add qhelp

This commit is contained in:
Erik Krogh Kristensen
2020-02-24 14:03:41 +01:00
parent fb94af9764
commit a779ae58a8
3 changed files with 42 additions and 15 deletions


@@ -3,28 +3,45 @@
"qhelp.dtd">
<qhelp>
<overview>
<p>
Useless use of cat
</p>
<p>Using the unix command <code>cat</code> to simply read a file is a
unnecessarily complex way to achieve something that can be done simpler and
safer using the Node.js <code>fs.readFile</code> API.
</p>
<p>
The use of <code>cat</code> for simple file reads leads to code that is
unportable, inefficient, complex, and can lead to subtle bugs or even
security vulnerabilities.
</p>
</overview>
<recommendation>
<p>
TODO: This is a placeholder
</p>
<p>
Use <code>fs.readFile</code> or <code>fs.readFileSync</code> to read files
from the file system.
</p>
</recommendation>
<example>
<p>
</p>
<p>The following example shows code that reads a file using <code>cat</code>:</p>
<sample src="examples/useless-cat.js"/>
<p>The code in the example will break if the input <code>name</code> contain
special characters (including space), the code does not work on windows,
and if the input is user controlled a command injection attack can happen.</p>
<p>To avoid these potential issues the <code>fs.readFile</code> API can be
used instead: </p>
<sample src="examples/useless-cat-fixed.js"/>
</example>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
</li>
<li>
OWASP: <a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
Node.js: <a href="https://nodejs.org/api/fs.html">File System API</a>.
</li>
</references>
</qhelp>
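Review bot: the `<recommendation>` still opens with a `<p>TODO: This is a placeholder</p>` paragraph and the `<example>` starts with an empty `<p></p>`; both should go before this is merged, since the real recommendation (`fs.readFile` / `fs.readFileSync`) already follows in the next paragraph. The `<references>` block lists the OWASP Command Injection link twice and puts the Node.js File System API link inside the same `<li>` as the second OWASP entry; make it two separate `<li>` entries, one for OWASP and one for Node.js. Minor wording in the new text: "a unnecessarily complex way" should read "an unnecessarily complex way", "if the input name contain special characters" should read "contains", and "windows" should be capitalised as "Windows". The overview's first `<p>` only repeats the query title "Useless use of cat"; it can be folded into the paragraph that follows.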


@@ -0,0 +1,5 @@
var fs = require('fs');
module.exports = function (name) {
return fs.readFileSync(name).toString();
};
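Review bot: `fs.readFileSync(name).toString()` reads the file into a Buffer and then decodes it; passing the encoding directly, `fs.readFileSync(name, 'utf8')`, returns the string in one step and is the form readers will copy from the "fixed" sample. Since this sample is shown right after the qhelp's remark about user-controlled input, a one-line comment here (or a sentence in the qhelp) would help: switching to `fs.readFileSync` takes the shell out of the picture, so `name` can no longer inject commands, but the path that is read is still whatever the caller passes in.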


@@ -0,0 +1,5 @@
var child_process = require('child_process');
module.exports = function (name) {
return child_process.execSync("cat " + name).toString();
};