github
diff --git a/‎javascript/ql/lib/semmle/javascript/frameworks/Execa.qll
Lines changed: 13 additions & 7 deletions b/‎javascript/ql/lib/semmle/javascript/frameworks/Execa.qll
Lines changed: 13 additions & 7 deletions
@@ -125,21 +125,22 @@ module Execa {
   class ExecaScript extends SystemCommandExecution, ExecaScriptCall {
     ExecaScript() { isSync = [false, true] }
 
-    override DataFlow::Node getACommandArgument() { result = this.getParameter(1).asSink() }
+    override DataFlow::Node getACommandArgument() {
+      result = this.getParameter(1).asSink() and
+      not isTaggedTemplateFirstChildAnElement(this.getParameter(1).asSink().asExpr().getParent())
+    }
 
     override predicate isShellInterpreted(DataFlow::Node arg) {
       isExecaShellEnable(this.getParameter(0)) and
       arg = this.getAParameter().asSink()
     }
 
     override DataFlow::Node getArgumentList() {
-      result = this.getParameter(any(int i | i > 2)).asSink() and
-      // here I should check if the first parameter of Template literal is the rightmost string of this Template literal then the arguments of this command execution will be the second and third and .. parameters
-      not exists(string s | this.getACall().getArgument(0).mayHaveStringValue(s) | s.matches(""))
+      result = this.getParameter(any(int i | i >= 1)).asSink() and
+      isTaggedTemplateFirstChildAnElement(this.getParameter(1).asSink().asExpr().getParent())
       or
-      result = this.getParameter(any(int i | i > 1)).asSink() and
-      // here I should check if the first parameter of Template literal is a constant which is the command, then the arguments of this command execution will be the first, second and third and .. parameters
-      not exists(string s | this.getACall().getArgument(0).mayHaveStringValue(s) | s.matches(""))
+      result = this.getParameter(any(int i | i >= 2)).asSink() and
+      not isTaggedTemplateFirstChildAnElement(this.getParameter(1).asSink().asExpr().getParent())
     }
 
     override DataFlow::Node getOptionsArg() { result = this.getParameter(0).asSink() }
@@ -196,6 +197,11 @@ module Execa {
     }
   }
 
+  /** Gets a TemplateLiteral and check if first child is a template element */
+  private predicate isTaggedTemplateFirstChildAnElement(TemplateLiteral templateLit) {
+    exists(templateLit.getChildExpr(0).(TemplateElement))
+  }
+
   /**
    * Holds whether Execa has shell enabled options or not, get Parameter responsible for options
    */