Merge pull request #5653 from erik-krogh/givenCommand

Approved by asgerf

javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll

@@ -53,7 +53,12 @@ module UnsafeShellCommandConstruction {
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
     ExternalInputSource() {
       this = Exports::getALibraryInputParameter() and
-      not this.getName() = ["cmd", "command"] // looks to be on purpose.
+      not (
+        // looks to be on purpose.
+        this.getName() = ["cmd", "command"]
+        or
+        this.getName().regexpMatch(".*(Cmd|Command)$") // ends with "Cmd" or "Command"
+      )
     }
   }
 

javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js

@@ -483,4 +483,9 @@ module.exports.splitConcat = function (name) {
 	let args = ' my name is ' + name; // NOT OK
 	let cmd = 'echo';
 	cp.exec(cmd + args);
+}
+
+module.exports.myCommand = function (myCommand) {
+	let cmd = `cd ${cwd} ; ${myCommand}`; // OK - the parameter name suggests that it is purposely a shell command.
+	cp.exec(cmd);
 }