hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
6b4e34dd39b994b181b9ac13d2249961e47986e8
codeql/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js
Napalys Klicius 6b4e34dd39 Added a step from parse to opts for commander js
2025-08-01 13:12:43 +02:00

42 lines
1.3 KiB
JavaScript
Raw Blame History

import express from 'express';
import { Command } from 'commander';
import { exec } from 'child_process';
import arg from 'arg';
const app = express();
app.use(express.json());
app.post('/Command', (req, res) => {
const args = req.body.args || []; // $ Source
const program = new Command();
program.option('--cmd <value>', 'Command to execute');
program.parse(args, { from: 'user' });
const options = program.opts();
exec(options.cmd); // $ Alert
});
app.post('/arg', (req, res) => {
const argsArray = req.body.args || []; // $ MISSING: Source
const parsed = arg({ '--cmd': String }, { argv: argsArray });
exec(parsed['--cmd']); // $ MISSING: Alert
});
app.post('/commandLineArgs', (req, res) => {
const commandLineArgs = require('command-line-args');
const optionDefinitions = [{ name: 'cmd', type: String }];
const options = commandLineArgs(optionDefinitions, { argv: req.body.args || [] }); // $ MISSING: Source
if (!options.cmd) return res.status(400).send({ error: 'Missing --cmd' });
exec(options.cmd); // $ MISSING: Alert
});
app.post('/yargs', (req, res) => {
const yargs = require('yargs/yargs');
const args = req.body.args || []; // $ Source
const parsed = yargs(args).option('cmd', {
type: 'string',
describe: 'Command to execute',
demandOption: true
}).parse();
exec(parsed.cmd); // $ Alert
});
Reference in New Issue View Git Blame Copy Permalink