add support for util.promisify with child_process calls

2026-04-26 01:05:15 +02:00 · 2020-04-15 14:06:16 +02:00
parent bfd80b42a7
commit e8dc77d508
3 changed files with 33 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -594,6 +594,14 @@ module NodeJSLib {

    ChildProcessMethodCall() {
      this = DataFlow::moduleMember("child_process", methodName).getACall()
+      or
+      exists(DataFlow::CallNode promisify |
+        promisify = DataFlow::moduleMember("util", "promisify").getACall()
+      |
+        this = promisify.getACall() and
+        promisify.getArgument(0).getALocalSource() =
+          DataFlow::moduleMember("child_process", methodName)
+      )
    }

    private DataFlow::Node getACommandArgument(boolean shell) {