hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b19d1e0f57cda568c1ba596493e1d60436e0fcc7
codeql/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected

452 lines
46 KiB
Plaintext
Raw Blame History

#select
| actions.js:9:8:9:22 | `echo ${title}` | actions.js:8:17:8:57 | github. ... t.title | actions.js:9:8:9:22 | `echo ${title}` | This command line depends on a $@. | actions.js:8:17:8:57 | github. ... t.title | user-provided value |
| actions.js:19:14:19:31 | `echo ${head_ref}` | actions.js:18:20:18:63 | github. ... ead.ref | actions.js:19:14:19:31 | `echo ${head_ref}` | This command line depends on a $@. | actions.js:18:20:18:63 | github. ... ead.ref | user-provided value |
| child_process-test.js:17:13:17:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:17:13:17:15 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:18:17:18:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:18:17:18:19 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:19:17:19:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:19:17:19:19 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:20:21:20:23 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:20:21:20:23 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:21:14:21:16 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:21:14:21:16 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:22:18:22:20 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:22:18:22:20 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:23:13:23:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:23:13:23:15 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:39:5:39:31 | cp.spaw ... cmd ]) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:39:26:39:28 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:44:5:44:34 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:54:5:54:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:15:53:17 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:56:5:56:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:56:25:56:58 | ['/C', ... , cmd]) | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:56:5:56:59 | cp.spaw ... cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:56:54:56:56 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:57:5:57:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:49 | url.par ... ry.path | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:57:5:57:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:57:25:57:49 | ['/C', ... at(cmd) | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:67:3:67:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:48:15:48:17 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:67:3:67:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:66:19:66:22 | args | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value |
| child_process-test.js:75:29:75:31 | cmd | child_process-test.js:73:25:73:31 | req.url | child_process-test.js:75:29:75:31 | cmd | This command line depends on a $@. | child_process-test.js:73:25:73:31 | req.url | user-provided value |
| child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | This command line depends on a $@. | child_process-test.js:83:19:83:36 | req.query.fileName | user-provided value |
| child_process-test.js:94:11:94:35 | "ping " ... ms.host | child_process-test.js:94:21:94:30 | ctx.params | child_process-test.js:94:11:94:35 | "ping " ... ms.host | This command line depends on a $@. | child_process-test.js:94:21:94:30 | ctx.params | user-provided value |
| command-line-libs.js:14:8:14:18 | options.cmd | command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:14:8:14:18 | options.cmd | This command line depends on a $@. | command-line-libs.js:9:16:9:23 | req.body | user-provided value |
| command-line-libs.js:15:8:15:18 | program.cmd | command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:15:8:15:18 | program.cmd | This command line depends on a $@. | command-line-libs.js:9:16:9:23 | req.body | user-provided value |
| command-line-libs.js:21:12:21:17 | script | command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:21:12:21:17 | script | This command line depends on a $@. | command-line-libs.js:9:16:9:23 | req.body | user-provided value |
| command-line-libs.js:29:10:29:24 | parsed['--cmd'] | command-line-libs.js:27:23:27:30 | req.body | command-line-libs.js:29:10:29:24 | parsed['--cmd'] | This command line depends on a $@. | command-line-libs.js:27:23:27:30 | req.body | user-provided value |
| command-line-libs.js:37:8:37:18 | options.cmd | command-line-libs.js:35:62:35:69 | req.body | command-line-libs.js:37:8:37:18 | options.cmd | This command line depends on a $@. | command-line-libs.js:35:62:35:69 | req.body | user-provided value |
| command-line-libs.js:49:8:49:17 | parsed.cmd | command-line-libs.js:42:16:42:23 | req.body | command-line-libs.js:49:8:49:17 | parsed.cmd | This command line depends on a $@. | command-line-libs.js:42:16:42:23 | req.body | user-provided value |
| exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command line depends on a $@. | exec-sh2.js:14:25:14:31 | req.url | user-provided value |
| exec-sh.js:15:12:15:61 | cp.spaw ... ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command line depends on a $@. | exec-sh.js:19:25:19:31 | req.url | user-provided value |
| execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command line depends on a $@. | execSeries.js:18:34:18:40 | req.url | user-provided value |
| execa.js:11:15:11:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:11:15:11:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:13:32:13:34 | cmd | execa.js:6:25:6:31 | req.url | execa.js:13:32:13:34 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:14:31:14:33 | cmd | execa.js:6:25:6:31 | req.url | execa.js:14:31:14:33 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:17:14:17:16 | cmd | execa.js:6:25:6:31 | req.url | execa.js:17:14:17:16 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:19:32:19:34 | cmd | execa.js:6:25:6:31 | req.url | execa.js:19:32:19:34 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:20:33:20:35 | cmd | execa.js:6:25:6:31 | req.url | execa.js:20:33:20:35 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:23:17:23:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:23:17:23:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:24:17:24:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:24:17:24:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:25:17:25:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:25:17:25:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:27:15:27:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:27:15:27:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:28:15:28:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:28:15:28:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:30:24:30:47 | cmd + a ... + arg3 | execa.js:6:25:6:31 | req.url | execa.js:30:24:30:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:30:24:30:47 | cmd + a ... + arg3 | execa.js:7:26:7:32 | req.url | execa.js:30:24:30:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
| execa.js:30:24:30:47 | cmd + a ... + arg3 | execa.js:8:26:8:32 | req.url | execa.js:30:24:30:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
| execa.js:30:24:30:47 | cmd + a ... + arg3 | execa.js:9:26:9:32 | req.url | execa.js:30:24:30:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
| execa.js:31:24:31:47 | cmd + a ... + arg3 | execa.js:6:25:6:31 | req.url | execa.js:31:24:31:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:31:24:31:47 | cmd + a ... + arg3 | execa.js:7:26:7:32 | req.url | execa.js:31:24:31:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
| execa.js:31:24:31:47 | cmd + a ... + arg3 | execa.js:8:26:8:32 | req.url | execa.js:31:24:31:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
| execa.js:31:24:31:47 | cmd + a ... + arg3 | execa.js:9:26:9:32 | req.url | execa.js:31:24:31:47 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
| execa.js:33:22:33:45 | cmd + a ... + arg3 | execa.js:6:25:6:31 | req.url | execa.js:33:22:33:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:33:22:33:45 | cmd + a ... + arg3 | execa.js:7:26:7:32 | req.url | execa.js:33:22:33:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
| execa.js:33:22:33:45 | cmd + a ... + arg3 | execa.js:8:26:8:32 | req.url | execa.js:33:22:33:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
| execa.js:33:22:33:45 | cmd + a ... + arg3 | execa.js:9:26:9:32 | req.url | execa.js:33:22:33:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
| execa.js:34:22:34:45 | cmd + a ... + arg3 | execa.js:6:25:6:31 | req.url | execa.js:34:22:34:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
| execa.js:34:22:34:45 | cmd + a ... + arg3 | execa.js:7:26:7:32 | req.url | execa.js:34:22:34:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
| execa.js:34:22:34:45 | cmd + a ... + arg3 | execa.js:8:26:8:32 | req.url | execa.js:34:22:34:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
| execa.js:34:22:34:45 | cmd + a ... + arg3 | execa.js:9:26:9:32 | req.url | execa.js:34:22:34:45 | cmd + a ... + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
| form-parsers.js:9:8:9:39 | "touch ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch ... nalname | This command line depends on a $@. | form-parsers.js:9:19:9:26 | req.file | user-provided value |
| form-parsers.js:14:10:14:37 | "touch ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch ... nalname | This command line depends on a $@. | form-parsers.js:13:3:13:11 | req.files | user-provided value |
| form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command line depends on a $@. | form-parsers.js:24:48:24:55 | filename | user-provided value |
| form-parsers.js:36:10:36:31 | "touch ... ds.name | form-parsers.js:35:25:35:30 | fields | form-parsers.js:36:10:36:31 | "touch ... ds.name | This command line depends on a $@. | form-parsers.js:35:25:35:30 | fields | user-provided value |
| form-parsers.js:41:10:41:31 | "touch ... ds.name | form-parsers.js:40:26:40:31 | fields | form-parsers.js:41:10:41:31 | "touch ... ds.name | This command line depends on a $@. | form-parsers.js:40:26:40:31 | fields | user-provided value |
| form-parsers.js:53:10:53:31 | "touch ... ds.name | form-parsers.js:52:34:52:39 | fields | form-parsers.js:53:10:53:31 | "touch ... ds.name | This command line depends on a $@. | form-parsers.js:52:34:52:39 | fields | user-provided value |
| form-parsers.js:59:10:59:33 | "touch ... ilename | form-parsers.js:58:30:58:33 | part | form-parsers.js:59:10:59:33 | "touch ... ilename | This command line depends on a $@. | form-parsers.js:58:30:58:33 | part | user-provided value |
| other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:9:32:9:34 | cmd | other.js:5:25:5:31 | req.url | other.js:9:32:9:34 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:10:29:10:31 | cmd | other.js:5:25:5:31 | req.url | other.js:10:29:10:31 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:11:29:11:31 | cmd | other.js:5:25:5:31 | req.url | other.js:11:29:11:31 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:12:27:12:29 | cmd | other.js:5:25:5:31 | req.url | other.js:12:27:12:29 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:14:28:14:30 | cmd | other.js:5:25:5:31 | req.url | other.js:14:28:14:30 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:15:34:15:36 | cmd | other.js:5:25:5:31 | req.url | other.js:15:34:15:36 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:16:21:16:23 | cmd | other.js:5:25:5:31 | req.url | other.js:16:21:16:23 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:17:27:17:29 | cmd | other.js:5:25:5:31 | req.url | other.js:17:27:17:29 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:18:22:18:24 | cmd | other.js:5:25:5:31 | req.url | other.js:18:22:18:24 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:19:36:19:38 | cmd | other.js:5:25:5:31 | req.url | other.js:19:36:19:38 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:22:21:22:23 | cmd | other.js:5:25:5:31 | req.url | other.js:22:21:22:23 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:23:28:23:30 | cmd | other.js:5:25:5:31 | req.url | other.js:23:28:23:30 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:26:34:26:36 | cmd | other.js:5:25:5:31 | req.url | other.js:26:34:26:36 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:28:27:28:29 | cmd | other.js:5:25:5:31 | req.url | other.js:28:27:28:29 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:30:33:30:35 | cmd | other.js:5:25:5:31 | req.url | other.js:30:33:30:35 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| other.js:34:44:34:46 | cmd | other.js:5:25:5:31 | req.url | other.js:34:44:34:46 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
| third-party-command-injection.js:6:21:6:27 | command | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | This command line depends on a $@. | third-party-command-injection.js:5:20:5:26 | command | user-provided value |
edges
| actions.js:8:9:8:57 | title | actions.js:9:16:9:20 | title | provenance | |
| actions.js:8:17:8:57 | github. ... t.title | actions.js:8:9:8:57 | title | provenance | |
| actions.js:9:16:9:20 | title | actions.js:9:8:9:22 | `echo ${title}` | provenance | |
| actions.js:18:9:18:63 | head_ref | actions.js:19:22:19:29 | head_ref | provenance | |
| actions.js:18:20:18:63 | github. ... ead.ref | actions.js:18:9:18:63 | head_ref | provenance | |
| actions.js:19:22:19:29 | head_ref | actions.js:19:14:19:31 | `echo ${head_ref}` | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:18:17:18:19 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:19:17:19:19 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:20:21:20:23 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:21:14:21:16 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:22:18:22:20 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:23:13:23:15 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:25:21:25:23 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:39:26:39:28 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:43:15:43:17 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:48:15:48:17 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:48:15:48:17 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:53:15:53:17 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:56:54:56:56 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:56:54:56:56 | cmd | provenance | |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:57:46:57:48 | cmd | provenance | |
| child_process-test.js:6:15:6:38 | url.par ... , true) | child_process-test.js:6:9:6:49 | cmd | provenance | |
| child_process-test.js:6:15:6:38 | url.par ... , true) | child_process-test.js:6:15:6:49 | url.par ... ry.path | provenance | |
| child_process-test.js:6:15:6:38 | url.par ... , true) | child_process-test.js:6:15:6:49 | url.par ... ry.path | provenance | |
| child_process-test.js:6:15:6:49 | url.par ... ry.path | child_process-test.js:6:9:6:49 | cmd | provenance | |
| child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) | provenance | |
| child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | provenance | |
| child_process-test.js:48:5:48:8 | [post update] args [1] | child_process-test.js:49:15:49:18 | args [1] | provenance | |
| child_process-test.js:48:15:48:17 | cmd | child_process-test.js:48:5:48:8 | [post update] args [1] | provenance | |
| child_process-test.js:49:15:49:18 | args [1] | child_process-test.js:66:19:66:22 | args | provenance | |
| child_process-test.js:56:46:56:57 | ["bar", cmd] [1] | child_process-test.js:56:25:56:58 | ['/C', ... , cmd]) | provenance | |
| child_process-test.js:56:54:56:56 | cmd | child_process-test.js:56:46:56:57 | ["bar", cmd] [1] | provenance | |
| child_process-test.js:57:46:57:48 | cmd | child_process-test.js:57:25:57:49 | ['/C', ... at(cmd) | provenance | |
| child_process-test.js:73:9:73:49 | cmd | child_process-test.js:75:29:75:31 | cmd | provenance | |
| child_process-test.js:73:15:73:38 | url.par ... , true) | child_process-test.js:73:9:73:49 | cmd | provenance | |
| child_process-test.js:73:25:73:31 | req.url | child_process-test.js:73:15:73:38 | url.par ... , true) | provenance | |
| child_process-test.js:94:21:94:30 | ctx.params | child_process-test.js:94:11:94:35 | "ping " ... ms.host | provenance | |
| command-line-libs.js:9:9:9:34 | args | command-line-libs.js:12:17:12:20 | args | provenance | |
| command-line-libs.js:9:9:9:34 | args | command-line-libs.js:23:29:23:32 | args | provenance | |
| command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:9:9:9:34 | args | provenance | |
| command-line-libs.js:12:17:12:20 | args | command-line-libs.js:13:19:13:32 | program.opts() | provenance | |
| command-line-libs.js:12:17:12:20 | args | command-line-libs.js:15:8:15:18 | program.cmd | provenance | |
| command-line-libs.js:12:17:12:20 | args | command-line-libs.js:20:14:20:19 | script | provenance | |
| command-line-libs.js:13:9:13:32 | options | command-line-libs.js:14:8:14:14 | options | provenance | |
| command-line-libs.js:13:19:13:32 | program.opts() | command-line-libs.js:13:9:13:32 | options | provenance | |
| command-line-libs.js:14:8:14:14 | options | command-line-libs.js:14:8:14:18 | options.cmd | provenance | |
| command-line-libs.js:20:14:20:19 | script | command-line-libs.js:21:12:21:17 | script | provenance | |
| command-line-libs.js:23:29:23:32 | args | command-line-libs.js:20:14:20:19 | script | provenance | |
| command-line-libs.js:27:11:27:41 | argsArray | command-line-libs.js:28:53:28:61 | argsArray | provenance | |
| command-line-libs.js:27:23:27:30 | req.body | command-line-libs.js:27:11:27:41 | argsArray | provenance | |
| command-line-libs.js:28:11:28:64 | parsed | command-line-libs.js:29:10:29:15 | parsed | provenance | |
| command-line-libs.js:28:20:28:64 | arg({ ' ... rray }) | command-line-libs.js:28:11:28:64 | parsed | provenance | |
| command-line-libs.js:28:53:28:61 | argsArray | command-line-libs.js:28:20:28:64 | arg({ ' ... rray }) | provenance | |
| command-line-libs.js:29:10:29:15 | parsed | command-line-libs.js:29:10:29:24 | parsed['--cmd'] | provenance | |
| command-line-libs.js:35:9:35:83 | options | command-line-libs.js:37:8:37:14 | options | provenance | |
| command-line-libs.js:35:19:35:83 | command ... \| [] }) | command-line-libs.js:35:9:35:83 | options | provenance | |
| command-line-libs.js:35:62:35:69 | req.body | command-line-libs.js:35:19:35:83 | command ... \| [] }) | provenance | |
| command-line-libs.js:37:8:37:14 | options | command-line-libs.js:37:8:37:18 | options.cmd | provenance | |
| command-line-libs.js:42:9:42:34 | args | command-line-libs.js:43:24:43:27 | args | provenance | |
| command-line-libs.js:42:16:42:23 | req.body | command-line-libs.js:42:9:42:34 | args | provenance | |
| command-line-libs.js:43:9:47:12 | parsed | command-line-libs.js:49:8:49:13 | parsed | provenance | |
| command-line-libs.js:43:18:43:28 | yargs(args) | command-line-libs.js:43:18:47:4 | yargs(a ... ue\\n }) | provenance | |
| command-line-libs.js:43:18:47:4 | yargs(a ... ue\\n }) | command-line-libs.js:43:18:47:12 | yargs(a ... parse() | provenance | |
| command-line-libs.js:43:18:47:12 | yargs(a ... parse() | command-line-libs.js:43:9:47:12 | parsed | provenance | |
| command-line-libs.js:43:24:43:27 | args | command-line-libs.js:43:18:43:28 | yargs(args) | provenance | |
| command-line-libs.js:49:8:49:13 | parsed | command-line-libs.js:49:8:49:17 | parsed.cmd | provenance | |
| exec-sh2.js:9:17:9:23 | command | exec-sh2.js:10:40:10:46 | command | provenance | |
| exec-sh2.js:14:9:14:49 | cmd | exec-sh2.js:15:12:15:14 | cmd | provenance | |
| exec-sh2.js:14:15:14:38 | url.par ... , true) | exec-sh2.js:14:9:14:49 | cmd | provenance | |
| exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:14:15:14:38 | url.par ... , true) | provenance | |
| exec-sh2.js:15:12:15:14 | cmd | exec-sh2.js:9:17:9:23 | command | provenance | |
| exec-sh.js:13:17:13:23 | command | exec-sh.js:15:44:15:50 | command | provenance | |
| exec-sh.js:19:9:19:49 | cmd | exec-sh.js:20:12:20:14 | cmd | provenance | |
| exec-sh.js:19:15:19:38 | url.par ... , true) | exec-sh.js:19:9:19:49 | cmd | provenance | |
| exec-sh.js:19:25:19:31 | req.url | exec-sh.js:19:15:19:38 | url.par ... , true) | provenance | |
| exec-sh.js:20:12:20:14 | cmd | exec-sh.js:13:17:13:23 | command | provenance | |
| execSeries.js:3:20:3:22 | arr [0] | execSeries.js:5:3:10:4 | (functi ... );\\n }) [arr, 0] | provenance | |
| execSeries.js:3:20:3:22 | arr [0] | execSeries.js:6:14:6:16 | arr [0] | provenance | |
| execSeries.js:5:3:10:4 | (functi ... );\\n }) [arr, 0] | execSeries.js:6:14:6:16 | arr [0] | provenance | |
| execSeries.js:6:14:6:16 | arr [0] | execSeries.js:6:14:6:21 | arr[i++] | provenance | |
| execSeries.js:6:14:6:21 | arr[i++] | execSeries.js:14:24:14:30 | command | provenance | |
| execSeries.js:13:19:13:26 | commands [0] | execSeries.js:14:13:14:20 | commands [0] | provenance | |
| execSeries.js:14:13:14:20 | commands [0] | execSeries.js:3:20:3:22 | arr [0] | provenance | |
| execSeries.js:14:24:14:30 | command | execSeries.js:14:41:14:47 | command | provenance | |
| execSeries.js:18:7:18:58 | cmd | execSeries.js:19:13:19:15 | cmd | provenance | |
| execSeries.js:18:13:18:47 | require ... , true) | execSeries.js:18:7:18:58 | cmd | provenance | |
| execSeries.js:18:34:18:40 | req.url | execSeries.js:18:13:18:47 | require ... , true) | provenance | |
| execSeries.js:19:12:19:16 | [cmd] [0] | execSeries.js:13:19:13:26 | commands [0] | provenance | |
| execSeries.js:19:13:19:15 | cmd | execSeries.js:19:12:19:16 | [cmd] [0] | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:11:15:11:17 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:13:32:13:34 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:14:31:14:33 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:17:14:17:16 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:19:32:19:34 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:20:33:20:35 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:23:17:23:19 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:24:17:24:19 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:25:17:25:19 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:27:15:27:17 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:28:15:28:17 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:30:24:30:26 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:31:24:31:26 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:33:22:33:24 | cmd | provenance | |
| execa.js:6:9:6:54 | cmd | execa.js:34:22:34:24 | cmd | provenance | |
| execa.js:6:15:6:38 | url.par ... , true) | execa.js:6:9:6:54 | cmd | provenance | |
| execa.js:6:25:6:31 | req.url | execa.js:6:15:6:38 | url.par ... , true) | provenance | |
| execa.js:7:9:7:53 | arg1 | execa.js:30:30:30:33 | arg1 | provenance | |
| execa.js:7:9:7:53 | arg1 | execa.js:31:30:31:33 | arg1 | provenance | |
| execa.js:7:9:7:53 | arg1 | execa.js:33:28:33:31 | arg1 | provenance | |
| execa.js:7:9:7:53 | arg1 | execa.js:34:28:34:31 | arg1 | provenance | |
| execa.js:7:16:7:39 | url.par ... , true) | execa.js:7:9:7:53 | arg1 | provenance | |
| execa.js:7:26:7:32 | req.url | execa.js:7:16:7:39 | url.par ... , true) | provenance | |
| execa.js:8:9:8:53 | arg2 | execa.js:30:37:30:40 | arg2 | provenance | |
| execa.js:8:9:8:53 | arg2 | execa.js:31:37:31:40 | arg2 | provenance | |
| execa.js:8:9:8:53 | arg2 | execa.js:33:35:33:38 | arg2 | provenance | |
| execa.js:8:9:8:53 | arg2 | execa.js:34:35:34:38 | arg2 | provenance | |
| execa.js:8:16:8:39 | url.par ... , true) | execa.js:8:9:8:53 | arg2 | provenance | |
| execa.js:8:26:8:32 | req.url | execa.js:8:16:8:39 | url.par ... , true) | provenance | |
| execa.js:9:9:9:53 | arg3 | execa.js:30:44:30:47 | arg3 | provenance | |
| execa.js:9:9:9:53 | arg3 | execa.js:31:44:31:47 | arg3 | provenance | |
| execa.js:9:9:9:53 | arg3 | execa.js:33:42:33:45 | arg3 | provenance | |
| execa.js:9:9:9:53 | arg3 | execa.js:34:42:34:45 | arg3 | provenance | |
| execa.js:9:16:9:39 | url.par ... , true) | execa.js:9:9:9:53 | arg3 | provenance | |
| execa.js:9:26:9:32 | req.url | execa.js:9:16:9:39 | url.par ... , true) | provenance | |
| execa.js:30:24:30:26 | cmd | execa.js:30:24:30:47 | cmd + a ... + arg3 | provenance | |
| execa.js:30:30:30:33 | arg1 | execa.js:30:24:30:47 | cmd + a ... + arg3 | provenance | |
| execa.js:30:37:30:40 | arg2 | execa.js:30:24:30:47 | cmd + a ... + arg3 | provenance | |
| execa.js:30:44:30:47 | arg3 | execa.js:30:24:30:47 | cmd + a ... + arg3 | provenance | |
| execa.js:31:24:31:26 | cmd | execa.js:31:24:31:47 | cmd + a ... + arg3 | provenance | |
| execa.js:31:30:31:33 | arg1 | execa.js:31:24:31:47 | cmd + a ... + arg3 | provenance | |
| execa.js:31:37:31:40 | arg2 | execa.js:31:24:31:47 | cmd + a ... + arg3 | provenance | |
| execa.js:31:44:31:47 | arg3 | execa.js:31:24:31:47 | cmd + a ... + arg3 | provenance | |
| execa.js:33:22:33:24 | cmd | execa.js:33:22:33:45 | cmd + a ... + arg3 | provenance | |
| execa.js:33:28:33:31 | arg1 | execa.js:33:22:33:45 | cmd + a ... + arg3 | provenance | |
| execa.js:33:35:33:38 | arg2 | execa.js:33:22:33:45 | cmd + a ... + arg3 | provenance | |
| execa.js:33:42:33:45 | arg3 | execa.js:33:22:33:45 | cmd + a ... + arg3 | provenance | |
| execa.js:34:22:34:24 | cmd | execa.js:34:22:34:45 | cmd + a ... + arg3 | provenance | |
| execa.js:34:28:34:31 | arg1 | execa.js:34:22:34:45 | cmd + a ... + arg3 | provenance | |
| execa.js:34:35:34:38 | arg2 | execa.js:34:22:34:45 | cmd + a ... + arg3 | provenance | |
| execa.js:34:42:34:45 | arg3 | execa.js:34:22:34:45 | cmd + a ... + arg3 | provenance | |
| form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch ... nalname | provenance | |
| form-parsers.js:13:3:13:11 | req.files | form-parsers.js:13:21:13:24 | file | provenance | |
| form-parsers.js:13:21:13:24 | file | form-parsers.js:14:21:14:24 | file | provenance | |
| form-parsers.js:14:21:14:24 | file | form-parsers.js:14:10:14:37 | "touch ... nalname | provenance | |
| form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:21:25:28 | filename | provenance | |
| form-parsers.js:25:21:25:28 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | provenance | |
| form-parsers.js:35:25:35:30 | fields | form-parsers.js:36:21:36:26 | fields | provenance | |
| form-parsers.js:36:21:36:26 | fields | form-parsers.js:36:10:36:31 | "touch ... ds.name | provenance | |
| form-parsers.js:40:26:40:31 | fields | form-parsers.js:41:21:41:26 | fields | provenance | |
| form-parsers.js:41:21:41:26 | fields | form-parsers.js:41:10:41:31 | "touch ... ds.name | provenance | |
| form-parsers.js:52:34:52:39 | fields | form-parsers.js:53:21:53:26 | fields | provenance | |
| form-parsers.js:53:21:53:26 | fields | form-parsers.js:53:10:53:31 | "touch ... ds.name | provenance | |
| form-parsers.js:58:30:58:33 | part | form-parsers.js:59:21:59:24 | part | provenance | |
| form-parsers.js:59:21:59:24 | part | form-parsers.js:59:10:59:33 | "touch ... ilename | provenance | |
| other.js:5:9:5:49 | cmd | other.js:7:33:7:35 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:8:28:8:30 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:9:32:9:34 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:10:29:10:31 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:11:29:11:31 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:12:27:12:29 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:14:28:14:30 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:15:34:15:36 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:16:21:16:23 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:17:27:17:29 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:18:22:18:24 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:19:36:19:38 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:22:21:22:23 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:23:28:23:30 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:26:34:26:36 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:28:27:28:29 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:30:33:30:35 | cmd | provenance | |
| other.js:5:9:5:49 | cmd | other.js:34:44:34:46 | cmd | provenance | |
| other.js:5:15:5:38 | url.par ... , true) | other.js:5:9:5:49 | cmd | provenance | |
| other.js:5:25:5:31 | req.url | other.js:5:15:5:38 | url.par ... , true) | provenance | |
| third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | provenance | |
nodes
| actions.js:8:9:8:57 | title | semmle.label | title |
| actions.js:8:17:8:57 | github. ... t.title | semmle.label | github. ... t.title |
| actions.js:9:8:9:22 | `echo ${title}` | semmle.label | `echo ${title}` |
| actions.js:9:16:9:20 | title | semmle.label | title |
| actions.js:18:9:18:63 | head_ref | semmle.label | head_ref |
| actions.js:18:20:18:63 | github. ... ead.ref | semmle.label | github. ... ead.ref |
| actions.js:19:14:19:31 | `echo ${head_ref}` | semmle.label | `echo ${head_ref}` |
| actions.js:19:22:19:29 | head_ref | semmle.label | head_ref |
| child_process-test.js:6:9:6:49 | cmd | semmle.label | cmd |
| child_process-test.js:6:15:6:38 | url.par ... , true) | semmle.label | url.par ... , true) |
| child_process-test.js:6:15:6:49 | url.par ... ry.path | semmle.label | url.par ... ry.path |
| child_process-test.js:6:15:6:49 | url.par ... ry.path | semmle.label | url.par ... ry.path |
| child_process-test.js:6:25:6:31 | req.url | semmle.label | req.url |
| child_process-test.js:17:13:17:15 | cmd | semmle.label | cmd |
| child_process-test.js:18:17:18:19 | cmd | semmle.label | cmd |
| child_process-test.js:19:17:19:19 | cmd | semmle.label | cmd |
| child_process-test.js:20:21:20:23 | cmd | semmle.label | cmd |
| child_process-test.js:21:14:21:16 | cmd | semmle.label | cmd |
| child_process-test.js:22:18:22:20 | cmd | semmle.label | cmd |
| child_process-test.js:23:13:23:15 | cmd | semmle.label | cmd |
| child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | semmle.label | "foo" + cmd + "bar" |
| child_process-test.js:25:21:25:23 | cmd | semmle.label | cmd |
| child_process-test.js:39:26:39:28 | cmd | semmle.label | cmd |
| child_process-test.js:43:15:43:17 | cmd | semmle.label | cmd |
| child_process-test.js:48:5:48:8 | [post update] args [1] | semmle.label | [post update] args [1] |
| child_process-test.js:48:15:48:17 | cmd | semmle.label | cmd |
| child_process-test.js:48:15:48:17 | cmd | semmle.label | cmd |
| child_process-test.js:49:15:49:18 | args [1] | semmle.label | args [1] |
| child_process-test.js:53:15:53:17 | cmd | semmle.label | cmd |
| child_process-test.js:56:25:56:58 | ['/C', ... , cmd]) | semmle.label | ['/C', ... , cmd]) |
| child_process-test.js:56:46:56:57 | ["bar", cmd] [1] | semmle.label | ["bar", cmd] [1] |
| child_process-test.js:56:54:56:56 | cmd | semmle.label | cmd |
| child_process-test.js:56:54:56:56 | cmd | semmle.label | cmd |
| child_process-test.js:57:25:57:49 | ['/C', ... at(cmd) | semmle.label | ['/C', ... at(cmd) |
| child_process-test.js:57:46:57:48 | cmd | semmle.label | cmd |
| child_process-test.js:66:19:66:22 | args | semmle.label | args |
| child_process-test.js:73:9:73:49 | cmd | semmle.label | cmd |
| child_process-test.js:73:15:73:38 | url.par ... , true) | semmle.label | url.par ... , true) |
| child_process-test.js:73:25:73:31 | req.url | semmle.label | req.url |
| child_process-test.js:75:29:75:31 | cmd | semmle.label | cmd |
| child_process-test.js:83:19:83:36 | req.query.fileName | semmle.label | req.query.fileName |
| child_process-test.js:94:11:94:35 | "ping " ... ms.host | semmle.label | "ping " ... ms.host |
| child_process-test.js:94:21:94:30 | ctx.params | semmle.label | ctx.params |
| command-line-libs.js:9:9:9:34 | args | semmle.label | args |
| command-line-libs.js:9:16:9:23 | req.body | semmle.label | req.body |
| command-line-libs.js:12:17:12:20 | args | semmle.label | args |
| command-line-libs.js:13:9:13:32 | options | semmle.label | options |
| command-line-libs.js:13:19:13:32 | program.opts() | semmle.label | program.opts() |
| command-line-libs.js:14:8:14:14 | options | semmle.label | options |
| command-line-libs.js:14:8:14:18 | options.cmd | semmle.label | options.cmd |
| command-line-libs.js:15:8:15:18 | program.cmd | semmle.label | program.cmd |
| command-line-libs.js:20:14:20:19 | script | semmle.label | script |
| command-line-libs.js:21:12:21:17 | script | semmle.label | script |
| command-line-libs.js:23:29:23:32 | args | semmle.label | args |
| command-line-libs.js:27:11:27:41 | argsArray | semmle.label | argsArray |
| command-line-libs.js:27:23:27:30 | req.body | semmle.label | req.body |
| command-line-libs.js:28:11:28:64 | parsed | semmle.label | parsed |
| command-line-libs.js:28:20:28:64 | arg({ ' ... rray }) | semmle.label | arg({ ' ... rray }) |
| command-line-libs.js:28:53:28:61 | argsArray | semmle.label | argsArray |
| command-line-libs.js:29:10:29:15 | parsed | semmle.label | parsed |
| command-line-libs.js:29:10:29:24 | parsed['--cmd'] | semmle.label | parsed['--cmd'] |
| command-line-libs.js:35:9:35:83 | options | semmle.label | options |
| command-line-libs.js:35:19:35:83 | command ... \| [] }) | semmle.label | command ... \| [] }) |
| command-line-libs.js:35:62:35:69 | req.body | semmle.label | req.body |
| command-line-libs.js:37:8:37:14 | options | semmle.label | options |
| command-line-libs.js:37:8:37:18 | options.cmd | semmle.label | options.cmd |
| command-line-libs.js:42:9:42:34 | args | semmle.label | args |
| command-line-libs.js:42:16:42:23 | req.body | semmle.label | req.body |
| command-line-libs.js:43:9:47:12 | parsed | semmle.label | parsed |
| command-line-libs.js:43:18:43:28 | yargs(args) | semmle.label | yargs(args) |
| command-line-libs.js:43:18:47:4 | yargs(a ... ue\\n }) | semmle.label | yargs(a ... ue\\n }) |
| command-line-libs.js:43:18:47:12 | yargs(a ... parse() | semmle.label | yargs(a ... parse() |
| command-line-libs.js:43:24:43:27 | args | semmle.label | args |
| command-line-libs.js:49:8:49:13 | parsed | semmle.label | parsed |
| command-line-libs.js:49:8:49:17 | parsed.cmd | semmle.label | parsed.cmd |
| exec-sh2.js:9:17:9:23 | command | semmle.label | command |
| exec-sh2.js:10:40:10:46 | command | semmle.label | command |
| exec-sh2.js:14:9:14:49 | cmd | semmle.label | cmd |
| exec-sh2.js:14:15:14:38 | url.par ... , true) | semmle.label | url.par ... , true) |
| exec-sh2.js:14:25:14:31 | req.url | semmle.label | req.url |
| exec-sh2.js:15:12:15:14 | cmd | semmle.label | cmd |
| exec-sh.js:13:17:13:23 | command | semmle.label | command |
| exec-sh.js:15:44:15:50 | command | semmle.label | command |
| exec-sh.js:19:9:19:49 | cmd | semmle.label | cmd |
| exec-sh.js:19:15:19:38 | url.par ... , true) | semmle.label | url.par ... , true) |
| exec-sh.js:19:25:19:31 | req.url | semmle.label | req.url |
| exec-sh.js:20:12:20:14 | cmd | semmle.label | cmd |
| execSeries.js:3:20:3:22 | arr [0] | semmle.label | arr [0] |
| execSeries.js:5:3:10:4 | (functi ... );\\n }) [arr, 0] | semmle.label | (functi ... );\\n }) [arr, 0] |
| execSeries.js:6:14:6:16 | arr [0] | semmle.label | arr [0] |
| execSeries.js:6:14:6:21 | arr[i++] | semmle.label | arr[i++] |
| execSeries.js:13:19:13:26 | commands [0] | semmle.label | commands [0] |
| execSeries.js:14:13:14:20 | commands [0] | semmle.label | commands [0] |
| execSeries.js:14:24:14:30 | command | semmle.label | command |
| execSeries.js:14:41:14:47 | command | semmle.label | command |
| execSeries.js:18:7:18:58 | cmd | semmle.label | cmd |
| execSeries.js:18:13:18:47 | require ... , true) | semmle.label | require ... , true) |
| execSeries.js:18:34:18:40 | req.url | semmle.label | req.url |
| execSeries.js:19:12:19:16 | [cmd] [0] | semmle.label | [cmd] [0] |
| execSeries.js:19:13:19:15 | cmd | semmle.label | cmd |
| execa.js:6:9:6:54 | cmd | semmle.label | cmd |
| execa.js:6:15:6:38 | url.par ... , true) | semmle.label | url.par ... , true) |
| execa.js:6:25:6:31 | req.url | semmle.label | req.url |
| execa.js:7:9:7:53 | arg1 | semmle.label | arg1 |
| execa.js:7:16:7:39 | url.par ... , true) | semmle.label | url.par ... , true) |
| execa.js:7:26:7:32 | req.url | semmle.label | req.url |
| execa.js:8:9:8:53 | arg2 | semmle.label | arg2 |
| execa.js:8:16:8:39 | url.par ... , true) | semmle.label | url.par ... , true) |
| execa.js:8:26:8:32 | req.url | semmle.label | req.url |
| execa.js:9:9:9:53 | arg3 | semmle.label | arg3 |
| execa.js:9:16:9:39 | url.par ... , true) | semmle.label | url.par ... , true) |
| execa.js:9:26:9:32 | req.url | semmle.label | req.url |
| execa.js:11:15:11:17 | cmd | semmle.label | cmd |
| execa.js:13:32:13:34 | cmd | semmle.label | cmd |
| execa.js:14:31:14:33 | cmd | semmle.label | cmd |
| execa.js:17:14:17:16 | cmd | semmle.label | cmd |
| execa.js:19:32:19:34 | cmd | semmle.label | cmd |
| execa.js:20:33:20:35 | cmd | semmle.label | cmd |
| execa.js:23:17:23:19 | cmd | semmle.label | cmd |
| execa.js:24:17:24:19 | cmd | semmle.label | cmd |
| execa.js:25:17:25:19 | cmd | semmle.label | cmd |
| execa.js:27:15:27:17 | cmd | semmle.label | cmd |
| execa.js:28:15:28:17 | cmd | semmle.label | cmd |
| execa.js:30:24:30:26 | cmd | semmle.label | cmd |
| execa.js:30:24:30:47 | cmd + a ... + arg3 | semmle.label | cmd + a ... + arg3 |
| execa.js:30:30:30:33 | arg1 | semmle.label | arg1 |
| execa.js:30:37:30:40 | arg2 | semmle.label | arg2 |
| execa.js:30:44:30:47 | arg3 | semmle.label | arg3 |
| execa.js:31:24:31:26 | cmd | semmle.label | cmd |
| execa.js:31:24:31:47 | cmd + a ... + arg3 | semmle.label | cmd + a ... + arg3 |
| execa.js:31:30:31:33 | arg1 | semmle.label | arg1 |
| execa.js:31:37:31:40 | arg2 | semmle.label | arg2 |
| execa.js:31:44:31:47 | arg3 | semmle.label | arg3 |
| execa.js:33:22:33:24 | cmd | semmle.label | cmd |
| execa.js:33:22:33:45 | cmd + a ... + arg3 | semmle.label | cmd + a ... + arg3 |
| execa.js:33:28:33:31 | arg1 | semmle.label | arg1 |
| execa.js:33:35:33:38 | arg2 | semmle.label | arg2 |
| execa.js:33:42:33:45 | arg3 | semmle.label | arg3 |
| execa.js:34:22:34:24 | cmd | semmle.label | cmd |
| execa.js:34:22:34:45 | cmd + a ... + arg3 | semmle.label | cmd + a ... + arg3 |
| execa.js:34:28:34:31 | arg1 | semmle.label | arg1 |
| execa.js:34:35:34:38 | arg2 | semmle.label | arg2 |
| execa.js:34:42:34:45 | arg3 | semmle.label | arg3 |
| form-parsers.js:9:8:9:39 | "touch ... nalname | semmle.label | "touch ... nalname |
| form-parsers.js:9:19:9:26 | req.file | semmle.label | req.file |
| form-parsers.js:13:3:13:11 | req.files | semmle.label | req.files |
| form-parsers.js:13:21:13:24 | file | semmle.label | file |
| form-parsers.js:14:10:14:37 | "touch ... nalname | semmle.label | "touch ... nalname |
| form-parsers.js:14:21:14:24 | file | semmle.label | file |
| form-parsers.js:24:48:24:55 | filename | semmle.label | filename |
| form-parsers.js:25:10:25:28 | "touch " + filename | semmle.label | "touch " + filename |
| form-parsers.js:25:21:25:28 | filename | semmle.label | filename |
| form-parsers.js:35:25:35:30 | fields | semmle.label | fields |
| form-parsers.js:36:10:36:31 | "touch ... ds.name | semmle.label | "touch ... ds.name |
| form-parsers.js:36:21:36:26 | fields | semmle.label | fields |
| form-parsers.js:40:26:40:31 | fields | semmle.label | fields |
| form-parsers.js:41:10:41:31 | "touch ... ds.name | semmle.label | "touch ... ds.name |
| form-parsers.js:41:21:41:26 | fields | semmle.label | fields |
| form-parsers.js:52:34:52:39 | fields | semmle.label | fields |
| form-parsers.js:53:10:53:31 | "touch ... ds.name | semmle.label | "touch ... ds.name |
| form-parsers.js:53:21:53:26 | fields | semmle.label | fields |
| form-parsers.js:58:30:58:33 | part | semmle.label | part |
| form-parsers.js:59:10:59:33 | "touch ... ilename | semmle.label | "touch ... ilename |
| form-parsers.js:59:21:59:24 | part | semmle.label | part |
| other.js:5:9:5:49 | cmd | semmle.label | cmd |
| other.js:5:15:5:38 | url.par ... , true) | semmle.label | url.par ... , true) |
| other.js:5:25:5:31 | req.url | semmle.label | req.url |
| other.js:7:33:7:35 | cmd | semmle.label | cmd |
| other.js:8:28:8:30 | cmd | semmle.label | cmd |
| other.js:9:32:9:34 | cmd | semmle.label | cmd |
| other.js:10:29:10:31 | cmd | semmle.label | cmd |
| other.js:11:29:11:31 | cmd | semmle.label | cmd |
| other.js:12:27:12:29 | cmd | semmle.label | cmd |
| other.js:14:28:14:30 | cmd | semmle.label | cmd |
| other.js:15:34:15:36 | cmd | semmle.label | cmd |
| other.js:16:21:16:23 | cmd | semmle.label | cmd |
| other.js:17:27:17:29 | cmd | semmle.label | cmd |
| other.js:18:22:18:24 | cmd | semmle.label | cmd |
| other.js:19:36:19:38 | cmd | semmle.label | cmd |
| other.js:22:21:22:23 | cmd | semmle.label | cmd |
| other.js:23:28:23:30 | cmd | semmle.label | cmd |
| other.js:26:34:26:36 | cmd | semmle.label | cmd |
| other.js:28:27:28:29 | cmd | semmle.label | cmd |
| other.js:30:33:30:35 | cmd | semmle.label | cmd |
| other.js:34:44:34:46 | cmd | semmle.label | cmd |
| third-party-command-injection.js:5:20:5:26 | command | semmle.label | command |
| third-party-command-injection.js:6:21:6:27 | command | semmle.label | command |
subpaths
Reference in New Issue View Git Blame Copy Permalink