JS: ShellCommandInjection

d10c · d10c · commit 15bd72426a09 · 2025-07-07T17:51:53.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -30,16 +30,12 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
 
   predicate observeDiffInformedIncrementalMode() { any() }
 
-  Location getASelectedSourceLocation(DataFlow::Node source) {
-    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql@30:8:30:16)
-  }
-
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(DataFlow::Node node |
-      isSinkWithHighlight(sink, node) and
-      result = node.getLocation()
+    exists(DataFlow::Node highlight | result = highlight.getLocation() |
+      if isSinkWithHighlight(sink, _)
+      then isSinkWithHighlight(sink, highlight)
+      else highlight = sink
     )
-    // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql@30:8:30:16)
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -30,16 +30,12 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig`
`30`	`30`
`31`	`31`	`predicate observeDiffInformedIncrementalMode() { any() }`
`32`	`32`
`33`		`- Location getASelectedSourceLocation(DataFlow::Node source) {`
`34`		`- none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql@30:8:30:16)`
`35`		`- }`
`36`		`-`
`37`	`33`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`38`		`- exists(DataFlow::Node node \|`
`39`		`- isSinkWithHighlight(sink, node) and`
`40`		`- result = node.getLocation()`
	`34`	`+ exists(DataFlow::Node highlight \| result = highlight.getLocation() \|`
	`35`	`+ if isSinkWithHighlight(sink, _)`
	`36`	`+ then isSinkWithHighlight(sink, highlight)`
	`37`	`+ else highlight = sink`
`41`	`38`	`)`
`42`		`- // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql@30:8:30:16)`
`43`	`39`	`}`
`44`	`40`	`}`
`45`	`41`