Clarify that splitting arguments on space is not safe.

2026-04-25 16:55:19 +02:00 · 2023-07-04 14:50:48 +01:00
parent 74af0b1f05
commit 5fb6b5810f
3 changed files with 42 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-078/CommandInjection.inc.qhelp
+++ b/javascript/ql/src/Security/CWE-078/CommandInjection.inc.qhelp
@@ -20,6 +20,13 @@ then add code to verify that the user input string is safe before using it.</p>
 <p>If possible, prefer APIs that run the commands directly rather than via a
 shell, and that accept command arguments as an array of strings rather than a
 single concatenated string. This is both safer and more portable.</p>
+
+<p>In the latter case, if you are given the arguments as a single string, note
+that it is not safe to simply split the string on whitespace, since an argument
+may contain quoted whitespace which would cause it to be split into multiple
+arguments. Instead, use a library such as <code>shell-quote</code> to parse the
+string into an array of arguments.</p>
+
 </recommendation>

 <example>
@@ -46,6 +53,10 @@ default:</p>
 OWASP:
 <a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
 </li>
+<li>
+npm:
+<a href="https://www.npmjs.com/package/shell-quote">shell-quote</a>.
+</li>
 <!--  LocalWords:  CWE untrusted unsanitized Runtime
 -->
 </references>
--- a/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.qhelp
+++ b/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.qhelp
@@ -51,6 +51,17 @@

 		</p>

+		<p>
+
+			In the latter case, if you are given the arguments as a single
+			string, note that it is not safe to simply split the string on
+			whitespace, since an argument may contain quoted whitespace which
+			would cause it to be split into multiple arguments. Instead, use a
+			library such as <code>shell-quote</code> to parse the string into an
+			array of arguments.
+
+		</p>
+
 	</recommendation>
 	<example>

@@ -100,6 +111,11 @@
 			<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
 		</li>

+		<li>
+			npm:
+			<a href="https://www.npmjs.com/package/shell-quote">shell-quote</a>.
+		</li>
+
 	</references>

 </qhelp>
--- a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp
+++ b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp
@@ -26,6 +26,16 @@
 		interpretation by the shell.
 	</p>

+	<p>
+
+		Note, however, that if you are given the arguments as a single string,
+		it is not safe to simply split the string on whitespace, since an
+		argument may contain quoted whitespace which would cause it to be split
+		into multiple arguments. Instead, use a library such as
+		<code>shell-quote</code> to parse the string into an array of arguments.
+
+	</p>
+
 	<p>
 		Alternatively, if the shell command must be constructed
 		dynamically, then add code to ensure that special characters 
@@ -71,5 +81,10 @@
 		<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
 	</li>

+	<li>
+		npm:
+		<a href="https://www.npmjs.com/package/shell-quote">shell-quote</a>.
+	</li>
+
 </references>
 </qhelp>