Merge branch 'master' of github.com:Semmle/ql into js/more-fs-modules

javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape.ql

@@ -6,6 +6,4 @@ where
   char = getAnIdentityEscapedCharacter(n, _, _) and
   not hasALikelyRegExpPatternMistake(n) and
   not char = "\n" // ignore escaped newlines in multiline strings
-select n,
-  "The escape sequence '\\" + char + "' is equivalent to just '" +
-    char + "'."
+select n, "The escape sequence '\\" + char + "' is equivalent to just '" + char + "'."

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

@@ -1631,6 +1631,29 @@ nodes
 | normalizedPaths.js:332:19:332:32 | normalizedPath |
 | normalizedPaths.js:332:19:332:32 | normalizedPath |
 | normalizedPaths.js:332:19:332:32 | normalizedPath |
+| normalizedPaths.js:339:6:339:46 | path |
+| normalizedPaths.js:339:6:339:46 | path |
+| normalizedPaths.js:339:6:339:46 | path |
+| normalizedPaths.js:339:6:339:46 | path |
+| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:339:32:339:45 | req.query.path |
+| normalizedPaths.js:339:32:339:45 | req.query.path |
+| normalizedPaths.js:339:32:339:45 | req.query.path |
+| normalizedPaths.js:339:32:339:45 | req.query.path |
+| normalizedPaths.js:339:32:339:45 | req.query.path |
+| normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:346:19:346:22 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
@@ -4736,6 +4759,34 @@ edges
 | normalizedPaths.js:320:45:320:48 | path | normalizedPaths.js:320:23:320:49 | pathMod ... , path) |
 | normalizedPaths.js:320:45:320:48 | path | normalizedPaths.js:320:23:320:49 | pathMod ... , path) |
 | normalizedPaths.js:320:45:320:48 | path | normalizedPaths.js:320:23:320:49 | pathMod ... , path) |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:341:18:341:21 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:339:6:339:46 | path | normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) | normalizedPaths.js:339:6:339:46 | path |
+| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) | normalizedPaths.js:339:6:339:46 | path |
+| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) | normalizedPaths.js:339:6:339:46 | path |
+| normalizedPaths.js:339:13:339:46 | pathMod ... y.path) | normalizedPaths.js:339:6:339:46 | path |
+| normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
@@ -5952,6 +6003,8 @@ edges
 | normalizedPaths.js:316:19:316:22 | path | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:316:19:316:22 | path | This path depends on $@. | normalizedPaths.js:303:13:303:26 | req.query.path | a user-provided value |
 | normalizedPaths.js:325:19:325:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:325:19:325:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:303:13:303:26 | req.query.path | a user-provided value |
 | normalizedPaths.js:332:19:332:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:332:19:332:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:303:13:303:26 | req.query.path | a user-provided value |
+| normalizedPaths.js:341:18:341:21 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:341:18:341:21 | path | This path depends on $@. | normalizedPaths.js:339:32:339:45 | req.query.path | a user-provided value |
+| normalizedPaths.js:346:19:346:22 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:346:19:346:22 | path | This path depends on $@. | normalizedPaths.js:339:32:339:45 | req.query.path | a user-provided value |
 | other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
 | other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
 | other-fs-libraries.js:13:24:13:27 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:13:24:13:27 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js

@@ -334,3 +334,17 @@ app.get('/pseudo-normalizations', (req, res) => {
 	}
 
 });
+
+app.get('/yet-another-prefix', (req, res) => {
+	let path = pathModule.resolve(req.query.path);
+
+	fs.readFileSync(path); // NOT OK
+
+	var abs = pathModule.resolve(path); 
+
+	if (abs.indexOf(root) !== 0) {
+		fs.readFileSync(path); // NOT OK
+		return;
+    }
+	fs.readFileSync(path); // OK
+});

javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.expected

@@ -0,0 +1,112 @@
+readFile
+| uselesscat.js:10:1:10:43 | exec("c ... ut) {}) | fs.readFile("foo/bar", function(err, out) {...}) |
+| uselesscat.js:12:1:14:2 | exec("c ... ut);\\n}) | fs.readFile("/proc/" + id + "/status", function(err, out) {...}) |
+| uselesscat.js:16:1:16:29 | execSyn ... uinfo') | fs.readFileSync("/proc/cpuinfo") |
+| uselesscat.js:18:1:18:26 | execSyn ... path}`) | fs.readFileSync(newpath) |
+| uselesscat.js:32:1:32:34 | execSyn ... path}`) | fs.readFileSync(`foo/bar/${newpath}`) |
+| uselesscat.js:34:1:34:54 | execSyn ... utf8'}) | fs.readFileSync(`foo/bar/${newpath}`, {encoding: 'utf8'}) |
+| uselesscat.js:51:9:51:31 | execSyn ... + file) | fs.readFileSync(file) |
+| uselesscat.js:59:1:62:2 | execFil ... ut);\\n}) | fs.readFile("pom.xml", function(error, stdout, stderr) {...}) |
+| uselesscat.js:69:1:72:2 | execFil ... ut);\\n}) | fs.readFile("pom.xml", {encoding: 'utf8'}, function(error, stdout, stderr) {...}) |
+| uselesscat.js:74:1:74:60 | execFil ... utf8'}) | fs.readFileSync("pom.xml", {encoding: 'utf8'}) |
+| uselesscat.js:76:1:76:39 | execFil ... xml' ]) | fs.readFileSync("pom.xml") |
+| uselesscat.js:79:1:79:46 | execFil ...   opts) | fs.readFileSync("pom.xml", opts) |
+| uselesscat.js:82:1:82:90 | execFil ... String) | fs.readFileSync("pom.xml", anOptsFileNameThatIsTooLongToBePrintedByToString) |
+| uselesscat.js:84:1:84:115 | execFil ... ring'}) | fs.readFileSync("pom.xml", ...) |
+| uselesscat.js:86:1:86:75 | execFil ... utf8'}) | fs.readFileSync("foo/" + newPath + "bar", {encoding: 'utf8'}) |
+| uselesscat.js:88:1:88:35 | execSyn ...  + foo) | fs.readFileSync("/proc/cpuinfo" + foo) |
+| uselesscat.js:90:1:90:50 | execFil ... th}` ]) | fs.readFileSync(`foo/bar/${newpath}`) |
+| uselesscat.js:94:1:94:43 | exec("c ... ut) {}) | fs.readFile("foo/bar", function(err, out) {...}) |
+| uselesscat.js:96:1:96:53 | exec("c ... (out)}) | fs.readFile("foo/bar", (err, out) => {...}) |
+| uselesscat.js:98:1:98:55 | exec("c ... h(out)) | fs.readFile("foo/bar", (err, out) => ...) |
+| uselesscat.js:121:12:121:64 | exec("c ... (out)}) | fs.readFile("foo/bar", (err, out) => {...}) |
+| uselesscat.js:127:14:127:66 | exec("c ... (out)}) | fs.readFile("foo/bar", (err, out) => {...}) |
+| uselesscat.js:136:17:138:2 | execSyn ... tf8'\\n}) | fs.readFileSync("/etc/dnsmasq.conf", ...) |
+| uselesscat.js:146:1:146:61 | shelljs ... (out)}) | fs.readFile("foo/bar", (err, out) => {...}) |
+| uselesscat.js:147:1:147:47 | shelljs ... utf8'}) | fs.readFile("foo/bar", {encoding: 'utf8'}) |
+| uselesscat.js:148:1:148:81 | shelljs ... (out)}) | fs.readFile("foo/bar", (err, out) => {...}) |
+| uselesscat.js:151:1:151:48 | cspawn( ... tf8' }) | fs.readFile("foo/bar", { encoding: 'utf8' }) |
+| uselesscat.js:152:1:152:82 | cspawn( ... (out)}) | fs.readFile("foo/bar", (err, out) => {...}) |
+| uselesscat.js:153:1:153:60 | cspawn( ... (out)}) | fs.readFile("foo/bar", (err, out) => {...}) |
+| uselesscat.js:154:1:154:26 | cspawn( ... /bar']) | fs.readFile("foo/bar") |
+| uselesscat.js:158:16:158:46 | cspawn. ... /bar']) | fs.readFileSync("foo/bar") |
+| uselesscat.js:159:16:159:68 | cspawn. ... tf8' }) | fs.readFileSync("foo/bar", { encoding: 'utf8' }) |
+| uselesscat.js:162:1:162:56 | execmod ... (out)}) | fs.readFile("foo/bar", (err, out) => {...}) |
+| uselesscat.js:163:1:163:42 | execmod ... utf8'}) | fs.readFile("foo/bar") |
+| uselesscat.js:164:1:164:76 | execmod ... (out)}) | fs.readFile("foo/bar", {encoding: 'utf8'}, (err, out) => {...}) |
+syncCommand
+| child_process-test.js:9:5:9:22 | cp.execSync("foo") |
+| child_process-test.js:11:5:11:26 | cp.exec ... ("foo") |
+| child_process-test.js:13:5:13:23 | cp.spawnSync("foo") |
+| child_process-test.js:18:5:18:20 | cp.execSync(cmd) |
+| child_process-test.js:20:5:20:24 | cp.execFileSync(cmd) |
+| child_process-test.js:22:5:22:21 | cp.spawnSync(cmd) |
+| command-line-parameter-command-injection.js:11:2:11:21 | cp.execSync(args[0]) |
+| command-line-parameter-command-injection.js:12:2:12:33 | cp.exec ... rgs[0]) |
+| command-line-parameter-command-injection.js:15:2:15:26 | cp.exec ... rgs[0]) |
+| command-line-parameter-command-injection.js:16:2:16:38 | cp.exec ... rgs[0]) |
+| command-line-parameter-command-injection.js:19:2:19:18 | cp.execSync(arg0) |
+| command-line-parameter-command-injection.js:20:2:20:30 | cp.exec ... + arg0) |
+| command-line-parameter-command-injection.js:26:2:26:51 | cp.exec ... tion"`) |
+| command-line-parameter-command-injection.js:27:2:27:58 | cp.exec ... tion"`) |
+| other.js:7:5:7:36 | require ... nc(cmd) |
+| other.js:9:5:9:35 | require ... nc(cmd) |
+| other.js:12:5:12:30 | require ... nc(cmd) |
+| third-party-command-injection.js:6:9:6:28 | cp.execSync(command) |
+| tst_shell-command-injection-from-environment.js:4:2:4:62 | cp.exec ... emp")]) |
+| tst_shell-command-injection-from-environment.js:5:2:5:54 | cp.exec ... temp")) |
+| uselesscat.js:16:1:16:29 | execSyn ... uinfo') |
+| uselesscat.js:18:1:18:26 | execSyn ... path}`) |
+| uselesscat.js:20:1:20:36 | execSyn ... wc -l') |
+| uselesscat.js:22:1:22:38 | execSyn ... o/bar') |
+| uselesscat.js:24:1:24:35 | execSyn ... o/bar`) |
+| uselesscat.js:28:1:28:39 | execSyn ...  1000}) |
+| uselesscat.js:32:1:32:34 | execSyn ... path}`) |
+| uselesscat.js:34:1:34:54 | execSyn ... utf8'}) |
+| uselesscat.js:36:1:36:77 | execSyn ... utf8'}) |
+| uselesscat.js:38:1:38:43 | execSyn ... r/baz') |
+| uselesscat.js:40:1:40:40 | execSyn ... path}`) |
+| uselesscat.js:42:1:42:47 | execSyn ... File}`) |
+| uselesscat.js:44:1:44:34 | execSyn ... ' ')}`) |
+| uselesscat.js:48:1:48:41 | execSyn ... tool}`) |
+| uselesscat.js:51:9:51:31 | execSyn ... + file) |
+| uselesscat.js:54:1:54:39 | execSyn ...  + "'") |
+| uselesscat.js:74:1:74:60 | execFil ... utf8'}) |
+| uselesscat.js:76:1:76:39 | execFil ... xml' ]) |
+| uselesscat.js:79:1:79:46 | execFil ...   opts) |
+| uselesscat.js:82:1:82:90 | execFil ... String) |
+| uselesscat.js:84:1:84:115 | execFil ... ring'}) |
+| uselesscat.js:86:1:86:75 | execFil ... utf8'}) |
+| uselesscat.js:88:1:88:35 | execSyn ...  + foo) |
+| uselesscat.js:90:1:90:50 | execFil ... th}` ]) |
+| uselesscat.js:92:1:92:46 | execFil ... th}` ]) |
+| uselesscat.js:100:1:100:56 | execFil ... ptions) |
+| uselesscat.js:104:1:104:31 | execFil ... cat` ]) |
+| uselesscat.js:136:17:138:2 | execSyn ... tf8'\\n}) |
+| uselesscat.js:158:16:158:46 | cspawn. ... /bar']) |
+| uselesscat.js:159:16:159:68 | cspawn. ... tf8' }) |
+options
+| child_process-test.js:53:5:53:59 | cp.spaw ...  cmd])) | child_process-test.js:53:25:53:58 | ['/C',  ... , cmd]) |
+| child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:54:25:54:49 | ['/C',  ... at(cmd) |
+| child_process-test.js:64:3:64:21 | cp.spawn(cmd, args) | child_process-test.js:64:17:64:20 | args |
+| uselesscat.js:28:1:28:39 | execSyn ...  1000}) | uselesscat.js:28:28:28:38 | {uid: 1000} |
+| uselesscat.js:30:1:30:64 | exec('c ... t) { }) | uselesscat.js:30:26:30:38 | { cwd: './' } |
+| uselesscat.js:34:1:34:54 | execSyn ... utf8'}) | uselesscat.js:34:36:34:53 | {encoding: 'utf8'} |
+| uselesscat.js:36:1:36:77 | execSyn ... utf8'}) | uselesscat.js:36:36:36:76 | { uid:  ... 'utf8'} |
+| uselesscat.js:69:1:72:2 | execFil ... ut);\\n}) | uselesscat.js:69:38:69:55 | {encoding: 'utf8'} |
+| uselesscat.js:74:1:74:60 | execFil ... utf8'}) | uselesscat.js:74:42:74:59 | {encoding: 'utf8'} |
+| uselesscat.js:79:1:79:46 | execFil ...   opts) | uselesscat.js:79:42:79:45 | opts |
+| uselesscat.js:82:1:82:90 | execFil ... String) | uselesscat.js:82:42:82:89 | anOptsF ... oString |
+| uselesscat.js:84:1:84:115 | execFil ... ring'}) | uselesscat.js:84:42:84:114 | {encodi ... tring'} |
+| uselesscat.js:86:1:86:75 | execFil ... utf8'}) | uselesscat.js:86:57:86:74 | {encoding: 'utf8'} |
+| uselesscat.js:100:1:100:56 | execFil ... ptions) | uselesscat.js:100:42:100:55 | unknownOptions |
+| uselesscat.js:111:1:111:51 | spawn(' ... it'] }) | uselesscat.js:111:14:111:50 | { stdio ... rit'] } |
+| uselesscat.js:136:17:138:2 | execSyn ... tf8'\\n}) | uselesscat.js:136:51:138:1 | { // NO ... utf8'\\n} |
+| uselesscat.js:147:1:147:47 | shelljs ... utf8'}) | uselesscat.js:147:29:147:46 | {encoding: 'utf8'} |
+| uselesscat.js:151:1:151:48 | cspawn( ... tf8' }) | uselesscat.js:151:28:151:47 | { encoding: 'utf8' } |
+| uselesscat.js:156:1:156:35 | cspawn( ... tf8' }) | uselesscat.js:156:15:156:34 | { encoding: 'utf8' } |
+| uselesscat.js:159:16:159:68 | cspawn. ... tf8' }) | uselesscat.js:159:48:159:67 | { encoding: 'utf8' } |
+| uselesscat.js:164:1:164:76 | execmod ... (out)}) | uselesscat.js:164:24:164:41 | {encoding: 'utf8'} |
+#select
+| False negative | uselesscat.js:54:42:54:69 | // NOT  ... lagged] |
+| False positive | uselesscat.js:44:37:44:85 | // OK [ ... le read |

javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.ql

@@ -0,0 +1,28 @@
+import javascript
+import semmle.javascript.security.UselessUseOfCat
+
+from LineComment comment, string msg
+where
+  comment.getFile().getAbsolutePath().regexpMatch(".*/uselesscat.js") and
+  (
+    comment.getText().regexpMatch(".*NOT OK.*") and
+    not any(UselessCat cat).asExpr().getLocation().getStartLine() =
+      comment.getLocation().getStartLine() and
+    msg = "False negative"
+    or
+    comment.getText().regexpMatch(".* OK.*") and
+    not comment.getText().regexpMatch(".*NOT OK.*") and
+    any(UselessCat cat).asExpr().getLocation().getStartLine() = comment.getLocation().getStartLine() and
+    msg = "False positive"
+  )
+select msg, comment
+
+query string readFile(UselessCat cat) { result = PrettyPrintCatCall::createReadFileCall(cat) }
+
+query SystemCommandExecution syncCommand() {
+  result.isSync()	
+}
+
+query DataFlow::Node options(SystemCommandExecution sys) {
+  result = sys.getOptionsArg()
+}

javascript/ql/test/query-tests/Security/CWE-078/uselesscat.js

@@ -0,0 +1,166 @@
+var express = require('express');
+var child_process = require('child_process');
+var execSync = child_process.execSync;
+var exec = child_process.exec;
+var spawn = child_process.spawn;
+var spawnSync = child_process.spawnSync;
+var fs = require('fs');
+var app = express();
+
+exec("cat foo/bar", function (err, out) {}); // NOT OK
+
+exec("cat /proc/" + id + "/status", function (err, out) { // NOT OK
+	console.log(out);
+});
+
+execSync('cat /proc/cpuinfo').toString(); // NOT OK.
+
+execSync(`cat ${newpath}`) // NOT OK
+
+execSync('cat package.json | wc -l'); // OK - pipes!
+
+execSync('cat /proc/cpuinfo /foo/bar').toString(); // OK multiple files.
+
+execSync(`cat ${newpath} /foo/bar`).toString(); // OK multiple files.
+
+exec(`cat ${newpath} | grep foo`, function (err, out) { }) // OK - pipes
+
+execSync(`cat ${newpath}`, {uid: 1000}) // OK - non trivial options
+
+exec('cat *.js | wc -l', { cwd: './' }, function (err, out) { }); // OK - wildcard and pipes
+
+execSync(`cat foo/bar/${newpath}`); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync)
+
+execSync(`cat foo/bar/${newpath}`, {encoding: 'utf8'}); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync)
+
+execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'}); // OK (fs.readFileSync cannot emulate uid / gid))
+
+execSync('cat /proc/cpuinfo > foo/bar/baz').toString(); // OK.
+
+execSync(`cat ${newpath} > ${destpath}`).toString(); // OK.
+
+execSync(`cat ${files.join(' ')} > ${outFile}`); // OK
+
+execSync(`cat ${files.join(' ')}`); // OK [but flagged] - not just a simple file read
+
+exec("cat /proc/cpuinfo | grep name"); // OK - pipes
+
+execSync(`cat ${newpath} | ${othertool}`); // OK - pipes
+
+function cat(file) {
+	return execSync('cat ' + file).toString(); // NOT OK
+}
+
+execSync("sh -c 'cat " + newpath + "'"); // NOT OK. [but not flagged]
+
+var execFile = child_process.execFile;
+var execFileSync = child_process.execFileSync;
+
+execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // NOT OK
+  // Not using stderr
+  console.log(stdout);
+});
+
+execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // OK. - stderr is used.
+  console.log(stderr); 
+});
+
+
+execFile('/bin/cat', [ 'pom.xml' ],  {encoding: 'utf8'}, function(error, stdout, stderr ) { // NOT OK
+  // Not using stderr
+  console.log(stdout);
+});
+
+execFileSync('/bin/cat', [ 'pom.xml' ],  {encoding: 'utf8'}); // NOT OK
+
+execFileSync('/bin/cat', [ 'pom.xml' ]);  // NOT OK
+
+var opts = {encoding: 'utf8'};
+execFileSync('/bin/cat', [ 'pom.xml' ],  opts); // NOT OK
+
+var anOptsFileNameThatIsTooLongToBePrintedByToString = {encoding: 'utf8'};
+execFileSync('/bin/cat', [ 'pom.xml' ],  anOptsFileNameThatIsTooLongToBePrintedByToString); // NOT OK
+
+execFileSync('/bin/cat', [ 'pom.xml' ],  {encoding: 'someEncodingValueThatIsCompletelyBogusAndTooLongForToString'}); // NOT OK
+
+execFileSync('/bin/cat', [ "foo/" + newPath + "bar" ],  {encoding: 'utf8'}); // NOT OK
+
+execSync('cat /proc/cpuinfo' + foo).toString(); // NOT OK.
+
+execFileSync('/bin/cat', [ `foo/bar/${newpath}` ]); // NOT OK
+
+execFileSync('node', [ `foo/bar/${newpath}` ]); // OK - not a call to cat
+
+exec("cat foo/bar", function (err, out) {}); // NOT OK
+
+exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK
+
+exec("cat foo/bar", (err, out) => doSomethingWith(out)); // NOT OK
+
+execFileSync('/bin/cat', [ 'pom.xml' ],  unknownOptions); // OK - unknown options.
+
+exec("node foo/bar", (err, out) => doSomethingWith(out)); // OK - Not a call to cat
+
+execFileSync('node', [ `cat` ]); // OK - not a call to cat
+
+exec("cat foo/bar&", function (err, out) {}); // OK - contains &
+exec("cat foo/bar,", function (err, out) {}); // OK - contains ,
+exec("cat foo/bar$", function (err, out) {}); // OK - contains $
+exec("cat foo/bar`", function (err, out) {}); // OK - contains `
+
+spawn('cat', { stdio: ['pipe', stdin, 'inherit'] }); // OK - Non trivial use. (But weird API use.)
+
+(function () {
+  const cat = spawn('cat', [filename]); // OK - non trivial use.
+  cat.stdout.on('data', (data) => {
+    res.write(data);
+  });
+  cat.stdout.on('end', () => res.end());
+})();
+
+var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK
+
+var notDead = exec("cat foo/bar", (err, out) => {console.log(out)}); // OK
+console.log(notDead);
+
+(function () {
+  var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK
+
+  someCall(
+	exec("cat foo/bar", (err, out) => {console.log(out)}) // OK - non-trivial use of returned proccess.
+  );
+
+  return exec("cat foo/bar", (err, out) => {console.log(out)}); // OK - non-trivial use of returned proccess.
+})();
+
+const stdout2 = execSync('cat /etc/dnsmasq.conf', { // NOT OK.
+  encoding: 'utf8'
+});
+
+exec('/bin/cat', function (e, s) {});  // OK
+
+spawn("cat") // OK  
+
+
+var shelljs = require("shelljs");
+shelljs.exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK
+shelljs.exec("cat foo/bar", {encoding: 'utf8'}); // NOT OK
+shelljs.exec("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // NOT OK
+
+let cspawn = require('cross-spawn');
+cspawn('cat', ['foo/bar'], { encoding: 'utf8' }); // NOT OK
+cspawn('cat', ['foo/bar'], { encoding: 'utf8' }, (err, out) => {console.log(out)}); // NOT OK
+cspawn('cat', ['foo/bar'], (err, out) => {console.log(out)}); // NOT OK
+cspawn('cat', ['foo/bar']); // NOT OK
+cspawn('cat', (err, out) => {console.log(out)}); // OK
+cspawn('cat', { encoding: 'utf8' }); // OK
+ 
+let myResult = cspawn.sync('cat', ['foo/bar']); // NOT OK
+let myResult = cspawn.sync('cat', ['foo/bar'], { encoding: 'utf8' }); // NOT OK
+
+var execmod = require('exec');
+execmod("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK
+execmod("cat foo/bar", {encoding: 'utf8'}); // NOT OK
+execmod("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // NOT OK
+
+  

javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.ql

@@ -16,7 +16,6 @@ import semmle.javascript.security.dataflow.DomBasedXss::DomBasedXss
 import DataFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
 
-
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
 select sink.getNode(), source, sink,