Merge pull request #19422 from Napalys/js/shelljs

JS: Modeling of `ShellJS` functions
2026-04-27 01:35:13 +02:00 · 2025-05-02 14:18:44 +02:00
parent 74669cb0cb 871e93d9fe
commit d1e769ba54
10 changed files with 63 additions and 11 deletions
--- a/javascript/ql/lib/change-notes/2025-04-30-shelljs.md
+++ b/javascript/ql/lib/change-notes/2025-04-30-shelljs.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved modeling of the [`shelljs`](https://www.npmjs.com/package/shelljs) and [`async-shelljs`](https://www.npmjs.com/package/async-shelljs) libraries by adding support for the `which`, `cmd`, `asyncExec` and `env`.
--- a/javascript/ql/lib/ext/shelljs.model.yml
+++ b/javascript/ql/lib/ext/shelljs.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all 
+      extensible: sourceModel
+    data:
+      - ["shelljs", "Member[env]", "environment"]
--- a/javascript/ql/lib/semmle/javascript/frameworks/ShellJS.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/ShellJS.qll
@@ -14,7 +14,8 @@ module ShellJS {
      shellJSMember()
          .getMember([
              "exec", "cd", "cp", "touch", "chmod", "pushd", "find", "ls", "ln", "mkdir", "mv",
-              "rm", "cat", "head", "sort", "tail", "uniq", "grep", "sed", "to", "toEnd", "echo"
+              "rm", "cat", "head", "sort", "tail", "uniq", "grep", "sed", "to", "toEnd", "echo",
+              "which", "cmd", "asyncExec"
            ])
          .getReturn()
  }
@@ -99,7 +100,8 @@ module ShellJS {
   */
  private class ShellJSGenericFileAccess extends FileSystemAccess, ShellJSCall {
    ShellJSGenericFileAccess() {
-      name = ["cd", "cp", "touch", "chmod", "pushd", "find", "ls", "ln", "mkdir", "mv", "rm"]
+      name =
+        ["cd", "cp", "touch", "chmod", "pushd", "find", "ls", "ln", "mkdir", "mv", "rm", "which"]
    }

    override DataFlow::Node getAPathArgument() { result = this.getAnArgument() }
@@ -111,7 +113,8 @@ module ShellJS {
  private class ShellJSFilenameSource extends FileNameSource, ShellJSCall {
    ShellJSFilenameSource() {
      name = "find" or
-      name = "ls"
+      name = "ls" or
+      name = "which"
    }
  }

@@ -151,16 +154,24 @@ module ShellJS {
  }

  /**
-   * A call to `shelljs.exec()` modeled as command execution.
+   * A call to `shelljs.exec()`, `shelljs.cmd()`, or `async-shelljs.asyncExec()` modeled as command execution.
   */
  private class ShellJSExec extends SystemCommandExecution, ShellJSCall {
-    ShellJSExec() { name = "exec" }
+    ShellJSExec() { name = ["exec", "cmd", "asyncExec"] }

-    override DataFlow::Node getACommandArgument() { result = this.getArgument(0) }
+    override DataFlow::Node getACommandArgument() {
+      if name = "cmd"
+      then
+        result = this.getArgument(_) and
+        not result = this.getOptionsArg()
+      else
+        // For exec/asyncExec: only first argument is command
+        result = this.getArgument(0)
+    }

    override predicate isShellInterpreted(DataFlow::Node arg) { arg = this.getACommandArgument() }

-    override predicate isSync() { none() }
+    override predicate isSync() { name = "cmd" }

    override DataFlow::Node getOptionsArg() {
      result = this.getLastArgument() and
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -171,7 +171,7 @@ module CleartextLogging {

  /** An access to the sensitive object `process.env`. */
  class ProcessEnvSource extends Source {
-    ProcessEnvSource() { this = NodeJSLib::process().getAPropertyRead("env") }
+    ProcessEnvSource() { this.(ThreatModelSource).getThreatModel() = "environment" }

    override string describe() { result = "process environment" }
  }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
@@ -29,7 +29,7 @@ module IndirectCommandInjection {
   * A read of `process.env`, considered as a flow source for command injection.
   */
  private class ProcessEnvAsSource extends Source {
-    ProcessEnvAsSource() { this = NodeJSLib::process().getAPropertyRead("env") }
+    ProcessEnvAsSource() { this.(ThreatModelSource).getThreatModel() = "environment" }

    override string describe() { result = "environment variable" }
  }
@@ -37,7 +37,7 @@ module IndirectCommandInjection {
  /** Gets a data flow node referring to `process.env`. */
  private DataFlow::SourceNode envObject(DataFlow::TypeTracker t) {
    t.start() and
-    result = NodeJSLib::process().getAPropertyRead("env")
+    result.(ThreatModelSource).getThreatModel() = "environment"
    or
    exists(DataFlow::TypeTracker t2 | result = envObject(t2).track(t2, t))
  }