Merge pull request #3447 from erik-krogh/LibCmdInjection

Approved by asgerf, mchammer01
semmle-qlci
2020-05-22 17:10:57 +01:00
committed by GitHub
31 changed files with 1267 additions and 6 deletions


@@ -0,0 +1 @@
module.exports = function notExportedAnyWhere() {}


@@ -0,0 +1 @@
module.exports = function notImportedAnywhere() {}


@@ -0,0 +1,3 @@
module.exports = function thisIsRequiredFromMain() {}
module.exports.foo = function alsoExported() {}


@@ -0,0 +1 @@
module.exports = function alsoNotExported() {}


@@ -0,0 +1,17 @@
module.exports = function isExported() {}
module.exports.foo = require("./foo.js")
module.exports.bar = class Bar {
constructor() {} // all are exported
static staticMethod() {}
instanceMethod() {}
}
class Baz {
constructor() {} // not exported
static staticMethod() {} // not exported
instanceMethod() {} // exported
}
module.exports.Baz = new Baz()
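Review bot: The comments on `class Baz` mark its constructor and `staticMethod` as not exported, yet a consumer holding the exported instance can still reach the class through `module.exports.Baz.constructor`, so both are reachable at runtime. If leaving them out is a deliberate precision trade-off in the export model, the fixture should say so, for example `constructor() {} // not exported (reachable via instance.constructor; intentionally not modelled)`. Without that, parameters of those two functions would presumably not be treated as library inputs by any query built on this export set.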


@@ -0,0 +1,3 @@
{
"main": "main.js"
}


@@ -0,0 +1,3 @@
{
"main": "sublib.js"
}


@@ -0,0 +1 @@
module.exports = function exportedInSublibButIsNotAMainPackageExport() {}


@@ -0,0 +1,31 @@
getTopmostPackageJSON
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} |
getAValueExportedBy
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:1:1:1:0 | this |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:1:1:1:53 | module. ... in() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:1:18:1:53 | functio ... in() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:1:3:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:1:3:18 | module.exports.foo |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:22:3:21 | this |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/foo.js:3:22:3:47 | functio ... ed() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:1:1:1:0 | this |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:1:1:1:41 | module. ... ed() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:1:18:1:41 | functio ... ed() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:1:3:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:1:3:18 | module.exports.foo |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:1:3:40 | module. ... oo.js") |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:3:22:3:40 | require("./foo.js") |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:5:1:5:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:5:1:5:18 | module.exports.bar |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:5:22:9:1 | class B ... () {}\\n} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:6:16:6:20 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:7:5:7:28 | static ... od() {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:7:24:7:28 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:8:19:8:23 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:14:19:14:23 | () {} |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:17:1:17:14 | module.exports |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:17:1:17:18 | module.exports.Baz |
| lib1/package.json:1:1:3:1 | {\\n " ... n.js"\\n} | lib1/main.js:17:22:17:30 | new Baz() |
| lib1/sublib/package.json:1:1:3:1 | {\\n " ... b.js"\\n} | lib1/sublib/sublib.js:1:1:1:0 | this |
| lib1/sublib/package.json:1:1:3:1 | {\\n " ... b.js"\\n} | lib1/sublib/sublib.js:1:1:1:73 | module. ... rt() {} |
| lib1/sublib/package.json:1:1:3:1 | {\\n " ... b.js"\\n} | lib1/sublib/sublib.js:1:18:1:73 | functio ... rt() {} |


@@ -0,0 +1,8 @@
import javascript
import semmle.javascript.PackageExports as Exports
query PackageJSON getTopmostPackageJSON() { result = Exports::getTopmostPackageJSON() }
query DataFlow::Node getAValueExportedBy(PackageJSON json) {
result = Exports::getAValueExportedBy(json)
}
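Review bot: `getAValueExportedBy` is exercised here only against CommonJS `module.exports` fixtures whose package.json names an explicit `main`. No fixture visible on this page covers a package.json without `main` (the `index.js` default) or ES module `export` declarations. If the other files in this commit do not cover those either, fixtures for them are worth adding, since any export form the predicate misses is presumably also missed as a library-input source by the command-injection query this pull request introduces. A short comment above the predicate, such as `// Expected: only values reachable from each package's main module`, would also record the intent.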


@@ -3,6 +3,7 @@ nodes
| child_process-test.js:6:15:6:38 | url.par ... , true) |
| child_process-test.js:6:15:6:44 | url.par ... ).query |
| child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:25:6:31 | req.url |
| child_process-test.js:6:25:6:31 | req.url |
| child_process-test.js:17:13:17:15 | cmd |
@@ -130,6 +131,7 @@ edges
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:54:46:54:48 | cmd |
| child_process-test.js:6:15:6:38 | url.par ... , true) | child_process-test.js:6:15:6:44 | url.par ... ).query |
| child_process-test.js:6:15:6:44 | url.par ... ).query | child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:15:6:44 | url.par ... ).query | child_process-test.js:6:15:6:49 | url.par ... ry.path |
| child_process-test.js:6:15:6:49 | url.par ... ry.path | child_process-test.js:6:9:6:49 | cmd |
| child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
| child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
@@ -221,6 +223,7 @@ edges
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:25:53:58 | ['/C', ... , cmd]) | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:46:53:57 | ["bar", cmd] | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:54:53:56 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:49 | url.par ... ry.path | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:54:25:54:49 | ['/C', ... at(cmd) | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:59:5:59:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:50:15:50:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:64:3:64:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |


@@ -0,0 +1,435 @@
nodes
| lib/lib2.js:3:28:3:31 | name |
| lib/lib2.js:3:28:3:31 | name |
| lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:7:32:7:35 | name |
| lib/lib2.js:7:32:7:35 | name |
| lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:8:22:8:25 | name |
| lib/lib.js:3:28:3:31 | name |
| lib/lib.js:3:28:3:31 | name |
| lib/lib.js:4:22:4:25 | name |
| lib/lib.js:4:22:4:25 | name |
| lib/lib.js:10:32:10:35 | name |
| lib/lib.js:10:32:10:35 | name |
| lib/lib.js:11:22:11:25 | name |
| lib/lib.js:11:22:11:25 | name |
| lib/lib.js:14:36:14:39 | name |
| lib/lib.js:14:36:14:39 | name |
| lib/lib.js:15:22:15:25 | name |
| lib/lib.js:15:22:15:25 | name |
| lib/lib.js:19:34:19:37 | name |
| lib/lib.js:19:34:19:37 | name |
| lib/lib.js:20:22:20:25 | name |
| lib/lib.js:20:22:20:25 | name |
| lib/lib.js:26:35:26:38 | name |
| lib/lib.js:26:35:26:38 | name |
| lib/lib.js:27:22:27:25 | name |
| lib/lib.js:27:22:27:25 | name |
| lib/lib.js:34:14:34:17 | name |
| lib/lib.js:34:14:34:17 | name |
| lib/lib.js:35:23:35:26 | name |
| lib/lib.js:35:23:35:26 | name |
| lib/lib.js:37:13:37:16 | name |
| lib/lib.js:37:13:37:16 | name |
| lib/lib.js:38:23:38:26 | name |
| lib/lib.js:38:23:38:26 | name |
| lib/lib.js:40:6:40:9 | name |
| lib/lib.js:40:6:40:9 | name |
| lib/lib.js:41:23:41:26 | name |
| lib/lib.js:41:23:41:26 | name |
| lib/lib.js:49:31:49:34 | name |
| lib/lib.js:49:31:49:34 | name |
| lib/lib.js:50:47:50:50 | name |
| lib/lib.js:50:47:50:50 | name |
| lib/lib.js:53:33:53:36 | name |
| lib/lib.js:53:33:53:36 | name |
| lib/lib.js:54:25:54:28 | name |
| lib/lib.js:54:25:54:28 | name |
| lib/lib.js:57:25:57:28 | name |
| lib/lib.js:57:25:57:28 | name |
| lib/lib.js:64:41:64:44 | name |
| lib/lib.js:64:41:64:44 | name |
| lib/lib.js:65:22:65:25 | name |
| lib/lib.js:65:22:65:25 | name |
| lib/lib.js:71:28:71:31 | name |
| lib/lib.js:71:28:71:31 | name |
| lib/lib.js:73:21:73:24 | name |
| lib/lib.js:73:21:73:24 | name |
| lib/lib.js:75:20:75:23 | name |
| lib/lib.js:75:20:75:23 | name |
| lib/lib.js:77:28:77:31 | name |
| lib/lib.js:77:28:77:31 | name |
| lib/lib.js:82:35:82:38 | name |
| lib/lib.js:82:35:82:38 | name |
| lib/lib.js:83:22:83:25 | name |
| lib/lib.js:83:22:83:25 | name |
| lib/lib.js:86:13:86:16 | name |
| lib/lib.js:86:13:86:16 | name |
| lib/lib.js:89:21:89:24 | name |
| lib/lib.js:89:21:89:24 | name |
| lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:91:28:91:31 | name |
| lib/lib.js:97:35:97:38 | name |
| lib/lib.js:97:35:97:38 | name |
| lib/lib.js:98:35:98:38 | name |
| lib/lib.js:98:35:98:38 | name |
| lib/lib.js:100:37:100:40 | name |
| lib/lib.js:100:37:100:40 | name |
| lib/lib.js:102:46:102:49 | name |
| lib/lib.js:102:46:102:49 | name |
| lib/lib.js:108:41:108:44 | name |
| lib/lib.js:108:41:108:44 | name |
| lib/lib.js:111:34:111:37 | name |
| lib/lib.js:111:34:111:37 | name |
| lib/lib.js:112:22:112:25 | name |
| lib/lib.js:112:22:112:25 | name |
| lib/lib.js:120:33:120:36 | name |
| lib/lib.js:120:33:120:36 | name |
| lib/lib.js:121:22:121:25 | name |
| lib/lib.js:121:22:121:25 | name |
| lib/lib.js:130:6:130:9 | name |
| lib/lib.js:130:6:130:9 | name |
| lib/lib.js:131:23:131:26 | name |
| lib/lib.js:131:23:131:26 | name |
| lib/lib.js:148:37:148:40 | name |
| lib/lib.js:148:37:148:40 | name |
| lib/lib.js:149:24:149:27 | name |
| lib/lib.js:149:24:149:27 | name |
| lib/lib.js:155:38:155:41 | name |
| lib/lib.js:155:38:155:41 | name |
| lib/lib.js:161:25:161:28 | name |
| lib/lib.js:161:25:161:28 | name |
| lib/lib.js:170:41:170:44 | name |
| lib/lib.js:170:41:170:44 | name |
| lib/lib.js:173:20:173:23 | name |
| lib/lib.js:173:20:173:23 | name |
| lib/lib.js:177:38:177:41 | name |
| lib/lib.js:177:38:177:41 | name |
| lib/lib.js:181:6:181:52 | broken |
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" |
| lib/lib.js:181:21:181:24 | name |
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
| lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:186:34:186:37 | name |
| lib/lib.js:186:34:186:37 | name |
| lib/lib.js:187:22:187:25 | name |
| lib/lib.js:187:22:187:25 | name |
| lib/lib.js:190:23:190:26 | name |
| lib/lib.js:190:23:190:26 | name |
| lib/lib.js:196:45:196:48 | name |
| lib/lib.js:196:45:196:48 | name |
| lib/lib.js:197:22:197:25 | name |
| lib/lib.js:197:22:197:25 | name |
| lib/lib.js:200:23:200:26 | name |
| lib/lib.js:200:23:200:26 | name |
| lib/lib.js:206:45:206:48 | name |
| lib/lib.js:206:45:206:48 | name |
| lib/lib.js:207:22:207:25 | name |
| lib/lib.js:207:22:207:25 | name |
| lib/lib.js:212:23:212:26 | name |
| lib/lib.js:212:23:212:26 | name |
| lib/lib.js:216:39:216:42 | name |
| lib/lib.js:216:39:216:42 | name |
| lib/lib.js:217:22:217:25 | name |
| lib/lib.js:217:22:217:25 | name |
| lib/lib.js:220:23:220:26 | name |
| lib/lib.js:220:23:220:26 | name |
| lib/lib.js:224:22:224:25 | name |
| lib/lib.js:224:22:224:25 | name |
| lib/lib.js:227:39:227:42 | name |
| lib/lib.js:227:39:227:42 | name |
| lib/lib.js:228:22:228:25 | name |
| lib/lib.js:228:22:228:25 | name |
| lib/lib.js:236:22:236:25 | name |
| lib/lib.js:236:22:236:25 | name |
| lib/lib.js:248:42:248:45 | name |
| lib/lib.js:248:42:248:45 | name |
| lib/lib.js:249:22:249:25 | name |
| lib/lib.js:249:22:249:25 | name |
| lib/lib.js:257:35:257:38 | name |
| lib/lib.js:257:35:257:38 | name |
| lib/lib.js:258:22:258:25 | name |
| lib/lib.js:258:22:258:25 | name |
| lib/lib.js:261:30:261:33 | name |
| lib/lib.js:261:30:261:33 | name |
| lib/lib.js:267:46:267:48 | obj |
| lib/lib.js:267:46:267:48 | obj |
| lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:276:8:276:11 | opts |
| lib/lib.js:276:8:276:11 | opts |
| lib/lib.js:277:23:277:26 | opts |
| lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:307:39:307:42 | name |
| lib/lib.js:307:39:307:42 | name |
| lib/lib.js:308:23:308:26 | name |
| lib/lib.js:308:23:308:26 | name |
edges
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:91:28:91:31 | name |
| lib/lib.js:82:35:82:38 | name | lib/lib.js:91:28:91:31 | name |
| lib/lib.js:91:28:91:31 | name | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:91:28:91:31 | name | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name |
| lib/lib.js:177:38:177:41 | name | lib/lib.js:181:21:181:24 | name |
| lib/lib.js:177:38:177:41 | name | lib/lib.js:181:21:181:24 | name |
| lib/lib.js:181:6:181:52 | broken | lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:181:6:181:52 | broken | lib/lib.js:182:22:182:27 | broken |
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" | lib/lib.js:181:6:181:52 | broken |
| lib/lib.js:181:21:181:24 | name | lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") | lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:268:22:268:24 | obj | lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:268:22:268:24 | obj | lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj | lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj | lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
| lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
| lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
| lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
#select
| lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
| lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |
| lib/lib.js:4:10:4:25 | "rm -rf " + name | lib/lib.js:3:28:3:31 | name | lib/lib.js:4:22:4:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib.js:4:2:4:26 | cp.exec ... + name) | shell command |
| lib/lib.js:11:10:11:25 | "rm -rf " + name | lib/lib.js:10:32:10:35 | name | lib/lib.js:11:22:11:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:11:10:11:25 | "rm -rf " + name | String concatenation | lib/lib.js:11:2:11:26 | cp.exec ... + name) | shell command |
| lib/lib.js:15:10:15:25 | "rm -rf " + name | lib/lib.js:14:36:14:39 | name | lib/lib.js:15:22:15:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:15:10:15:25 | "rm -rf " + name | String concatenation | lib/lib.js:15:2:15:26 | cp.exec ... + name) | shell command |
| lib/lib.js:20:10:20:25 | "rm -rf " + name | lib/lib.js:19:34:19:37 | name | lib/lib.js:20:22:20:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:20:10:20:25 | "rm -rf " + name | String concatenation | lib/lib.js:20:2:20:26 | cp.exec ... + name) | shell command |
| lib/lib.js:27:10:27:25 | "rm -rf " + name | lib/lib.js:26:35:26:38 | name | lib/lib.js:27:22:27:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:27:10:27:25 | "rm -rf " + name | String concatenation | lib/lib.js:27:2:27:26 | cp.exec ... + name) | shell command |
| lib/lib.js:35:11:35:26 | "rm -rf " + name | lib/lib.js:34:14:34:17 | name | lib/lib.js:35:23:35:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:35:11:35:26 | "rm -rf " + name | String concatenation | lib/lib.js:35:3:35:27 | cp.exec ... + name) | shell command |
| lib/lib.js:38:11:38:26 | "rm -rf " + name | lib/lib.js:37:13:37:16 | name | lib/lib.js:38:23:38:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:38:11:38:26 | "rm -rf " + name | String concatenation | lib/lib.js:38:3:38:27 | cp.exec ... + name) | shell command |
| lib/lib.js:41:11:41:26 | "rm -rf " + name | lib/lib.js:40:6:40:9 | name | lib/lib.js:41:23:41:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:41:11:41:26 | "rm -rf " + name | String concatenation | lib/lib.js:41:3:41:27 | cp.exec ... + name) | shell command |
| lib/lib.js:50:35:50:50 | "rm -rf " + name | lib/lib.js:49:31:49:34 | name | lib/lib.js:50:47:50:50 | name | $@ based on libary input is later used in $@. | lib/lib.js:50:35:50:50 | "rm -rf " + name | String concatenation | lib/lib.js:50:2:50:51 | require ... + name) | shell command |
| lib/lib.js:54:13:54:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name | $@ based on libary input is later used in $@. | lib/lib.js:54:13:54:28 | "rm -rf " + name | String concatenation | lib/lib.js:55:2:55:14 | cp.exec(cmd1) | shell command |
| lib/lib.js:57:13:57:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name | $@ based on libary input is later used in $@. | lib/lib.js:57:13:57:28 | "rm -rf " + name | String concatenation | lib/lib.js:59:3:59:14 | cp.exec(cmd) | shell command |
| lib/lib.js:65:10:65:25 | "rm -rf " + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:65:10:65:25 | "rm -rf " + name | String concatenation | lib/lib.js:65:2:65:26 | cp.exec ... + name) | shell command |
| lib/lib.js:71:10:71:31 | "cat /f ... + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name | $@ based on libary input is later used in $@. | lib/lib.js:71:10:71:31 | "cat /f ... + name | String concatenation | lib/lib.js:71:2:71:32 | cp.exec ... + name) | shell command |
| lib/lib.js:73:10:73:31 | "cat \\" ... + "\\"" | lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name | $@ based on libary input is later used in $@. | lib/lib.js:73:10:73:31 | "cat \\" ... + "\\"" | String concatenation | lib/lib.js:73:2:73:32 | cp.exec ... + "\\"") | shell command |
| lib/lib.js:75:10:75:29 | "cat '" + name + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name | $@ based on libary input is later used in $@. | lib/lib.js:75:10:75:29 | "cat '" + name + "'" | String concatenation | lib/lib.js:75:2:75:30 | cp.exec ... + "'") | shell command |
| lib/lib.js:77:10:77:37 | "cat '/ ... e + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:77:28:77:31 | name | $@ based on libary input is later used in $@. | lib/lib.js:77:10:77:37 | "cat '/ ... e + "'" | String concatenation | lib/lib.js:77:2:77:38 | cp.exec ... + "'") | shell command |
| lib/lib.js:83:10:83:25 | "rm -rf " + name | lib/lib.js:82:35:82:38 | name | lib/lib.js:83:22:83:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:83:10:83:25 | "rm -rf " + name | String concatenation | lib/lib.js:83:2:83:26 | cp.exec ... + name) | shell command |
| lib/lib.js:86:13:86:16 | name | lib/lib.js:82:35:82:38 | name | lib/lib.js:86:13:86:16 | name | $@ based on libary input is later used in $@. | lib/lib.js:86:13:86:16 | name | Array element | lib/lib.js:87:2:87:25 | cp.exec ... n(" ")) | shell command |
| lib/lib.js:89:21:89:24 | name | lib/lib.js:82:35:82:38 | name | lib/lib.js:89:21:89:24 | name | $@ based on libary input is later used in $@. | lib/lib.js:89:21:89:24 | name | Array element | lib/lib.js:89:2:89:36 | cp.exec ... n(" ")) | shell command |
| lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | lib/lib.js:82:35:82:38 | name | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | $@ based on libary input is later used in $@. | lib/lib.js:91:21:91:38 | "\\"" + name + "\\"" | Array element | lib/lib.js:91:2:91:50 | cp.exec ... n(" ")) | shell command |
| lib/lib.js:98:35:98:38 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:98:35:98:38 | name | $@ based on libary input is later used in $@. | lib/lib.js:98:35:98:38 | name | Formatted string | lib/lib.js:98:2:98:40 | cp.exec ... name)) | shell command |
| lib/lib.js:100:37:100:40 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:100:37:100:40 | name | $@ based on libary input is later used in $@. | lib/lib.js:100:37:100:40 | name | Formatted string | lib/lib.js:100:2:100:42 | cp.exec ... name)) | shell command |
| lib/lib.js:102:46:102:49 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:102:46:102:49 | name | $@ based on libary input is later used in $@. | lib/lib.js:102:46:102:49 | name | Formatted string | lib/lib.js:102:2:102:51 | cp.exec ... name)) | shell command |
| lib/lib.js:108:41:108:44 | name | lib/lib.js:97:35:97:38 | name | lib/lib.js:108:41:108:44 | name | $@ based on libary input is later used in $@. | lib/lib.js:108:41:108:44 | name | Formatted string | lib/lib.js:108:2:108:46 | cp.exec ... name)) | shell command |
| lib/lib.js:112:10:112:25 | "rm -rf " + name | lib/lib.js:111:34:111:37 | name | lib/lib.js:112:22:112:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:112:10:112:25 | "rm -rf " + name | String concatenation | lib/lib.js:112:2:112:26 | cp.exec ... + name) | shell command |
| lib/lib.js:121:10:121:25 | "rm -rf " + name | lib/lib.js:120:33:120:36 | name | lib/lib.js:121:22:121:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:121:10:121:25 | "rm -rf " + name | String concatenation | lib/lib.js:121:2:121:26 | cp.exec ... + name) | shell command |
| lib/lib.js:131:11:131:26 | "rm -rf " + name | lib/lib.js:130:6:130:9 | name | lib/lib.js:131:23:131:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:131:11:131:26 | "rm -rf " + name | String concatenation | lib/lib.js:131:3:131:27 | cp.exec ... + name) | shell command |
| lib/lib.js:149:12:149:27 | "rm -rf " + name | lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name | $@ based on libary input is later used in $@. | lib/lib.js:149:12:149:27 | "rm -rf " + name | String concatenation | lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) | shell command |
| lib/lib.js:161:13:161:28 | "rm -rf " + name | lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name | $@ based on libary input is later used in $@. | lib/lib.js:161:13:161:28 | "rm -rf " + name | String concatenation | lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) | shell command |
| lib/lib.js:173:10:173:23 | "fo \| " + name | lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name | $@ based on libary input is later used in $@. | lib/lib.js:173:10:173:23 | "fo \| " + name | String concatenation | lib/lib.js:173:2:173:24 | cp.exec ... + name) | shell command |
| lib/lib.js:182:10:182:27 | "rm -rf " + broken | lib/lib.js:177:38:177:41 | name | lib/lib.js:182:22:182:27 | broken | $@ based on libary input is later used in $@. | lib/lib.js:182:10:182:27 | "rm -rf " + broken | String concatenation | lib/lib.js:182:2:182:28 | cp.exec ... broken) | shell command |
| lib/lib.js:187:10:187:25 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:187:10:187:25 | "rm -rf " + name | String concatenation | lib/lib.js:187:2:187:26 | cp.exec ... + name) | shell command |
| lib/lib.js:190:11:190:26 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:190:11:190:26 | "rm -rf " + name | String concatenation | lib/lib.js:190:3:190:27 | cp.exec ... + name) | shell command |
| lib/lib.js:197:10:197:25 | "rm -rf " + name | lib/lib.js:196:45:196:48 | name | lib/lib.js:197:22:197:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:197:10:197:25 | "rm -rf " + name | String concatenation | lib/lib.js:197:2:197:26 | cp.exec ... + name) | shell command |
| lib/lib.js:200:11:200:26 | "rm -rf " + name | lib/lib.js:196:45:196:48 | name | lib/lib.js:200:23:200:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:200:11:200:26 | "rm -rf " + name | String concatenation | lib/lib.js:200:3:200:27 | cp.exec ... + name) | shell command |
| lib/lib.js:207:10:207:25 | "rm -rf " + name | lib/lib.js:206:45:206:48 | name | lib/lib.js:207:22:207:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:207:10:207:25 | "rm -rf " + name | String concatenation | lib/lib.js:207:2:207:26 | cp.exec ... + name) | shell command |
| lib/lib.js:212:11:212:26 | "rm -rf " + name | lib/lib.js:206:45:206:48 | name | lib/lib.js:212:23:212:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:212:11:212:26 | "rm -rf " + name | String concatenation | lib/lib.js:212:3:212:27 | cp.exec ... + name) | shell command |
| lib/lib.js:217:10:217:25 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:217:22:217:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:217:10:217:25 | "rm -rf " + name | String concatenation | lib/lib.js:217:2:217:26 | cp.exec ... + name) | shell command |
| lib/lib.js:220:11:220:26 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:220:23:220:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:220:11:220:26 | "rm -rf " + name | String concatenation | lib/lib.js:220:3:220:27 | cp.exec ... + name) | shell command |
| lib/lib.js:224:10:224:25 | "rm -rf " + name | lib/lib.js:216:39:216:42 | name | lib/lib.js:224:22:224:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:224:10:224:25 | "rm -rf " + name | String concatenation | lib/lib.js:224:2:224:26 | cp.exec ... + name) | shell command |
| lib/lib.js:228:10:228:25 | "rm -rf " + name | lib/lib.js:227:39:227:42 | name | lib/lib.js:228:22:228:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:228:10:228:25 | "rm -rf " + name | String concatenation | lib/lib.js:228:2:228:26 | cp.exec ... + name) | shell command |
| lib/lib.js:236:10:236:25 | "rm -rf " + name | lib/lib.js:227:39:227:42 | name | lib/lib.js:236:22:236:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:236:10:236:25 | "rm -rf " + name | String concatenation | lib/lib.js:236:2:236:26 | cp.exec ... + name) | shell command |
| lib/lib.js:249:10:249:25 | "rm -rf " + name | lib/lib.js:248:42:248:45 | name | lib/lib.js:249:22:249:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:249:10:249:25 | "rm -rf " + name | String concatenation | lib/lib.js:249:2:249:26 | cp.exec ... + name) | shell command |
| lib/lib.js:258:10:258:25 | "rm -rf " + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:258:10:258:25 | "rm -rf " + name | String concatenation | lib/lib.js:258:2:258:26 | cp.exec ... + name) | shell command |
| lib/lib.js:261:11:261:33 | "rm -rf ... + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name | $@ based on libary input is later used in $@. | lib/lib.js:261:11:261:33 | "rm -rf ... + name | String concatenation | lib/lib.js:261:3:261:34 | cp.exec ... + name) | shell command |
| lib/lib.js:268:10:268:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:268:10:268:32 | "rm -rf ... version | String concatenation | lib/lib.js:268:2:268:33 | cp.exec ... ersion) | shell command |
| lib/lib.js:272:10:272:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:272:10:272:32 | "rm -rf ... version | String concatenation | lib/lib.js:272:2:272:33 | cp.exec ... ersion) | shell command |
| lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:30 | opts.bla | $@ based on libary input is later used in $@. | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | String concatenation | lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) | shell command |
| lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:308:11:308:26 | "rm -rf " + name | String concatenation | lib/lib.js:308:3:308:27 | cp.exec ... + name) | shell command |


@@ -0,0 +1 @@
Security/CWE-078/UnsafeShellCommandConstruction.ql


@@ -1,4 +1,8 @@
readFile
| lib/lib.js:71:2:71:32 | cp.exec ... + name) | fs.readFile("/foO/BAR/" + name) |
| lib/lib.js:73:2:73:32 | cp.exec ... + "\\"") | fs.readFile(""" + name + """) |
| lib/lib.js:75:2:75:30 | cp.exec ... + "'") | fs.readFile("'" + name + "'") |
| lib/lib.js:77:2:77:38 | cp.exec ... + "'") | fs.readFile("'/foo/bar" + name + "'") |
| uselesscat.js:10:1:10:43 | exec("c ... ut) {}) | fs.readFile("foo/bar", function(err, out) {...}) |
| uselesscat.js:12:1:14:2 | exec("c ... ut);\\n}) | fs.readFile("/proc/" + id + "/status", function(err, out) {...}) |
| uselesscat.js:16:1:16:29 | execSyn ... uinfo') | fs.readFileSync("/proc/cpuinfo") |
@@ -89,6 +93,9 @@ options
| child_process-test.js:53:5:53:59 | cp.spaw ... cmd])) | child_process-test.js:53:25:53:58 | ['/C', ... , cmd]) |
| child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:54:25:54:49 | ['/C', ... at(cmd) |
| child_process-test.js:64:3:64:21 | cp.spawn(cmd, args) | child_process-test.js:64:17:64:20 | args |
| lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) | lib/lib.js:152:21:152:22 | cb |
| lib/lib.js:159:2:159:23 | cp.spaw ... gs, cb) | lib/lib.js:159:21:159:22 | cb |
| lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) | lib/lib.js:166:3:166:22 | { stdio: 'inherit' } |
| uselesscat.js:28:1:28:39 | execSyn ... 1000}) | uselesscat.js:28:28:28:38 | {uid: 1000} |
| uselesscat.js:30:1:30:64 | exec('c ... t) { }) | uselesscat.js:30:26:30:38 | { cwd: './' } |
| uselesscat.js:34:1:34:54 | execSyn ... utf8'}) | uselesscat.js:34:36:34:53 | {encoding: 'utf8'} |


@@ -0,0 +1,312 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK
cp.execFile(name, [name]); // OK
cp.execFile(name, name); // OK
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports.foo.bar = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
function cla() { }
cla.prototype.method = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports = new cla();
function cla2() { }
cla2.prototype.method = function (name) {
cp.exec("rm -rf " + name); // NOT OK
}
module.exports.bla = new cla2();
module.exports.lib2 = require("./lib2.js")
class Cla3 {
constructor(name) {
cp.exec("rm -rf " + name); // NOT OK
}
static foo(name) {
cp.exec("rm -rf " + name); // NOT OK
}
bar(name) {
cp.exec("rm -rf " + name); // NOT OK
cp.exec("rm -rf " + notASource); // OK
}
}
module.exports.cla3 = Cla3;
module.exports.mz = function (name) {
require("mz/child_process").exec("rm -rf " + name); // NOT OK.
}
module.exports.flow = function (name) {
var cmd1 = "rm -rf " + name;
cp.exec(cmd1); // NOT OK.
var cmd2 = "rm -rf " + name;
function myExec(cmd) {
cp.exec(cmd); // NOT OK.
}
myExec(cmd2);
}
module.exports.stringConcat = function (name) {
cp.exec("rm -rf " + name); // NOT OK.
cp.exec(name); // OK.
cp.exec("for foo in (" + name + ") do bla end"); // OK.
cp.exec("cat /foO/BAR/" + name) // NOT OK.
cp.exec("cat \"" + name + "\"") // NOT OK.
cp.exec("cat '" + name + "'") // NOT OK.
cp.exec("cat '/foo/bar" + name + "'") // NOT OK.
cp.exec(name + " some file") // OK.
}
module.exports.arrays = function (name) {
cp.exec("rm -rf " + name); // NOT OK.
var args1 = ["node"];
args1.push(name);
cp.exec(args1.join(" ")); // NOT OK.
cp.exec(["rm -rf", name].join(" ")); // NOT OK.
cp.exec(["rm -rf", "\"" + name + "\""].join(" ")); // NOT OK.
cp.execFile("rm", ["-rf", name]); // OK
}
var util = require("util");
module.exports.format = function (name) {
cp.exec(util.format("rm -rf %s", name)); // NOT OK
cp.exec(util.format("rm -rf '%s'", name)); // NOT OK
cp.exec(util.format("rm -rf '/foo/bar/%s'", name)); // NOT OK
cp.exec(util.format("%s foo/bar", name)); // OK
cp.exec(util.format("for foo in (%s) do bar end", name)); // OK
cp.exec(require("printf")('rm -rf %s', name)); // NOT OK
}
module.exports.valid = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!isValidName(name)) {
return;
}
cp.exec("rm -rf " + name); // OK
}
module.exports.safe = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!isSafeName(name)) {
return;
}
cp.exec("rm -rf " + name); // OK
}
class Cla4 {
wha(name) {
cp.exec("rm -rf " + name); // NOT OK
}
static bla(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
constructor(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
}
module.exports.cla4 = new Cla4();
function Cla5(name) {
cp.exec("rm -rf " + name); // OK - not exported
}
module.exports.cla5 = new Cla5();
module.exports.indirect = function (name) {
let cmd = "rm -rf " + name;
let sh = "sh";
let args = ["-c", cmd];
cp.spawn(sh, args, cb); // NOT OK
}
module.exports.indirect2 = function (name) {
let cmd = name;
let sh = "sh";
let args = ["-c", cmd];
cp.spawn(sh, args, cb); // OK
let cmd2 = "rm -rf " + name;
var args2 = [cmd2];
cp.spawn(
'cmd.exe',
['/C', editor].concat(args2),
{ stdio: 'inherit' }
);
}
module.exports.cmd = function (command, name) {
cp.exec("fo | " + command); // OK
cp.exec("fo | " + name); // NOT OK
}
module.exports.sanitizer = function (name) {
var sanitized = "'" + name.replace(/'/g, "'\\''") + "'"
cp.exec("rm -rf " + sanitized); // OK
var broken = "'" + name.replace(/'/g, "'\''") + "'"
cp.exec("rm -rf " + broken); // NOT OK
}
var path = require("path");
module.exports.guard = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!path.exist(name)) {
cp.exec("rm -rf " + name); // NOT OK
return;
}
cp.exec("rm -rf " + name); // OK
}
module.exports.blacklistOfChars = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (/[^A-Za-z0-9_\/:=-]/.test(name)) {
cp.exec("rm -rf " + name); // NOT OK
} else {
cp.exec("rm -rf " + name); // OK
}
}
module.exports.whitelistOfChars = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (/^[A-Za-z0-9_\/:=-]$/.test(name)) {
cp.exec("rm -rf " + name); // OK
} else {
cp.exec("rm -rf " + name); // NOT OK
}
}
module.exports.blackList2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!/^([a-zA-Z0-9]+))?$/.test(name)) {
cp.exec("rm -rf " + name); // NOT OK
process.exit(-1);
}
cp.exec("rm -rf " + name); // OK - but FP due to tracking flow through `process.exit()`.
}
module.exports.accessSync = function (name) {
cp.exec("rm -rf " + name); // NOT OK
try {
path.accessSync(name);
} catch (e) {
return;
}
cp.exec("rm -rf " + name); // OK - but FP due to `path.accessSync` not being recognized as a sanitizer.
}
var cleanInput = function (s) {
if (/[^A-Za-z0-9_\/:=-]/.test(s)) {
s = "'" + s.replace(/'/g, "'\\''") + "'";
s = s.replace(/^(?:'')+/g, '') // unduplicate single-quote at the beginning
.replace(/\\'''/g, "\\'"); // remove non-escaped single-quote if there are enclosed between 2 escaped
}
return s;
}
module.exports.goodSanitizer = function (name) {
cp.exec("rm -rf " + name); // NOT OK
var cleaned = cleanInput(name);
cp.exec("rm -rf " + cleaned); // OK
}
var fs = require("fs");
module.exports.guard2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
if (!fs.existsSync("prefix/" + name)) {
cp.exec("rm -rf prefix/" + name); // NOT OK
return;
}
cp.exec("rm -rf prefix/" + name); // OK
}
module.exports.sanitizerProperty = function (obj) {
cp.exec("rm -rf " + obj.version); // NOT OK
obj.version = "";
cp.exec("rm -rf " + obj.version); // OK - but FP
}
module.exports.Foo = class Foo {
start(opts) {
cp.exec("rm -rf " + opts.bla); // NOT OK
this.opts = {};
this.opts.bla = opts.bla
cp.exec("rm -rf " + this.opts.bla); // NOT OK - but FN
}
}
function sanitizeShellString(str) {
let result = str;
result = result.replace(/>/g, "");
result = result.replace(/</g, "");
result = result.replace(/\*/g, "");
result = result.replace(/\?/g, "");
result = result.replace(/\[/g, "");
result = result.replace(/\]/g, "");
result = result.replace(/\|/g, "");
result = result.replace(/\`/g, "");
result = result.replace(/$/g, "");
result = result.replace(/;/g, "");
result = result.replace(/&/g, "");
result = result.replace(/\)/g, "");
result = result.replace(/\(/g, "");
result = result.replace(/\$/g, "");
result = result.replace(/#/g, "");
result = result.replace(/\\/g, "");
result = result.replace(/\n/g, "");
return result
}
module.exports.sanitizer2 = function (name) {
cp.exec("rm -rf " + name); // NOT OK
var sanitized = sanitizeShellString(name);
cp.exec("rm -rf " + sanitized); // OK
}
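Review bot: The bare `// OK` annotations after the existence guards in `guard` (`path.exist(name)`) and `guard2` (`fs.existsSync("prefix/" + name)`) read as "safe", but from the expected results they can only mean "not reported". A path that exists on disk can still contain shell metacharacters, and `cp.exec` still hands the concatenated string to a shell, so the guard is apparently a precision heuristic rather than a sanitizer. I would annotate those two lines as `// OK - not flagged: existence check treated as a sanitizer (heuristic; the string is still shell-interpreted)`, so the fixture is not mistaken for a recommended pattern; the `cp.execFile("rm", ["-rf", name])` call in `arrays` is the form that avoids the shell. Separately, the regex literal in `blackList2`, `/^([a-zA-Z0-9]+))?$/`, has an unbalanced `)` and was presumably meant to be `/^([a-zA-Z0-9]+)?$/`.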


@@ -0,0 +1,9 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // NOT OK - is imported from main module.
};
module.exports.foo = function (name) {
cp.exec("rm -rf " + name); // NOT OK - is imported from main module.
};


@@ -0,0 +1,5 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // OK, is not exported to a main-module.
};


@@ -0,0 +1,5 @@
var cp = require("child_process")
module.exports = function (name) {
cp.exec("rm -rf " + name); // OK - this file belongs in a sub-"module", and is not the primary exported module.
};


@@ -0,0 +1,5 @@
{
"name": "mySubLib",
"version": "0.0.7",
"main": "./index.js"
}


@@ -0,0 +1,5 @@
{
"name": "myLib",
"version": "0.0.7",
"main": "./lib/lib.js"
}