Added a step from parse to opts for commander js

Author: Napalys

javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll

@@ -95,6 +95,11 @@ private class ArgsParseStep extends TaintTracking::SharedTaintStep {
       pred = call.getArgument(0)
     )
     or
+    exists(API::Node commanderNode | commanderNode = commander() |
+      pred = commanderNode.getMember("parse").getACall().getAnArgument() and
+      succ = commanderNode.getMember("opts").getACall()
+    )
+    or
     exists(DataFlow::MethodCallNode methodCall | methodCall = yargs() |
       pred = methodCall.getReceiver() and
       succ = methodCall

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected

@@ -21,6 +21,7 @@
 | child_process-test.js:75:29:75:31 | cmd | child_process-test.js:73:25:73:31 | req.url | child_process-test.js:75:29:75:31 | cmd | This command line depends on a $@. | child_process-test.js:73:25:73:31 | req.url | user-provided value |
 | child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | This command line depends on a $@. | child_process-test.js:83:19:83:36 | req.query.fileName | user-provided value |
 | child_process-test.js:94:11:94:35 | "ping " ... ms.host | child_process-test.js:94:21:94:30 | ctx.params | child_process-test.js:94:11:94:35 | "ping " ... ms.host | This command line depends on a $@. | child_process-test.js:94:21:94:30 | ctx.params | user-provided value |
+| command-line-libs.js:14:8:14:18 | options.cmd | command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:14:8:14:18 | options.cmd | This command line depends on a $@. | command-line-libs.js:9:16:9:23 | req.body | user-provided value |
 | command-line-libs.js:40:8:40:17 | parsed.cmd | command-line-libs.js:33:16:33:23 | req.body | command-line-libs.js:40:8:40:17 | parsed.cmd | This command line depends on a $@. | command-line-libs.js:33:16:33:23 | req.body | user-provided value |
 | exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command line depends on a $@. | exec-sh2.js:14:25:14:31 | req.url | user-provided value |
 | exec-sh.js:15:12:15:61 | cp.spaw ... ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command line depends on a $@. | exec-sh.js:19:25:19:31 | req.url | user-provided value |
@@ -117,6 +118,12 @@ edges
 | child_process-test.js:73:15:73:38 | url.par ... , true) | child_process-test.js:73:9:73:49 | cmd | provenance |  |
 | child_process-test.js:73:25:73:31 | req.url | child_process-test.js:73:15:73:38 | url.par ... , true) | provenance |  |
 | child_process-test.js:94:21:94:30 | ctx.params | child_process-test.js:94:11:94:35 | "ping " ... ms.host | provenance |  |
+| command-line-libs.js:9:9:9:34 | args | command-line-libs.js:12:17:12:20 | args | provenance |  |
+| command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:9:9:9:34 | args | provenance |  |
+| command-line-libs.js:12:17:12:20 | args | command-line-libs.js:13:19:13:32 | program.opts() | provenance |  |
+| command-line-libs.js:13:9:13:32 | options | command-line-libs.js:14:8:14:14 | options | provenance |  |
+| command-line-libs.js:13:19:13:32 | program.opts() | command-line-libs.js:13:9:13:32 | options | provenance |  |
+| command-line-libs.js:14:8:14:14 | options | command-line-libs.js:14:8:14:18 | options.cmd | provenance |  |
 | command-line-libs.js:33:9:33:34 | args | command-line-libs.js:34:24:34:27 | args | provenance |  |
 | command-line-libs.js:33:16:33:23 | req.body | command-line-libs.js:33:9:33:34 | args | provenance |  |
 | command-line-libs.js:34:9:38:12 | parsed | command-line-libs.js:40:8:40:13 | parsed | provenance |  |
@@ -278,6 +285,13 @@ nodes
 | child_process-test.js:83:19:83:36 | req.query.fileName | semmle.label | req.query.fileName |
 | child_process-test.js:94:11:94:35 | "ping " ... ms.host | semmle.label | "ping " ... ms.host |
 | child_process-test.js:94:21:94:30 | ctx.params | semmle.label | ctx.params |
+| command-line-libs.js:9:9:9:34 | args | semmle.label | args |
+| command-line-libs.js:9:16:9:23 | req.body | semmle.label | req.body |
+| command-line-libs.js:12:17:12:20 | args | semmle.label | args |
+| command-line-libs.js:13:9:13:32 | options | semmle.label | options |
+| command-line-libs.js:13:19:13:32 | program.opts() | semmle.label | program.opts() |
+| command-line-libs.js:14:8:14:14 | options | semmle.label | options |
+| command-line-libs.js:14:8:14:18 | options.cmd | semmle.label | options.cmd |
 | command-line-libs.js:33:9:33:34 | args | semmle.label | args |
 | command-line-libs.js:33:16:33:23 | req.body | semmle.label | req.body |
 | command-line-libs.js:34:9:38:12 | parsed | semmle.label | parsed |

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js

@@ -6,12 +6,12 @@ const app = express();
 app.use(express.json());
 
 app.post('/Command', (req, res) => {
-  const args = req.body.args || []; // $ MISSING: Source
+  const args = req.body.args || []; // $ Source
   const program = new Command();
   program.option('--cmd <value>', 'Command to execute');
   program.parse(args, { from: 'user' });
   const options = program.opts();
-  exec(options.cmd); // $ MISSING: Alert
+  exec(options.cmd); // $ Alert
 });
 
 app.post('/arg', (req, res) => {