recognize bound functions in js/shell-command-constructed-from-input

2026-04-30 19:26:02 +02:00 · 2020-12-22 11:11:59 +01:00
parent e2bba97794
commit 6a9089b15e
1 changed files with 6 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -51,10 +51,12 @@ module UnsafeShellCommandConstruction {
   */
  class ExternalInputSource extends Source, DataFlow::ParameterNode {
    ExternalInputSource() {
-      this =
-        Exports::getAValueExportedBy(Exports::getTopmostPackageJSON())
-            .getAFunctionValue()
-            .getAParameter() and
+      exists(int bound, DataFlow::FunctionNode func |
+        func =
+          Exports::getAValueExportedBy(Exports::getTopmostPackageJSON())
+              .getABoundFunctionValue(bound) and
+        this = func.getParameter(any(int arg | arg >= bound))
+      ) and
      not this.getName() = ["cmd", "command"] // looks to be on purpose.
    }
  }