change useless cat query to only flag instances that can be re-written to

javascript/ql/test/query-tests/Security/CWE-078/UselessCat.expected

@@ -1,3 +0,0 @@
-| False negative | uselesscat.js:69:42:69:69 | // NOT  ... lagged] |
-| False positive | uselesscat.js:18:70:18:118 | // OK [ ... jection |
-| False positive | uselesscat.js:82:80:82:128 | // OK ( ... / gid)) |

javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.expected

@@ -0,0 +1,20 @@
+readFile
+| uselesscat.js:10:1:10:43 | exec("c ... ut) {}) | fs.readFile("foo/bar", function(err, out) {...}) |
+| uselesscat.js:12:1:14:2 | exec("c ... ut);\\n}) | fs.readFile("/proc/"+id+"/status", function(err, out) {...}) |
+| uselesscat.js:16:1:16:29 | execSyn ... uinfo') | fs.readFileSync("/proc/cpuinfo") |
+| uselesscat.js:18:1:18:26 | execSyn ... path}`) | fs.readFileSync(`${newpath}`) |
+| uselesscat.js:32:1:32:34 | execSyn ... path}`) | fs.readFileSync(`foo/bar/${newpath}`) |
+| uselesscat.js:34:1:34:54 | execSyn ... utf8'}) | fs.readFileSync(`foo/bar/${newpath}`, {encoding: 'utf8'})) |
+| uselesscat.js:51:9:51:31 | execSyn ... + file) | fs.readFileSync(file) |
+| uselesscat.js:59:1:62:2 | execFil ... ut);\\n}) | fs.readFile("pom.xml", function(error, stderr, stdout) {...}) |
+| uselesscat.js:69:1:72:2 | execFil ... ut);\\n}) | fs.readFile("pom.xml", {encoding: 'utf8'}), function(error, stderr, stdout) {...}) |
+| uselesscat.js:74:1:74:60 | execFil ... utf8'}) | fs.readFileSync("pom.xml", {encoding: 'utf8'})) |
+| uselesscat.js:76:1:76:39 | execFil ... xml' ]) | fs.readFileSync("pom.xml") |
+| uselesscat.js:79:1:79:46 | execFil ...   opts) | fs.readFileSync("pom.xml", opts)) |
+| uselesscat.js:82:1:82:90 | execFil ... String) | fs.readFileSync("pom.xml", anOptsFileNameThatIsTooLongToBePrintedByToString)) |
+| uselesscat.js:86:1:86:75 | execFil ... utf8'}) | fs.readFileSync("foo/"+newPath+"bar", {encoding: 'utf8'})) |
+| uselesscat.js:88:1:88:35 | execSyn ...  + foo) | fs.readFileSync("/proc/cpuinfo"+foo) |
+| uselesscat.js:90:1:90:50 | execFil ... th}` ]) | fs.readFileSync(`foo/bar/${newpath}`) |
+#select
+| False negative | uselesscat.js:54:42:54:69 | // NOT  ... lagged] |
+| False negative | uselesscat.js:84:118:84:144 | // NOT  ... lagged] |

javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.ql

@@ -16,3 +16,5 @@ where
     msg = "False positive"
   )
 select msg, comment
+
+query string readFile(UselessCat cat) { result = createReadFileCall(cat) }

javascript/ql/test/query-tests/Security/CWE-078/uselesscat.js

@@ -7,76 +7,86 @@ var spawnSync = child_process.spawnSync;
 var fs = require('fs');
 var app = express();
 
-function readStatus(id) {
-	exec("cat /proc/" + id + "/status", function (err, out) { // NOT OK
-		console.log(out);
-	});
-};
+exec("cat foo/bar", function (err, out) {}); // NOT OK
 
-var basePath = '/foo/bar';
-app.get('/:data', function (req, res) {
-	res.send(execSync('cat ' + basePath + req.params.data).toString()); // OK [but flagged] - caught by command-injection
+exec("cat /proc/" + id + "/status", function (err, out) { // NOT OK
+	console.log(out);
 });
 
-spawn('cat', ['package.json']); // NOT OK
-
-spawn('/bin/cat', ['package.json']); // NOT 
-
-spawn('/bin/cat', [someValue]); // NOT OK
-spawn('sudo /bin/cat', [someValue]); // NOT OK
-spawn('sudo cat', [someValue]); // NOT OK  
-
-child_process.spawnSync('cat', [someValue]); // NOT OK
-
-child_process.execSync('cat package.json | wc -l'); // OK - pipes!
-
-const cat = child_process.spawn('cat') // OK - benign use (usually pipe to and from).
-
-spawn('cat', ['package.json']); // NOT OK.
-
-exec('cat *.js') // OK - wildcard use.
-exec('cat *.js | wc -l') // OK - wildcard use and pipes!
-exec('cat *.js | wc -l', { cwd: './' }, function () { }); // OK - wildcard and pipes
-
-spawnSync('cat', ['/proc/cpuinfo']) // NOT OK.
-
-exec(`cat ${path.join(__dirname, 'package.json')} | sort | uniq`, () => {}); // OK: pipes
-
 execSync('cat /proc/cpuinfo').toString(); // NOT OK.
 
-var cmd = "cat /proc/cpuinfo"
-execSync(cmd); // NOT OK
+execSync(`cat ${newpath}`) // NOT OK
 
-execSync("cat /proc/cpuinfo | grep -c '" + someValue + "'"); // OK - pipes
+child_process.execSync('cat package.json | wc -l'); // OK - pipes!
 
-function cat(file) {
-	return execSync('cat ' + file).toString(); // NOT OK
-}
+execSync('cat /proc/cpuinfo /foo/bar').toString(); // OK multiple files.
 
-execSync(`cat ${files.join(' ')} > ${outFile}`); // OK
+execSync(`cat ${newpath} /foo/bar`).toString(); // OK multiple files.
 
-var cmd = 'cat package.json | grep'
-exec(cmd); // OK - pipes!
+exec(`cat ${newpath} | grep foo`, function (err, out) { }) // OK - pipes
 
-execSync("sudo cat " + newpath + "*.js | grep foo").toString(); // OK - wildcard and pipes
+execSync(`cat ${newpath}`, {uid: 1000}) // OK - non trivial options
 
-execSync(`cat ${newpath}`); // NOT OK
+exec('cat *.js | wc -l', { cwd: './' }, function (err, out) { }); // OK - wildcard and pipes
 
-exec("cat /proc/cpuinfo | grep name"); // OK - pipes
+execSync(`cat foo/bar/${newpath}`); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync)
 
-execSync(`cat ${newpath} | ${othertool}`); // OK - pipes
+execSync(`cat foo/bar/${newpath}`, {encoding: 'utf8'}); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync)
 
-execSync("sh -c 'cat " + newpath + "'"); // NOT OK. [but not flagged]
-
-exec(` cat ${newpath}`) // NOT OK
-
-exec(` cat ${newpath} | grep foo`) // OK - pipes
+execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'}); // OK (fs.readFileSync cannot emulate uid / gid))
 
 execSync('cat /proc/cpuinfo > foo/bar/baz').toString(); // OK.
 
 execSync(`cat ${newpath} > ${destpath}`).toString(); // OK.
 
-const Opts = {encoding: 'utf8'}
-execSync(`cat foo/bar/${newpath}`, Opts).slice(0, 7); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync)
+execSync(`cat ${files.join(' ')} > ${outFile}`); // OK
 
-execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'}); // OK (fs.readFileSync cannot emulate uid / gid))
+execSync(`cat ${files.join(' ')}`); // OK - not just a simple file read
+
+exec("cat /proc/cpuinfo | grep name"); // OK - pipes
+
+execSync(`cat ${newpath} | ${othertool}`); // OK - pipes
+
+function cat(file) {
+	return execSync('cat ' + file).toString(); // NOT OK
+}
+
+execSync("sh -c 'cat " + newpath + "'"); // NOT OK. [but not flagged]
+
+var execFile = child_process.execFile;
+var execFileSync = child_process.execFileSync;
+
+execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // NOT OK
+  // Not using stderr
+  console.log(stdout);
+});
+
+execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // OK. - stderr is used.
+  console.log(stderr); 
+});
+
+
+execFile('/bin/cat', [ 'pom.xml' ],  {encoding: 'utf8'}, function(error, stdout, stderr ) { // NOT OK
+  // Not using stderr
+  console.log(stdout);
+});
+
+execFileSync('/bin/cat', [ 'pom.xml' ],  {encoding: 'utf8'}); // NOT OK
+
+execFileSync('/bin/cat', [ 'pom.xml' ]);  // NOT OK
+
+var opts = {encoding: 'utf8'};
+execFileSync('/bin/cat', [ 'pom.xml' ],  opts); // NOT OK
+
+var anOptsFileNameThatIsTooLongToBePrintedByToString = {encoding: 'utf8'};
+execFileSync('/bin/cat', [ 'pom.xml' ],  anOptsFileNameThatIsTooLongToBePrintedByToString); // NOT OK
+
+execFileSync('/bin/cat', [ 'pom.xml' ],  {encoding: 'someEncodingValueThatIsCompletelyBogusAndTooLongForToString'}); // NOT OK [but not flagged]
+
+execFileSync('/bin/cat', [ "foo/" + newPath + "bar" ],  {encoding: 'utf8'}); // NOT OK
+
+execSync('cat /proc/cpuinfo' + foo).toString(); // NOT OK.
+
+execFileSync('/bin/cat', [ `foo/bar/${newpath}` ]); // NOT OK
+
+execFileSync('node', [ `foo/bar/${newpath}` ]); // OK - not a call to cat