Apply suggestions from code review

Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
This commit is contained in:
Erik Krogh Kristensen
2020-02-27 12:38:06 +01:00
committed by GitHub
parent c83c27cbc4
commit bb911bbbf1


@@ -78,8 +78,8 @@ private class CommandCall extends DataFlow::InvokeNode {
* Holds if the input `str` contains some character that might be interpreted in a non-trivial way by a shell.
*/
bindingset[str]
predicate containsNonTrivialBashChar(string str) {
exists(str.regexpFind("\\*|\\||>|<| |\\$|&|,|\\`| ", _, _))
private predicate containsNonTrivialShellChar(string str) {
exists(str.regexpFind("\\*|\\||>|<| |\\$|&|,|\\`| |;", _, _))
}
/**
@@ -142,7 +142,7 @@ class UselessCat extends CommandCall {
/**
* Gets a string used to call `cat`.
*/
string getACatExecuteable() {
private string getACatExecuteable() {
result = "cat" or result = "/bin/cat"
}
@@ -173,6 +173,7 @@ module PrettyPrintCatCall {
callback = "" and not exists(cat.getCallback())
) and
fileArg = createFileArgument(cat).trim() and
// sanity check in case of surprising `toString` results, other uses of `containsNonTrivialBashChar` should ensure that this conjunct will hold most of the time
not(containsNonTrivialBashChar(fileArg.regexpReplaceAll("\\$|\\`| ", ""))) // string concat might contain " ", template strings might contain "$" or `, and that is OK.
|
result =
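Review bot: The `not(containsNonTrivialBashChar(...))` conjunct in the third hunk, and the comment line just above it, still refer to `containsNonTrivialBashChar`, while the first hunk renames that predicate to `containsNonTrivialShellChar` and makes it private; if both hunks are in the same file (the page shows only one file section), that context line no longer resolves after this commit. The conjunct should read `not(containsNonTrivialShellChar(fileArg.regexpReplaceAll("\\$|\\`| ", "")))` and the comment should name `containsNonTrivialShellChar` too. Separately, the new regex `"\\*|\\||>|<| |\\$|&|,|\\`| |;"` lists the space alternative twice (`| |` and `| |;`), so one can be dropped; the list is also still a heuristic (no quotes, parentheses, braces, backslash or newline), which is worth stating in the predicate's doc comment, e.g. `* This is a heuristic: it deliberately covers only the most common shell metacharacters.`, so readers do not take a `false` result as proof the string is shell-safe. The enclosing `PrettyPrintCatCall` module body continues outside the hunk.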