for demonstration

amammad
2023-10-11 17:34:33 +02:00
parent de2ee4d289
commit b24c6fd579
2 changed files with 28 additions and 19 deletions


@@ -119,8 +119,6 @@ module Execa {
} }
} }
API::Node test() { result = API::moduleImport("execa").getMember("$").getASuccessor*() }
/** /**
* The system command execution nodes for `execa.$` or `execa.$.sync` tag functions * The system command execution nodes for `execa.$` or `execa.$.sync` tag functions
*/ */
@@ -131,16 +129,17 @@ module Execa {
override predicate isShellInterpreted(DataFlow::Node arg) { override predicate isShellInterpreted(DataFlow::Node arg) {
isExecaShellEnable(this.getParameter(0)) and isExecaShellEnable(this.getParameter(0)) and
arg = this.getParameter(0).asSink() arg = this.getAParameter().asSink()
} }
override DataFlow::Node getArgumentList() { override DataFlow::Node getArgumentList() {
result = this.getParameter(any(int i | i > 1)).asSink() result = this.getParameter(any(int i | i > 1)).asSink() and
not exists(string s | this.getACall().getArgument(0).mayHaveStringValue(s) | s.matches(""))
} }
override predicate isSync() { isSync = true }
override DataFlow::Node getOptionsArg() { result = this.getParameter(0).asSink() } override DataFlow::Node getOptionsArg() { result = this.getParameter(0).asSink() }
override predicate isSync() { isSync = true }
} }
/** /**
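Review bot: The conjunct added to `getArgumentList` removes sinks without a comment saying which call shape it targets, and it spells an equality test as a LIKE pattern: `s.matches("")` holds only for the empty string, so `s = ""` says the same thing directly. Because this predicate decides which interpolated values are reported as command arguments, a filter that misfires shows up as a silent false negative in the command-injection results. I would add a comment along the lines of `// no argument list when argument 0 is the empty string, because <reason>` and confirm that `getArgument(0).mayHaveStringValue(s)` behaves as intended for tagged-template calls. Separately, `i > 1` leaves parameter 1 out of the argument list; if that is the first interpolated value, `arg1` in `ssh ${arg1} ${arg2}` would not be covered, which is worth checking against the expected test output. The enclosing class starts before this hunk.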


@@ -4,22 +4,32 @@ import url from 'url'
http.createServer(async function (req, res) { http.createServer(async function (req, res) {
let cmd = url.parse(req.url, true).query["cmd"][0]; let cmd = url.parse(req.url, true).query["cmd"][0];
let arg = url.parse(req.url, true).query["arg"]; let arg1 = url.parse(req.url, true).query["arg1"];
let arg2 = url.parse(req.url, true).query["arg2"];
await $`${cmd} ${arg}`; // NOT OK await $`${cmd} ${arg1} ${arg2}`; // NOT OK
$.sync`${cmd} ${arg}`; // NOT OK await $`ssh ${arg1} ${arg2}`; // NOT OK
await $({ shell: true })`${cmd} ${arg}` // NOT OK $({ shell: false }).sync`${cmd} ${arg} ${arg} ${arg2}`; // NOT OK
await $({ shell: false })`${cmd} ${arg}` // NOT OK $({ shell: true }).sync`${cmd} ${arg} ${arg} ${arg2}`; // NOT OK
$({ shell: false }).sync`ssh ${arg} ${arg} ${arg2}`; // NOT OK
await execa(cmd, [arg]); // NOT OK $.sync`${cmd} ${arg1} ${arg2}`; // NOT OK
$.sync`ssh ${arg1} ${arg2}`; // NOT OK
await $({ shell: true })`${cmd} ${arg1} ${arg2}` // NOT OK
await $({ shell: false })`${cmd} ${arg1} ${arg2}` // NOT OK
await $({ shell: false })`ssh ${arg1} ${arg2}` // NOT OK
await execa(cmd, [arg1]); // NOT OK
await execa(cmd, { shell: true }); // NOT OK await execa(cmd, { shell: true }); // NOT OK
await execa(cmd, { shell: true }); // NOT OK await execa(cmd, { shell: true }); // NOT OK
await execa(cmd, [arg], { shell: true }); // NOT OK await execa(cmd, [arg1], { shell: true }); // NOT OK
execaSync(cmd, [arg]); // NOT OK
execaSync(cmd, [arg], { shell: true }); // NOT OK
await execaCommand(cmd + arg); // NOT OK execaSync(cmd, [arg1]); // NOT OK
execaCommandSync(cmd + arg); // NOT OK execaSync(cmd, [arg1], { shell: true }); // NOT OK
await execaCommand(cmd + arg, { shell: true }); // NOT OK
execaCommandSync(cmd + arg, { shell: true }); // NOT OK await execaCommand(cmd + arg1); // NOT OK
await execaCommand(cmd + arg1, { shell: true }); // NOT OK
execaCommandSync(cmd + arg1); // NOT OK
execaCommandSync(cmd + arg1, { shell: true }); // NOT OK
}); });
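Review bot: The three new `$({ shell: ... }).sync` lines still interpolate `${arg}`, but this change renames that variable to `arg1` and adds `arg2`, so `arg` is no longer declared in the handler. For the analysis those placeholders carry no data from `req.url`, so the `// NOT OK` expectation on those lines can only be met through `cmd` or `arg2`; if the file were executed, they would throw a ReferenceError. I would replace `${arg} ${arg}` with `${arg1}` in those three templates so the `shell: false`, `shell: true` and `ssh` variants are tested with the same tainted inputs as the other cases.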