Merge pull request #3447 from erik-krogh/LibCmdInjection

Approved by asgerf, mchammer01
semmle-qlci
2020-05-22 17:10:57 +01:00
committed by GitHub
31 changed files with 1267 additions and 6 deletions


@@ -29,6 +29,7 @@
| Cross-site scripting through DOM (`js/xss-through-dom`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities where existing text from the DOM is used as HTML. Results are not shown on LGTM by default. |
| Incomplete HTML attribute sanitization (`js/incomplete-html-attribute-sanitization`) | security, external/cwe/cwe-20, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities due to incomplete sanitization of HTML meta-characters. Results are shown on LGTM by default. |
| Unsafe expansion of self-closing HTML tag (`js/unsafe-html-expansion`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities caused by unsafe expansion of self-closing HTML tags. |
| Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights potential command injections due to a shell command being constructed from library inputs. Results are shown on LGTM by default. |
## Changes to existing queries


@@ -0,0 +1,75 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Dynamically constructing a shell command with inputs from exported
functions may inadvertently change the meaning of the shell command.
Clients using the exported function may use inputs containing
characters that the shell interprets in a special way, for instance
quotes and spaces.
This can result in the shell command misbehaving, or even
allowing a malicious user to execute arbitrary commands on the system.
</p>
</overview>
<recommendation>
<p>
If possible, provide the dynamic arguments to the shell as an array
using a safe API such as <code>child_process.execFile</code> to avoid
interpretation by the shell.
</p>
<p>
Alternatively, if the shell command must be constructed
dynamically, then add code to ensure that special characters
do not alter the shell command unexpectedly.
</p>
</recommendation>
<example>
<p>
The following example shows a dynamically constructed shell
command that downloads a file from a remote URL.
</p>
<sample src="examples/unsafe-shell-command-construction.js" />
<p>
The shell command will, however, fail to work as intended if the
input contains spaces or other special characters interpreted in a
special way by the shell.
</p>
<p>
Even worse, a client might pass in user-controlled
data, not knowing that the input is interpreted as a shell command.
This could allow a malicious user to provide the input <code>http://example.org; cat /etc/passwd</code>
in order to execute the command <code>cat /etc/passwd</code>.
</p>
<p>
To avoid such potentially catastrophic behaviors, provide the
inputs from exported functions as an argument that does not
get interpreted by a shell:
</p>
<sample src="examples/unsafe-shell-command-construction_fixed.js" />
</example>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
</li>
</references>
</qhelp>


@@ -0,0 +1,23 @@
/**
* @name Unsafe shell command constructed from library input
* @description Using externally controlled strings in a command line may allow a malicious
* user to change the meaning of the command.
* @kind path-problem
* @problem.severity error
* @precision high
* @id js/shell-command-constructed-from-input
* @tags correctness
* security
* external/cwe/cwe-078
* external/cwe/cwe-088
*/
import javascript
import semmle.javascript.security.dataflow.UnsafeShellCommandConstruction::UnsafeShellCommandConstruction
import DataFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
where cfg.hasFlowPath(source, sink) and sinkNode = sink.getNode()
select sinkNode.getAlertLocation(), source, sink, "$@ based on libary input is later used in $@.",
sinkNode.getAlertLocation(), sinkNode.getSinkType(), sinkNode.getCommandExecution(),
"shell command"
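Review bot: The alert message on the select line misspells "library": `"$@ based on libary input is later used in $@."` should read `"$@ based on library input is later used in $@."`. Since this string is emitted with every result, it is worth fixing before the expected-output files that contain it are committed. The `@description` could also name what the query actually matches, e.g. `Using a parameter of an exported function in a shell command may allow a malicious user to change the meaning of the command.`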


@@ -0,0 +1,5 @@
var cp = require("child_process");
module.exports = function download(path, callback) {
cp.exec("wget " + path, callback);
}


@@ -0,0 +1,5 @@
var cp = require("child_process");
module.exports = function download(path, callback) {
cp.execFile("wget", [path], callback);
}
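Review bot: The fixed example still lets a `path` value beginning with `-` be read by wget as an option instead of a URL, which is the argument-injection pattern (CWE-088) the new query is itself tagged with. An end-of-options marker keeps the example honest: `cp.execFile("wget", ["--", path], callback);`. Whether the qhelp prose should mention this is a judgment call, but the fixed example is what readers copy.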


@@ -0,0 +1,71 @@
/**
* EXPERIMENTAL. This API may change in the future.
*
* Provides predicates for working with values exported from a package.
*/
import javascript
/**
* Gets the number of occurrences of "/" in `path`.
*/
bindingset[path]
private int countSlashes(string path) { result = count(path.splitAt("/")) - 1 }
/**
* Gets the topmost package.json that appears in the project.
*
* There can be multiple results if the there exists multiple package.json that are equally deeply nested in the folder structure.
* Results are limited to package.json files that are at most nested 2 directories deep.
*/
PackageJSON getTopmostPackageJSON() {
result =
min(PackageJSON j |
countSlashes(j.getFile().getRelativePath()) <= 3
|
j order by countSlashes(j.getFile().getRelativePath())
)
}
/**
* Gets a value exported by the main module from the package.json `packageJSON`.
* The value is either directly the `module.exports` value, a nested property of `module.exports`, or a method on an exported class.
*/
DataFlow::Node getAValueExportedBy(PackageJSON packageJSON) {
result = getAnExportFromModule(packageJSON.getMainModule())
or
result = getAValueExportedBy(packageJSON).(DataFlow::PropWrite).getRhs()
or
exists(DataFlow::SourceNode callee |
callee = getAValueExportedBy(packageJSON).(DataFlow::NewNode).getCalleeNode().getALocalSource()
|
result = callee.getAPropertyRead("prototype").getAPropertyWrite()
or
result = callee.(DataFlow::ClassNode).getAnInstanceMethod()
)
or
result = getAValueExportedBy(packageJSON).getALocalSource()
or
result = getAValueExportedBy(packageJSON).(DataFlow::SourceNode).getAPropertyReference()
or
exists(Module mod |
mod = getAValueExportedBy(packageJSON).getEnclosingExpr().(Import).getImportedModule()
|
result = getAnExportFromModule(mod)
)
or
exists(DataFlow::ClassNode cla | cla = getAValueExportedBy(packageJSON) |
result = cla.getAnInstanceMethod() or
result = cla.getAStaticMethod() or
result = cla.getConstructor()
)
}
/**
* Gets an exported node from the module `mod`.
*/
private DataFlow::Node getAnExportFromModule(Module mod) {
result.analyze().getAValue() = mod.(NodeModule).getAModuleExportsValue()
or
exists(ASTNode export | result.getEnclosingExpr() = export | mod.exports(_, export))
}
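Review bot: `countSlashes` undercounts whenever two path segments are equal, because `count(path.splitAt("/"))` counts distinct substrings — `"a/a/package.json"` yields 1 rather than 2 — so `getTopmostPackageJSON` can rank a deeper package.json as topmost; `result = path.regexpReplaceAll("[^/]", "").length()` counts every separator. The qldoc on `getTopmostPackageJSON` says results are limited to files nested at most 2 directories deep, while the predicate admits `countSlashes(...) <= 3`; one of the two should change so they agree. The same qldoc reads "if the there exists multiple package.json" — suggest "if there exist multiple package.json files that are equally deeply nested".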


@@ -779,7 +779,8 @@ module TaintTracking {
*/
class AdHocWhitelistCheckSanitizer extends SanitizerGuardNode, DataFlow::CallNode {
AdHocWhitelistCheckSanitizer() {
getCalleeName().regexpMatch("(?i).*((?<!un)safe|whitelist|allow|(?<!un)auth(?!or\\b)).*") and
getCalleeName()
.regexpMatch("(?i).*((?<!un)safe|whitelist|(?<!in)valid|allow|(?<!un)auth(?!or\\b)).*") and
getNumArgument() = 1
}


@@ -449,10 +449,7 @@ module NodeJSLib {
private DataFlow::SourceNode fsModule(DataFlow::TypeTracker t) {
exists(string moduleName |
moduleName = "fs" or
moduleName = "graceful-fs" or
moduleName = "fs-extra" or
moduleName = "original-fs"
moduleName = ["mz/fs", "original-fs", "fs-extra", "graceful-fs", "fs"]
|
result = DataFlow::moduleImport(moduleName)
or
@@ -621,6 +618,8 @@ module NodeJSLib {
ChildProcessMethodCall() {
this = maybePromisified(DataFlow::moduleMember("child_process", methodName)).getACall()
or
this = DataFlow::moduleMember("mz/child_process", methodName).getACall()
}
private DataFlow::Node getACommandArgument(boolean shell) {


@@ -52,7 +52,7 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::
result = pred.backtrack(t2, t)
or
t = t2.continue() and
TaintTracking::arrayFunctionTaintStep(result, pred, _)
TaintTracking::arrayFunctionTaintStep(any(DataFlow::Node n | result.flowsTo(n)), pred, _)
)
}
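Review bot: The new `any(DataFlow::Node n | result.flowsTo(n))` argument appears to widen the back-tracking so that an array step recorded on a later use of the array also reaches the array's source, but nothing in the hunk says so, and a future reader is likely to "simplify" it back to `result`. Suggest a comment above the call: `// the array step may be recorded on a use of the array rather than on `result` itself`. `argumentList` starts outside the hunk, so I cannot confirm how `result` is otherwise bound.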


@@ -0,0 +1,35 @@
/**
* Provides a taint tracking configuration for reasoning about shell command
* constructed from library input vulnerabilities (CWE-078).
*
* Note, for performance reasons: only import this file if
* `UnsafeShellCommandConstruction::Configuration` is needed, otherwise
* `UnsafeShellCommandConstructionCustomizations` should be imported instead.
*/
import javascript
/**
* Classes and predicates for the shell command constructed from library input query.
*/
module UnsafeShellCommandConstruction {
import UnsafeShellCommandConstructionCustomizations::UnsafeShellCommandConstruction
/**
* A taint-tracking configuration for reasoning about shell command constructed from library input vulnerabilities.
*/
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "UnsafeShellCommandConstruction" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
guard instanceof PathExistsSanitizerGuard or
guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
}
}
}


@@ -0,0 +1,190 @@
/**
* Provides default sources, sinks and sanitizers for reasoning about
* shell command constructed from library input vulnerabilities,
* as well as extension points for adding your own.
*/
import javascript
private import semmle.javascript.security.dataflow.RemoteFlowSources
private import semmle.javascript.PackageExports as Exports
/**
* Module containing sources, sinks, and sanitizers for shell command constructed from library input.
*/
module UnsafeShellCommandConstruction {
import IndirectCommandArgument
import semmle.javascript.security.IncompleteBlacklistSanitizer as IncompleteBlacklistSanitizer
/**
* A data flow source for shell command constructed from library input.
*/
abstract class Source extends DataFlow::Node { }
/**
* A data flow sink for shell command constructed from library input.
*/
abstract class Sink extends DataFlow::Node {
/**
* Gets a description how the shell command is constructed for this sink.
*/
abstract string getSinkType();
/**
* Gets the dataflow node that executes the shell command.
*/
abstract SystemCommandExecution getCommandExecution();
/**
* Gets the node that should be highlighted for this sink.
* E.g. for a string concatenation, the sink is one of the leaves and the highlight is the concatenation root.
*/
abstract DataFlow::Node getAlertLocation();
}
/**
* A sanitizer for shell command constructed from library input.
*/
abstract class Sanitizer extends DataFlow::Node { }
/**
* A parameter of an exported function, seen as a source for shell command constructed from library input.
*/
class ExternalInputSource extends Source, DataFlow::ParameterNode {
ExternalInputSource() {
this =
Exports::getAValueExportedBy(Exports::getTopmostPackageJSON())
.(DataFlow::FunctionNode)
.getAParameter() and
not this.getName() = ["cmd", "command"] // looks to be on purpose.
}
}
/**
* Gets a node that is later executed as a shell command in the command execution `sys`.
*/
private DataFlow::Node isExecutedAsShellCommand(
DataFlow::TypeBackTracker t, SystemCommandExecution sys
) {
t.start() and result = sys.getACommandArgument() and sys.isShellInterpreted(result)
or
t.start() and isIndirectCommandArgument(result, sys)
or
exists(DataFlow::TypeBackTracker t2 |
t2 = t.smallstep(result, isExecutedAsShellCommand(t2, sys))
)
}
/**
* A string concatenation that is later executed as a shell command.
*/
class StringConcatEndingInCommandExecutionSink extends Sink, StringOps::ConcatenationLeaf {
SystemCommandExecution sys;
StringOps::ConcatenationRoot root;
StringConcatEndingInCommandExecutionSink() {
this = root.getALeaf() and
root = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys) and
exists(string prev | prev = this.getPreviousLeaf().getStringValue() |
prev.regexpMatch(".* ('|\")?[0-9a-zA-Z/]*")
)
}
override string getSinkType() { result = "String concatenation" }
override SystemCommandExecution getCommandExecution() { result = sys }
override DataFlow::Node getAlertLocation() { result = root }
}
/**
* An element pushed to an array, where the array is later used to execute a shell command.
*/
class ArrayAppendEndingInCommandExecutinSink extends Sink {
DataFlow::SourceNode array;
SystemCommandExecution sys;
ArrayAppendEndingInCommandExecutinSink() {
this =
[array.(DataFlow::ArrayCreationNode).getAnElement(),
array.getAMethodCall(["push", "unshift"]).getAnArgument()] and
exists(DataFlow::MethodCallNode joinCall | array.getAMethodCall("join") = joinCall |
joinCall = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys) and
joinCall.getNumArgument() = 1 and
joinCall.getArgument(0).getStringValue() = " "
)
}
override string getSinkType() { result = "Array element" }
override SystemCommandExecution getCommandExecution() { result = sys }
override DataFlow::Node getAlertLocation() { result = this }
}
/**
* A formatted string that is later executed as a shell command.
*/
class FormatedStringInCommandExecutionSink extends Sink {
PrintfStyleCall call;
SystemCommandExecution sys;
FormatedStringInCommandExecutionSink() {
this = call.getFormatArgument(_) and
call = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys) and
exists(string formatString | call.getFormatString().mayHaveStringValue(formatString) |
formatString.regexpMatch(".* ('|\")?[0-9a-zA-Z/]*%.*")
)
}
override string getSinkType() { result = "Formatted string" }
override SystemCommandExecution getCommandExecution() { result = sys }
override DataFlow::Node getAlertLocation() { result = this }
}
/**
* A sanitizer like: "'"+name.replace(/'/g,"'\\''")+"'"
* Which sanitizes on Unix.
* The sanitizer is only safe if sorounded by single-quotes, which is assumed.
*/
class ReplaceQuotesSanitizer extends Sanitizer, StringReplaceCall {
ReplaceQuotesSanitizer() {
this.getAReplacedString() = "'" and
this.isGlobal() and
this.getRawReplacement().mayHaveStringValue(["'\\''", ""])
}
}
/**
* A chain of replace calls that replaces all unsafe chars for shell-commands.
*/
class ChainSanitizer extends Sanitizer, IncompleteBlacklistSanitizer::StringReplaceCallSequence {
ChainSanitizer() {
forall(string char |
char = ["&", "`", "$", "|", ">", "<", "#", ";", "(", ")", "[", "]", "\n"]
|
this.getAMember().getAReplacedString() = char
)
}
}
/**
* A sanitizer that sanitizers paths that exist in the file-system.
* For example: `x` is sanitized in `fs.existsSync(x)` or `fs.existsSync(x + "/suffix/path")`.
*/
class PathExistsSanitizerGuard extends TaintTracking::SanitizerGuardNode, DataFlow::CallNode {
PathExistsSanitizerGuard() {
this = DataFlow::moduleMember("path", "exist").getACall() or
this = DataFlow::moduleMember("fs", "existsSync").getACall()
}
override predicate sanitizes(boolean outcome, Expr e) {
outcome = true and
(
e = getArgument(0).asExpr() or
e = getArgument(0).(StringOps::ConcatenationRoot).getALeaf().asExpr()
)
}
}
}
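Review bot: `DataFlow::moduleMember("path", "exist")` in `PathExistsSanitizerGuard` does not correspond to a Node.js API — the `path` module has no `exist` member — so that disjunct looks dead and should be dropped, or, if `fs.exists` was intended, modelled separately since it is callback-based rather than returning a boolean. Two new exported class names carry typos that will be awkward to fix once the library is published: `ArrayAppendEndingInCommandExecutinSink` → `ArrayAppendEndingInCommandExecutionSink` and `FormatedStringInCommandExecutionSink` → `FormattedStringInCommandExecutionSink`. The comment on the `cmd`/`command` exclusion in `ExternalInputSource` is too terse to explain the rationale; suggest `// a parameter named cmd/command is expected to receive a whole shell command, so it is intentionally not treated as library input`. The `ReplaceQuotesSanitizer` qldoc has "sorounded" for "surrounded", and since the single-quote assumption it describes is not checked, a result that is not wrapped in quotes is still treated as sanitized — worth stating explicitly in that qldoc.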


@@ -0,0 +1 @@
module.exports = function notExportedAnyWhere() {}


@@ -0,0 +1 @@
module.exports = function notImportedAnywhere() {}


@@ -0,0 +1,3 @@
module.exports = function thisIsRequiredFromMain() {}
module.exports.foo = function alsoExported() {}


@@ -0,0 +1 @@
module.exports = function alsoNotExported() {}


@@ -0,0 +1,17 @@
module.exports = function isExported() {}
module.exports.foo = require("./foo.js")
module.exports.bar = class Bar {
constructor() {} // all are exported
static staticMethod() {}
instanceMethod() {}
}
class Baz {
constructor() {} // not exported
static staticMethod() {} // not exported
instanceMethod() {} // exported
}
module.exports.Baz = new Baz()


@@ -0,0 +1,3 @@
{
"main": "main.js"
}


@@ -0,0 +1,3 @@
{
"main": "sublib.js"
}


@@ -0,0 +1 @@
module.exports = function exportedInSublibButIsNotAMainPackageExport() {}


@@ -0,0 +1,31 @@
getTopmostPackageJSON
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} |
getAValueExportedBy
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:1:1:1:0 | this |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:1:1:1:53 | module. ... in() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:1:18:1:53 | functio ... in() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:1:3:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:1:3:18 | module.exports.foo |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:22:3:21 | this |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:22:3:47 | functio ... ed() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:1:1:1:0 | this |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:1:1:1:41 | module. ... ed() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:1:18:1:41 | functio ... ed() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:1:3:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:1:3:18 | module.exports.foo |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:1:3:40 | module. ... oo.js") |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:22:3:40 | require("./foo.js") |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:5:1:5:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:5:1:5:18 | module.exports.bar |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:5:22:9:1 | class B ... () {}\\n} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:6:16:6:20 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:7:5:7:28 | static ... od() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:7:24:7:28 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:8:19:8:23 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:14:19:14:23 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:17:1:17:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:17:1:17:18 | module.exports.Baz |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:17:22:17:30 | new Baz() |
| lib1/sublib/package.json:1:1:3:1 | {\\n " ... b.js"\\n} | lib1/sublib/sublib.js:1:1:1:0 | this |
| lib1/sublib/package.json:1:1:3:1 | {\\n " ... b.js"\\n} | lib1/sublib/sublib.js:1:1:1:73 | module. ... rt() {} |
| lib1/sublib/package.json:1:1:3:1 | {\\n " ... b.js"\\n} | lib1/sublib/sublib.js:1:18:1:73 | functio ... rt() {} |


@@ -0,0 +1,8 @@
import javascript
import semmle.javascript.PackageExports as Exports
query PackageJSON getTopmostPackageJSON() { result = Exports::getTopmostPackageJSON() }
query DataFlow::Node getAValueExportedBy(PackageJSON json) {
result = Exports::getAValueExportedBy(json)
}


@@ -3,6 +3,7 @@ nodes
| child_process-test.js:6:15:6:38 | url.par ... , true) |
| child_process-test.js:6:15:6:44 | url.par ... ).query |
| child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:25:6:31 | req.url |
| child_process-test.js:6:25:6:31 | req.url |
| child_process-test.js:17:13:17:15 | cmd |
@@ -130,6 +131,7 @@ edges
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:54:46:54:48 | cmd |
| child_process-test.js:6:15:6:38 | url.par ... , true) | child_process-test.js:6:15:6:44 | url.par ... ).query |
| child_process-test.js:6:15:6:44 | url.par ... ).query | child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:15:6:44 | url.par ... ).query | child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:15:6:49 | url.par ... ry.path | child_process-test.js:6:9:6:49 | cmd |
| child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
| child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
@@ -221,6 +223,7 @@ edges
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:25:53:58 | ['/C', ... , cmd]) | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:46:53:57 | ["bar", cmd] | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:54:53:56 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:49 | url.par ... ry.path | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:54:25:54:49 | ['/C', ... at(cmd) | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:59:5:59:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:50:15:50:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:64:3:64:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |


@@ -0,0 +1,435 @@
nodes
| lib/lib2.js:3:28:3:31 | name |
| lib/lib2.js:3:28:3:31 | name |
| lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:7:32:7:35 | name |
| lib/lib2.js:7:32:7:35 | name |
| lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:8:22:8:25 | name |
| lib/lib.js:3:28:3:31 | name |
| lib/lib.js:3:28:3:31 | name |
| lib/lib.js:4:22:4:25 | name |
| lib/lib.js:4:22:4:25 | name |
| lib/lib.js:10:32:10:35 | name |
| lib/lib.js:10:32:10:35 | name |
| lib/lib.js:11:22:11:25 | name |
| lib/lib.js:11:22:11:25 | name |
| lib/lib.js:14:36:14:39 | name |
| lib/lib.js:14:36:14:39 | name |
| lib/lib.js:15:22:15:25 | name |
| lib/lib.js:15:22:15:25 | name |
| lib/lib.js:19:34:19:37 | name |
| lib/lib.js:19:34:19:37 | name |
| lib/lib.js:20:22:20:25 | name |
| lib/lib.js:20:22:20:25 | name |
| lib/lib.js:26:35:26:38 | name |
| lib/lib.js:26:35:26:38 | name |
| lib/lib.js:27:22:27:25 | name |
| lib/lib.js:27:22:27:25 | name |
| lib/lib.js:34:14:34:17 | name |
| lib/lib.js:34:14:34:17 | name |
| lib/lib.js:35:23:35:26 | name |
| lib/lib.js:35:23:35:26 | name |
| lib/lib.js:37:13:37:16 | name |
| lib/lib.js:37:13:37:16 | name |
| lib/lib.js:38:23:38:26 | name |
| lib/lib.js:38:23:38:26 | name |
| lib/lib.js:40:6:40:9 | name |
| lib/lib.js:40:6:40:9 | name |
| lib/lib.js:41:23:41:26 | name |
| lib/lib.js:41:23:41:26 | name |
| lib/lib.js:49:31:49:34 | name |
| lib/lib.js:49:31:49:34 | name |
| lib/lib.js:50:47:50:50 | name |
| lib/lib.js:50:47:50:50 | name |
| lib/lib.js:53:33:53:36 | name |
| lib/lib.js:53:33:53:36 | name |
| lib/lib.js:54:25:54:28 | name |
| lib/lib.js:54:25:54:28 | name |
| lib/lib.js:57:25:57:28 | name |
| lib/lib.js:57:25:57:28 | name |
| lib/lib.js:64:41:64:44 | name |
| lib/lib.js:64:41:64:44 | name |
| lib/lib.js:65:22:65:25 | name |
| lib/lib.js:65:22:65:25 | name |
| lib/lib.js:71:28:71:31 | name |
| lib/lib.js:71:28:71:31 | name |
| lib/lib.js:73:21:73:24 | name |
| lib/lib.js:73:21:73:24 | name |
| lib/lib.js:75:20:75:23 | name |
| lib/lib.js:75:20:75:23 | name |
| lib/lib.js:77:28:77:31 | name |
| lib/lib.js:77:28:77:31 | name |
| lib/lib.js:82:35:82:38 | name |
| lib/lib.js:82:35:82:38 | name |
| lib/lib.js:83:22:83:25 | name |
| lib/lib.js:83:22:83:25 | name |
| lib/lib.js:86:13:86:16 | name |
| lib/lib.js:86:13:86:16 | name |
| lib/lib.js:89:21:89:24 | name |
| lib/lib.js:89:21:89:24 | name |
| lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:91:28:91:31 | name |
| lib/lib.js:97:35:97:38 | name |
| lib/lib.js:97:35:97:38 | name |
| lib/lib.js:98:35:98:38 | name |
| lib/lib.js:98:35:98:38 | name |
| lib/lib.js:100:37:100:40 | name |
| lib/lib.js:100:37:100:40 | name |
| lib/lib.js:102:46:102:49 | name |
| lib/lib.js:102:46:102:49 | name |
| lib/lib.js:108:41:108:44 | name |
| lib/lib.js:108:41:108:44 | name |
| lib/lib.js:111:34:111:37 | name |
| lib/lib.js:111:34:111:37 | name |
| lib/lib.js:112:22:112:25 | name |
| lib/lib.js:112:22:112:25 | name |
| lib/lib.js:120:33:120:36 | name |
| lib/lib.js:120:33:120:36 | name |
| lib/lib.js:121:22:121:25 | name |
| lib/lib.js:121:22:121:25 | name |
| lib/lib.js:130:6:130:9 | name |
| lib/lib.js:130:6:130:9 | name |
| lib/lib.js:131:23:131:26 | name |
| lib/lib.js:131:23:131:26 | name |
| lib/lib.js:148:37:148:40 | name |
| lib/lib.js:148:37:148:40 | name |
| lib/lib.js:149:24:149:27 | name |
| lib/lib.js:149:24:149:27 | name |
| lib/lib.js:155:38:155:41 | name |
| lib/lib.js:155:38:155:41 | name |
| lib/lib.js:161:25:161:28 | name |
| lib/lib.js:161:25:161:28 | name |
| lib/lib.js:170:41:170:44 | name |
| lib/lib.js:170:41:170:44 | name |
| lib/lib.js:173:20:173:23 | name |
| lib/lib.js:173:20:173:23 | name |
| lib/lib.js:177:38:177:41 | name |
| lib/lib.js:177:38:177:41 | name |
| lib/lib.js:181:6:181:52 | broken |
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" |
| lib/lib.js:181:21:181:24 | name |
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
| lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:186:34:186:37 | name |
| lib/lib.js:186:34:186:37 | name |
| lib/lib.js:187:22:187:25 | name |
| lib/lib.js:187:22:187:25 | name |
| lib/lib.js:190:23:190:26 | name |
| lib/lib.js:190:23:190:26 | name |
| lib/lib.js:196:45:196:48 | name |
| lib/lib.js:196:45:196:48 | name |
| lib/lib.js:197:22:197:25 | name |
| lib/lib.js:197:22:197:25 | name |
| lib/lib.js:200:23:200:26 | name |
| lib/lib.js:200:23:200:26 | name |
| lib/lib.js:206:45:206:48 | name |
| lib/lib.js:206:45:206:48 | name |
| lib/lib.js:207:22:207:25 | name |
| lib/lib.js:207:22:207:25 | name |
| lib/lib.js:212:23:212:26 | name |
| lib/lib.js:212:23:212:26 | name |
| lib/lib.js:216:39:216:42 | name |
| lib/lib.js:216:39:216:42 | name |
| lib/lib.js:217:22:217:25 | name |
| lib/lib.js:217:22:217:25 | name |
| lib/lib.js:220:23:220:26 | name |
| lib/lib.js:220:23:220:26 | name |
| lib/lib.js:224:22:224:25 | name |
| lib/lib.js:224:22:224:25 | name |
| lib/lib.js:227:39:227:42 | name |
| lib/lib.js:227:39:227:42 | name |
| lib/lib.js:228:22:228:25 | name |
| lib/lib.js:228:22:228:25 | name |
| lib/lib.js:236:22:236:25 | name |
| lib/lib.js:236:22:236:25 | name |
| lib/lib.js:248:42:248:45 | name |
| lib/lib.js:248:42:248:45 | name |
| lib/lib.js:249:22:249:25 | name |
| lib/lib.js:249:22:249:25 | name |
| lib/lib.js:257:35:257:38 | name |
| lib/lib.js:257:35:257:38 | name |
| lib/lib.js:258:22:258:25 | name |
| lib/lib.js:258:22:258:25 | name |
| lib/lib.js:261:30:261:33 | name |
| lib/lib.js:261:30:261:33 | name |
| lib/lib.js:267:46:267:48 | obj |
| lib/lib.js:267:46:267:48 | obj |
| lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:276:8:276:11 | opts |
| lib/lib.js:276:8:276:11 | opts |
| lib/lib.js:277:23:277:26 | opts |
| lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:307:39:307:42 | name |
| lib/lib.js:307:39:307:42 | name |
| lib/lib.js:308:23:308:26 | name |
| lib/lib.js:308:23:308:26 | name |
edges
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:91:28:91:31 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:91:28:91:31 | name |
| lib/lib.js:91:28:91:31 | name | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:91:28:91:31 | name | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:177:38:177:41 | name | lib/lib.js:181:21:181:24 | name |
| lib/lib.js:177:38:177:41 | name | lib/lib.js:181:21:181:24 | name |
| lib/lib.js:181:6:181:52 | broken | lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:181:6:181:52 | broken | lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" | lib/lib.js:181:6:181:52 | broken |
| lib/lib.js:181:21:181:24 | name | lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") | lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:268:22:268:24 | obj | lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:268:22:268:24 | obj | lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj | lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj | lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
| lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
| lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
#select
| lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
| lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |
| lib/lib.js:4:10:4:25 | "rm -rf " + name | lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib.js:4:2:4:26 | cp.exec ... + name) | shell command |
| lib/lib.js:11:10:11:25 | "rm -rf " + name | lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:11:10:11:25 | "rm -rf " + name | String concatenation | lib/lib.js:11:2:11:26 | cp.exec ... + name) | shell command |
| lib/lib.js:15:10:15:25 | "rm -rf " + name | lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:15:10:15:25 | "rm -rf " + name | String concatenation | lib/lib.js:15:2:15:26 | cp.exec ... + name) | shell command |
| lib/lib.js:20:10:20:25 | "rm -rf " + name | lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:20:10:20:25 | "rm -rf " + name | String concatenation | lib/lib.js:20:2:20:26 | cp.exec ... + name) | shell command |
| lib/lib.js:27:10:27:25 | "rm -rf " + name | lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:27:10:27:25 | "rm -rf " + name | String concatenation | lib/lib.js:27:2:27:26 | cp.exec ... + name) | shell command |
| lib/lib.js:35:11:35:26 | "rm -rf " + name | lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:35:11:35:26 | "rm -rf " + name | String concatenation | lib/lib.js:35:3:35:27 | cp.exec ... + name) | shell command |
| lib/lib.js:38:11:38:26 | "rm -rf " + name | lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:38:11:38:26 | "rm -rf " + name | String concatenation | lib/lib.js:38:3:38:27 | cp.exec ... + name) | shell command |
| lib/lib.js:41:11:41:26 | "rm -rf " + name | lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:41:11:41:26 | "rm -rf " + name | String concatenation | lib/lib.js:41:3:41:27 | cp.exec ... + name) | shell command |
| lib/lib.js:50:35:50:50 | "rm -rf " + name | lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name | $@ based on libary input is later used in $@. | lib/lib.js:50:35:50:50 | "rm -rf " + name | String concatenation | lib/lib.js:50:2:50:51 | require ... + name) | shell command |
| lib/lib.js:54:13:54:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name | $@ based on libary input is later used in $@. | lib/lib.js:54:13:54:28 | "rm -rf " + name | String concatenation | lib/lib.js:55:2:55:14 | cp.exec(cmd1) | shell command |
| lib/lib.js:57:13:57:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name | $@ based on libary input is later used in $@. | lib/lib.js:57:13:57:28 | "rm -rf " + name | String concatenation | lib/lib.js:59:3:59:14 | cp.exec(cmd) | shell command |
| lib/lib.js:65:10:65:25 | "rm -rf " + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:65:10:65:25 | "rm -rf " + name | String concatenation | lib/lib.js:65:2:65:26 | cp.exec ... + name) | shell command |
| lib/lib.js:71:10:71:31 | "cat /f ... + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name | $@ based on libary input is later used in $@. | lib/lib.js:71:10:71:31 | "cat /f ... + name | String concatenation | lib/lib.js:71:2:71:32 | cp.exec ... + name) | shell command |
| lib/lib.js:73:10:73:31 | "cat \\" ... + "\\"" | lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name | $@ based on libary input is later used in $@. | lib/lib.js:73:10:73:31 | "cat \\" ... + "\\"" | String concatenation | lib/lib.js:73:2:73:32 | cp.exec ... + "\\"") | shell command |
| lib/lib.js:75:10:75:29 | "cat '" + name + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name | $@ based on libary input is later used in $@. | lib/lib.js:75:10:75:29 | "cat '" + name + "'" | String concatenation | lib/lib.js:75:2:75:30 | cp.exec ... + "'") | shell command |
| lib/lib.js:77:10:77:37 | "cat '/ ... e + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name | $@ based on libary input is later used in $@. | lib/lib.js:77:10:77:37 | "cat '/ ... e + "'" | String concatenation | lib/lib.js:77:2:77:38 | cp.exec ... + "'") | shell command |
| lib/lib.js:83:10:83:25 | "rm -rf " + name | lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:83:10:83:25 | "rm -rf " + name | String concatenation | lib/lib.js:83:2:83:26 | cp.exec ... + name) | shell command |
| lib/lib.js:86:13:86:16 | name | lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name | $@ based on libary input is later used in $@. | lib/lib.js:86:13:86:16 | name | Array element | lib/lib.js:87:2:87:25 | cp.exec ... n(" ")) | shell command |
| lib/lib.js:89:21:89:24 | name | lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name | $@ based on libary input is later used in $@. | lib/lib.js:89:21:89:24 | name | Array element | lib/lib.js:89:2:89:36 | cp.exec ... n(" ")) | shell command |
| lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | lib/lib.js:82:35:82:38 | name | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | $@ based on libary input is later used in $@. | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | Array element | lib/lib.js:91:2:91:50 | cp.exec ... n(" ")) | shell command |
| lib/lib.js:98:35:98:38 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name | $@ based on libary input is later used in $@. | lib/lib.js:98:35:98:38 | name | Formatted string | lib/lib.js:98:2:98:40 | cp.exec ... name)) | shell command |
| lib/lib.js:100:37:100:40 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name | $@ based on libary input is later used in $@. | lib/lib.js:100:37:100:40 | name | Formatted string | lib/lib.js:100:2:100:42 | cp.exec ... name)) | shell command |
| lib/lib.js:102:46:102:49 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name | $@ based on libary input is later used in $@. | lib/lib.js:102:46:102:49 | name | Formatted string | lib/lib.js:102:2:102:51 | cp.exec ... name)) | shell command |
| lib/lib.js:108:41:108:44 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name | $@ based on libary input is later used in $@. | lib/lib.js:108:41:108:44 | name | Formatted string | lib/lib.js:108:2:108:46 | cp.exec ... name)) | shell command |
| lib/lib.js:112:10:112:25 | "rm -rf " + name | lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:112:10:112:25 | "rm -rf " + name | String concatenation | lib/lib.js:112:2:112:26 | cp.exec ... + name) | shell command |
| lib/lib.js:121:10:121:25 | "rm -rf " + name | lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:121:10:121:25 | "rm -rf " + name | String concatenation | lib/lib.js:121:2:121:26 | cp.exec ... + name) | shell command |
| lib/lib.js:131:11:131:26 | "rm -rf " + name | lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:131:11:131:26 | "rm -rf " + name | String concatenation | lib/lib.js:131:3:131:27 | cp.exec ... + name) | shell command |
| lib/lib.js:149:12:149:27 | "rm -rf " + name | lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name | $@ based on libary input is later used in $@. | lib/lib.js:149:12:149:27 | "rm -rf " + name | String concatenation | lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) | shell command |
| lib/lib.js:161:13:161:28 | "rm -rf " + name | lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name | $@ based on libary input is later used in $@. | lib/lib.js:161:13:161:28 | "rm -rf " + name | String concatenation | lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) | shell command |
| lib/lib.js:173:10:173:23 | "fo \| " + name | lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name | $@ based on libary input is later used in $@. | lib/lib.js:173:10:173:23 | "fo \| " + name | String concatenation | lib/lib.js:173:2:173:24 | cp.exec ... + name) | shell command |
| lib/lib.js:182:10:182:27 | "rm -rf " + broken | lib/lib.js:177:38:177:41 | name | lib/lib.js:182:22:182:27 | broken | $@ based on libary input is later used in $@. | lib/lib.js:182:10:182:27 | "rm -rf " + broken | String concatenation | lib/lib.js:182:2:182:28 | cp.exec ... broken) | shell command |
| lib/lib.js:187:10:187:25 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:187:10:187:25 | "rm -rf " + name | String concatenation | lib/lib.js:187:2:187:26 | cp.exec ... + name) | shell command |
| lib/lib.js:190:11:190:26 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:190:11:190:26 | "rm -rf " + name | String concatenation | lib/lib.js:190:3:190:27 | cp.exec ... + name) | shell command |
| lib/lib.js:197:10:197:25 | "rm -rf " + name | lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:197:10:197:25 | "rm -rf " + name | String concatenation | lib/lib.js:197:2:197:26 | cp.exec ... + name) | shell command |
| lib/lib.js:200:11:200:26 | "rm -rf " + name | lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:200:11:200:26 | "rm -rf " + name | String concatenation | lib/lib.js:200:3:200:27 | cp.exec ... + name) | shell command |
| lib/lib.js:207:10:207:25 | "rm -rf " + name | lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:207:10:207:25 | "rm -rf " + name | String concatenation | lib/lib.js:207:2:207:26 | cp.exec ... + name) | shell command |
| lib/lib.js:212:11:212:26 | "rm -rf " + name | lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:212:11:212:26 | "rm -rf " + name | String concatenation | lib/lib.js:212:3:212:27 | cp.exec ... + name) | shell command |
| lib/lib.js:217:10:217:25 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:217:10:217:25 | "rm -rf " + name | String concatenation | lib/lib.js:217:2:217:26 | cp.exec ... + name) | shell command |
| lib/lib.js:220:11:220:26 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:220:11:220:26 | "rm -rf " + name | String concatenation | lib/lib.js:220:3:220:27 | cp.exec ... + name) | shell command |
| lib/lib.js:224:10:224:25 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:224:10:224:25 | "rm -rf " + name | String concatenation | lib/lib.js:224:2:224:26 | cp.exec ... + name) | shell command |
| lib/lib.js:228:10:228:25 | "rm -rf " + name | lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:228:10:228:25 | "rm -rf " + name | String concatenation | lib/lib.js:228:2:228:26 | cp.exec ... + name) | shell command |
| lib/lib.js:236:10:236:25 | "rm -rf " + name | lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:236:10:236:25 | "rm -rf " + name | String concatenation | lib/lib.js:236:2:236:26 | cp.exec ... + name) | shell command |
| lib/lib.js:249:10:249:25 | "rm -rf " + name | lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:249:10:249:25 | "rm -rf " + name | String concatenation | lib/lib.js:249:2:249:26 | cp.exec ... + name) | shell command |
| lib/lib.js:258:10:258:25 | "rm -rf " + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:258:10:258:25 | "rm -rf " + name | String concatenation | lib/lib.js:258:2:258:26 | cp.exec ... + name) | shell command |
| lib/lib.js:261:11:261:33 | "rm -rf ... + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name | $@ based on libary input is later used in $@. | lib/lib.js:261:11:261:33 | "rm -rf ... + name | String concatenation | lib/lib.js:261:3:261:34 | cp.exec ... + name) | shell command |
| lib/lib.js:268:10:268:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:268:10:268:32 | "rm -rf ... version | String concatenation | lib/lib.js:268:2:268:33 | cp.exec ... ersion) | shell command |
| lib/lib.js:272:10:272:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:272:10:272:32 | "rm -rf ... version | String concatenation | lib/lib.js:272:2:272:33 | cp.exec ... ersion) | shell command |
| lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:30 | opts.bla | $@ based on libary input is later used in $@. | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | String concatenation | lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) | shell command |
| lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:308:11:308:26 | "rm -rf " + name | String concatenation | lib/lib.js:308:3:308:27 | cp.exec ... + name) | shell command |


@@ -0,0 +1 @@
Security/CWE-078/UnsafeShellCommandConstruction.ql


@@ -1,4 +1,8 @@
readFile
| lib/lib.js:71:2:71:32 | cp.exec ... + name) | fs.readFile("/foO/BAR/" + name) |
| lib/lib.js:73:2:73:32 | cp.exec ... + "\\"") | fs.readFile(""" + name + """) |
| lib/lib.js:75:2:75:30 | cp.exec ... + "'") | fs.readFile("'" + name + "'") |
| lib/lib.js:77:2:77:38 | cp.exec ... + "'") | fs.readFile("'/foo/bar" + name + "'") |
| uselesscat.js:10:1:10:43 | exec("c ... ut) {}) | fs.readFile("foo/bar", function(err, out) {...}) |
| uselesscat.js:12:1:14:2 | exec("c ... ut);\\n}) | fs.readFile("/proc/" + id + "/status", function(err, out) {...}) |
| uselesscat.js:16:1:16:29 | execSyn ... uinfo') | fs.readFileSync("/proc/cpuinfo") |
@@ -89,6 +93,9 @@ options
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:53:25:53:58 | ['/C', ... , cmd]) |
| child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:54:25:54:49 | ['/C', ... at(cmd) |
| child_process-test.js:64:3:64:21 | cp.spawn(cmd, args) | child_process-test.js:64:17:64:20 | args |
| lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) | lib/lib.js:152:21:152:22 | cb |
| lib/lib.js:159:2:159:23 | cp.spaw ... gs, cb) | lib/lib.js:159:21:159:22 | cb |
| lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) | lib/lib.js:166:3:166:22 | { stdio: 'inherit' } |
| uselesscat.js:28:1:28:39 | execSyn ... 1000}) | uselesscat.js:28:28:28:38 | {uid: 1000} |
| uselesscat.js:30:1:30:64 | exec('c ... t) { }) | uselesscat.js:30:26:30:38 | { cwd: './' } |
| uselesscat.js:34:1:34:54 | execSyn ... utf8'}) | uselesscat.js:34:36:34:53 | {encoding: 'utf8'} |


@@ -0,0 +1,312 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK
cp.execFile(name, [name]); // OK
cp.execFile(name, name); // OK
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports.foo.bar = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
function cla() { }
cla.prototype.method = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports = new cla();
function cla2() { }
cla2.prototype.method = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports.bla = new cla2();
module.exports.lib2 = require("./lib2.js")
class Cla3 {
constructor(name) {
cp.exec("rm -rf " + name); // NOT OK
}
static foo(name) {
cp.exec("rm -rf " + name); // NOT OK
}
bar(name) {
cp.exec("rm -rf " + name); // NOT OK
cp.exec("rm -rf " + notASource); // OK
}
}
module.exports.cla3 = Cla3;
module.exports.mz = function (name) {
require("mz/child_process").exec("rm -rf " + name); // NOT OK.
}
module.exports.flow = function (name) {
var cmd1 = "rm -rf " + name;
cp.exec(cmd1); // NOT OK.
var cmd2 = "rm -rf " + name;
function myExec(cmd) {
cp.exec(cmd); // NOT OK.
}
myExec(cmd2);
}
module.exports.stringConcat = function (name) {
cp.exec("rm -rf " + name); // NOT OK.
cp.exec(name); // OK.
cp.exec("for foo in (" + name + ") do bla end"); // OK.
cp.exec("cat /foO/BAR/" + name) // NOT OK.
cp.exec("cat \"" + name + "\"") // NOT OK.
cp.exec("cat '" + name + "'") // NOT OK.
cp.exec("cat '/foo/bar" + name + "'") // NOT OK.
cp.exec(name + " some file") // OK.
}
module.exports.arrays = function (name) {
cp.exec("rm -rf " + name); // NOT OK.
var args1 = ["node"];
args1.push(name);
cp.exec(args1.join(" ")); // NOT OK.
cp.exec(["rm -rf", name].join(" ")); // NOT OK.
cp.exec(["rm -rf", "\"" + name + "\""].join(" ")); // NOT OK.
cp.execFile("rm", ["-rf", name]); // OK
}
var util = require("util");
module.exports.format = function (name) {
cp.exec(util.format("rm -rf %s", name)); // NOT OK
cp.exec(util.format("rm -rf '%s'", name)); // NOT OK
cp.exec(util.format("rm -rf '/foo/bar/%s'", name)); // NOT OK
cp.exec(util.format("%s foo/bar", name)); // OK
cp.exec(util.format("for foo in (%s) do bar end", name)); // OK
cp.exec(require("printf")('rm -rf %s', name)); // NOT OK
}
module.exports.valid = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!isValidName(name)) {
return;
}
cp.exec("rm -rf " + name); // OK
}
module.exports.safe = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!isSafeName(name)) {
return;
}
cp.exec("rm -rf " + name); // OK
}
class Cla4 {
wha(name) {
cp.exec("rm -rf " + name); // NOT OK
}
static bla(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
constructor(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
}
module.exports.cla4 = new Cla4();
function Cla5(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
module.exports.cla5 = new Cla5();
module.exports.indirect = function (name) {
let cmd = "rm -rf " + name;
let sh = "sh";
let args = ["-c", cmd];
cp.spawn(sh, args, cb); // NOT OK
}
module.exports.indirect2 = function (name) {
let cmd = name;
let sh = "sh";
let args = ["-c", cmd];
cp.spawn(sh, args, cb); // OK
let cmd2 = "rm -rf " + name;
var args2 = [cmd2];
cp.spawn(
'cmd.exe',
['/C', editor].concat(args2),
{ stdio: 'inherit' }
);
}
module.exports.cmd = function (command, name) {
cp.exec("fo | " + command); // OK
cp.exec("fo | " + name); // NOT OK
}
module.exports.sanitizer = function (name) {
var sanitized = "'" + name.replace(/'/g, "'\\''") + "'"
cp.exec("rm -rf " + sanitized); // OK
var broken = "'" + name.replace(/'/g, "'\''") + "'"
cp.exec("rm -rf " + broken); // NOT OK
}
var path = require("path");
module.exports.guard = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!path.exist(name)) {
cp.exec("rm -rf " + name); // NOT OK
return;
}
cp.exec("rm -rf " + name); // OK
}
module.exports.blacklistOfChars = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (/[^A-Za-z0-9_\/:=-]/.test(name)) {
cp.exec("rm -rf " + name); // NOT OK
} else {
cp.exec("rm -rf " + name); // OK
}
}
module.exports.whitelistOfChars = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (/^[A-Za-z0-9_\/:=-]$/.test(name)) {
cp.exec("rm -rf " + name); // OK
} else {
cp.exec("rm -rf " + name); // NOT OK
}
}
module.exports.blackList2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!/^([a-zA-Z0-9]+))?$/.test(name)) {
cp.exec("rm -rf " + name); // NOT OK
process.exit(-1);
}
cp.exec("rm -rf " + name); // OK - but FP due to tracking flow through `process.exit()`.
}
module.exports.accessSync = function (name) {
cp.exec("rm -rf " + name); // NOT OK
try {
path.accessSync(name);
} catch (e) {
return;
}
cp.exec("rm -rf " + name); // OK - but FP due to `path.accessSync` not being recognized as a sanitizer.
}
var cleanInput = function (s) {
if (/[^A-Za-z0-9_\/:=-]/.test(s)) {
s = "'" + s.replace(/'/g, "'\\''") + "'";
s = s.replace(/^(?:'')+/g, '') // unduplicate single-quote at the beginning
.replace(/\\'''/g, "\\'"); // remove non-escaped single-quote if there are enclosed between 2 escaped
}
return s;
}
module.exports.goodSanitizer = function (name) {
cp.exec("rm -rf " + name); // NOT OK
var cleaned = cleanInput(name);
cp.exec("rm -rf " + cleaned); // OK
}
var fs = require("fs");
module.exports.guard2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!fs.existsSync("prefix/" + name)) {
cp.exec("rm -rf prefix/" + name); // NOT OK
return;
}
cp.exec("rm -rf prefix/" + name); // OK
}
module.exports.sanitizerProperty = function (obj) {
cp.exec("rm -rf " + obj.version); // NOT OK
obj.version = "";
cp.exec("rm -rf " + obj.version); // OK - but FP
}
module.exports.Foo = class Foo {
start(opts) {
cp.exec("rm -rf " + opts.bla); // NOT OK
this.opts = {};
this.opts.bla = opts.bla
cp.exec("rm -rf " + this.opts.bla); // NOT OK - but FN
}
}
function sanitizeShellString(str) {
let result = str;
result = result.replace(/>/g, "");
result = result.replace(/</g, "");
result = result.replace(/\*/g, "");
result = result.replace(/\?/g, "");
result = result.replace(/\[/g, "");
result = result.replace(/\]/g, "");
result = result.replace(/\|/g, "");
result = result.replace(/\`/g, "");
result = result.replace(/$/g, "");
result = result.replace(/;/g, "");
result = result.replace(/&/g, "");
result = result.replace(/\)/g, "");
result = result.replace(/\(/g, "");
result = result.replace(/\$/g, "");
result = result.replace(/#/g, "");
result = result.replace(/\\/g, "");
result = result.replace(/\n/g, "");
return result
}
module.exports.sanitizer2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
var sanitized = sanitizeShellString(name);
cp.exec("rm -rf " + sanitized); // OK
}


@@ -0,0 +1,9 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK - is imported from main module.
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // NOT OK - is imported from main module.
};
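Review bot: The `require("child_process")` statement on the first line of this hunk has no terminating semicolon and relies on ASI, while every other statement in the file ends with `;`; the same line recurs at the top of the next two small fixture files. For consistency with the rest of the test sources, `var cp = require("child_process");` would be preferable. This is cosmetic and does not affect what the query is expected to flag here.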


@@ -0,0 +1,5 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // OK, is not exported to a main-module.
};


@@ -0,0 +1,5 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // OK - this file belongs in a sub-"module", and is not the primary exported module.
};


@@ -0,0 +1,5 @@
{
"name": "mySubLib",
"version": "0.0.7",
"main": "./index.js"
}


@@ -0,0 +1,5 @@
{
"name": "myLib",
"version": "0.0.7",
"main": "./lib/lib.js"
}