add qhelp for js/shell-command-constructed-from-input

2026-04-30 03:05:15 +02:00 · 2020-05-11 21:03:25 +02:00
parent 5e647da0de
commit 59001bbdf4
3 changed files with 85 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp
+++ b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp
@@ -0,0 +1,75 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+<overview>
+	<p>
+		
+		Dynamically constructing a shell command with inputs from exported 
+		functions, may inadvertently change the meaning of the shell command.
+		
+		Clients using the exported function may use inputs that contains
+		characters that the shell interprets in a special way, for instance
+		quotes and spaces.
+
+		This can result in the shell command misbehaving, or even
+		allowing a malicious user to execute arbitrary commands on the system.
+	</p>
+
+
+</overview>
+<recommendation>
+
+	<p>
+		If possible, use hard-coded string literals to specify the
+		shell command to run, and provide the dynamic arguments to the shell
+		command separately to avoid interpretation by the shell.
+	</p>
+
+	<p>
+		Alternatively, if the shell command must be constructed
+		dynamically, then add code to ensure that special characters 
+		do not alter the shell command unexpectedly.
+	</p>
+
+</recommendation>
+<example>
+
+	<p>
+		The following example shows a dynamically constructed shell
+		command that downloads a file from a remote url.
+	</p>
+
+	<sample src="examples/unsafe-shell-command-construction.js" />
+
+	<p>
+		The shell command will, however, fail to work as intended if the
+		input contains spaces or other special characters interpreted in a 
+		special way by the shell. 
+	</p>
+
+	<p>
+		Even worse, although less likely, a malicious user could
+		provide the input <code>http://example.org; cat /etc/passwd</code>
+		in order to execute the command <code>cat /etc/passwd</code>.
+
+	</p>
+
+	<p>
+		To avoid such potentially catastrophic behaviors, provide the
+		inputs from exported functions as an argument that does not
+		get interpreted by a shell:
+	</p>
+
+	<sample src="examples/unsafe-shell-command-construction_fixed.js" />
+
+</example>
+<references>
+
+	<li>
+		OWASP:
+		<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+	</li>
+
+</references>
+</qhelp>
--- a/javascript/ql/src/Security/CWE-078/examples/unsafe-shell-command-construction.js
+++ b/javascript/ql/src/Security/CWE-078/examples/unsafe-shell-command-construction.js
@@ -0,0 +1,5 @@
+var cp = require("child_process");
+
+module.exports = function download(path, callback) {
+  cp.exec("wget " + path, callback);
+}
--- a/javascript/ql/src/Security/CWE-078/examples/unsafe-shell-command-construction_fixed.js
+++ b/javascript/ql/src/Security/CWE-078/examples/unsafe-shell-command-construction_fixed.js
@@ -0,0 +1,5 @@
+var cp = require("child_process");
+
+module.exports = function download(path, callback) {
+  cp.execFile("wget", [path], callback);
+}