist")().foo); // OK - no args provided.
cp.exec("cmd.sh " + require("yargs").argv.foo); // NOT OK
cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
@@ -72,3 +72,76 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
cp.exec("cmd.sh " + taint4); // NOT OK
});
(function () {
const argv = process.argv.slice(2);
var minimist = require("minimist");
cp.exec("cmd.sh " + minimist(argv).foo); // NOT OK
var subarg = require('subarg');
cp.exec("cmd.sh " + subarg(process.argv.slice(2)).foo); // NOT OK
var yargsParser = require('yargs-parser');
cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // NOT OK
import args from 'args'
var flags = args.parse(process.argv);
cp.exec("cmd.sh " + flags.foo); // NOT OK
var flags = require('arg')({...spec});
cp.exec("cmd.sh " + flags.foo); // NOT OK
})
(function () {
const { ArgumentParser } = require('argparse');
const parser = new ArgumentParser({description: 'Argparse example'});
parser.add_argument('-f', '--foo', { help: 'foo bar' });
cp.exec("cmd.sh " + parser.parse_args().foo); // NOT OK
});
(function () {
const commandLineArgs = require('command-line-args');
const options = commandLineArgs(optionDefinitions);
cp.exec("cmd.sh " + options.foo); // NOT OK
});
(function () {
const meow = require('meow');
const cli = meow(`helpstring`, {flags: {...flags}});
cp.exec("cmd.sh " + cli.input[0]); // NOT OK
});
(function () {
var dashdash = require('dashdash');
var opts = dashdash.parse({options: options});
cp.exec("cmd.sh " + opts.foo); // NOT OK
var parser = dashdash.createParser({options: options});
var opts = parser.parse();
cp.exec("cmd.sh " + opts.foo); // NOT OK
});
(function () {
const { program } = require('commander');
program.version('0.0.1');
cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK
cp.exec("cmd.sh " + program.pizzaType); // NOT OK
});
(function () {
const { Command } = require('commander');
const program = new Command();
program.version('0.0.1');
cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK
cp.exec("cmd.sh " + program.pizzaType); // NOT OK
});
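Review bot: `import args from 'args'` in the `args` block of the `@@ -72,3 +72,76 @@` hunk is an ES import declaration inside a function expression, which is not valid JavaScript (import declarations must be at module top level), and it also drops the semicolon every neighbouring line uses; since all sibling blocks use `require`, `var args = require('args');` keeps the fixture parseable by any tooling and consistent with the rest of the file. The closing `})` of that same block has no semicolon either, so the next `(function () {` is parsed as a call on the preceding function expression rather than a separate statement; `});` matches the other blocks. Separately, the `.expected` section above still lists the line-31 `require("minimist")()` result while the test comment on that line now reads `// OK - no args provided.`; the rendering drops the +/- markers, so if that result line is context rather than a removed line, the comment and the expected output disagree and one of them needs updating.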