add taint flow for arg/command-line-args with custom argv option

Author: Napalys

javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll

@@ -113,6 +113,17 @@ private class ArgsParseStep extends TaintTracking::SharedTaintStep {
       pred = methodCall.getReceiver() and
       succ = methodCall
     )
+    or
+    exists(DataFlow::CallNode call, DataFlow::Node options |
+      call = DataFlow::moduleImport(["arg", "command-line-args"]).getACall() and
+      succ = call and
+      options = call.getArgument(1) and
+      exists(DataFlow::PropWrite write |
+        write.getBase() = options and
+        write.getPropertyName() = "argv" and
+        pred = write.getRhs()
+      )
+    )
   }
 }
 

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected

@@ -24,6 +24,8 @@
 | command-line-libs.js:14:8:14:18 | options.cmd | command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:14:8:14:18 | options.cmd | This command line depends on a $@. | command-line-libs.js:9:16:9:23 | req.body | user-provided value |
 | command-line-libs.js:15:8:15:18 | program.cmd | command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:15:8:15:18 | program.cmd | This command line depends on a $@. | command-line-libs.js:9:16:9:23 | req.body | user-provided value |
 | command-line-libs.js:21:12:21:17 | script | command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:21:12:21:17 | script | This command line depends on a $@. | command-line-libs.js:9:16:9:23 | req.body | user-provided value |
+| command-line-libs.js:29:10:29:24 | parsed['--cmd'] | command-line-libs.js:27:23:27:30 | req.body | command-line-libs.js:29:10:29:24 | parsed['--cmd'] | This command line depends on a $@. | command-line-libs.js:27:23:27:30 | req.body | user-provided value |
+| command-line-libs.js:37:8:37:18 | options.cmd | command-line-libs.js:35:62:35:69 | req.body | command-line-libs.js:37:8:37:18 | options.cmd | This command line depends on a $@. | command-line-libs.js:35:62:35:69 | req.body | user-provided value |
 | command-line-libs.js:49:8:49:17 | parsed.cmd | command-line-libs.js:42:16:42:23 | req.body | command-line-libs.js:49:8:49:17 | parsed.cmd | This command line depends on a $@. | command-line-libs.js:42:16:42:23 | req.body | user-provided value |
 | exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command line depends on a $@. | exec-sh2.js:14:25:14:31 | req.url | user-provided value |
 | exec-sh.js:15:12:15:61 | cp.spaw ... ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command line depends on a $@. | exec-sh.js:19:25:19:31 | req.url | user-provided value |
@@ -131,6 +133,16 @@ edges
 | command-line-libs.js:14:8:14:14 | options | command-line-libs.js:14:8:14:18 | options.cmd | provenance |  |
 | command-line-libs.js:20:14:20:19 | script | command-line-libs.js:21:12:21:17 | script | provenance |  |
 | command-line-libs.js:23:29:23:32 | args | command-line-libs.js:20:14:20:19 | script | provenance |  |
+| command-line-libs.js:27:11:27:41 | argsArray | command-line-libs.js:28:53:28:61 | argsArray | provenance |  |
+| command-line-libs.js:27:23:27:30 | req.body | command-line-libs.js:27:11:27:41 | argsArray | provenance |  |
+| command-line-libs.js:28:11:28:64 | parsed | command-line-libs.js:29:10:29:15 | parsed | provenance |  |
+| command-line-libs.js:28:20:28:64 | arg({ ' ... rray }) | command-line-libs.js:28:11:28:64 | parsed | provenance |  |
+| command-line-libs.js:28:53:28:61 | argsArray | command-line-libs.js:28:20:28:64 | arg({ ' ... rray }) | provenance |  |
+| command-line-libs.js:29:10:29:15 | parsed | command-line-libs.js:29:10:29:24 | parsed['--cmd'] | provenance |  |
+| command-line-libs.js:35:9:35:83 | options | command-line-libs.js:37:8:37:14 | options | provenance |  |
+| command-line-libs.js:35:19:35:83 | command ... \| [] }) | command-line-libs.js:35:9:35:83 | options | provenance |  |
+| command-line-libs.js:35:62:35:69 | req.body | command-line-libs.js:35:19:35:83 | command ... \| [] }) | provenance |  |
+| command-line-libs.js:37:8:37:14 | options | command-line-libs.js:37:8:37:18 | options.cmd | provenance |  |
 | command-line-libs.js:42:9:42:34 | args | command-line-libs.js:43:24:43:27 | args | provenance |  |
 | command-line-libs.js:42:16:42:23 | req.body | command-line-libs.js:42:9:42:34 | args | provenance |  |
 | command-line-libs.js:43:9:47:12 | parsed | command-line-libs.js:49:8:49:13 | parsed | provenance |  |
@@ -303,6 +315,18 @@ nodes
 | command-line-libs.js:20:14:20:19 | script | semmle.label | script |
 | command-line-libs.js:21:12:21:17 | script | semmle.label | script |
 | command-line-libs.js:23:29:23:32 | args | semmle.label | args |
+| command-line-libs.js:27:11:27:41 | argsArray | semmle.label | argsArray |
+| command-line-libs.js:27:23:27:30 | req.body | semmle.label | req.body |
+| command-line-libs.js:28:11:28:64 | parsed | semmle.label | parsed |
+| command-line-libs.js:28:20:28:64 | arg({ ' ... rray }) | semmle.label | arg({ ' ... rray }) |
+| command-line-libs.js:28:53:28:61 | argsArray | semmle.label | argsArray |
+| command-line-libs.js:29:10:29:15 | parsed | semmle.label | parsed |
+| command-line-libs.js:29:10:29:24 | parsed['--cmd'] | semmle.label | parsed['--cmd'] |
+| command-line-libs.js:35:9:35:83 | options | semmle.label | options |
+| command-line-libs.js:35:19:35:83 | command ... \| [] }) | semmle.label | command ... \| [] }) |
+| command-line-libs.js:35:62:35:69 | req.body | semmle.label | req.body |
+| command-line-libs.js:37:8:37:14 | options | semmle.label | options |
+| command-line-libs.js:37:8:37:18 | options.cmd | semmle.label | options.cmd |
 | command-line-libs.js:42:9:42:34 | args | semmle.label | args |
 | command-line-libs.js:42:16:42:23 | req.body | semmle.label | req.body |
 | command-line-libs.js:43:9:47:12 | parsed | semmle.label | parsed |

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js

@@ -24,17 +24,17 @@ app.post('/Command', async (req, res) => {
 });
 
 app.post('/arg', (req, res) => {
-    const argsArray = req.body.args || []; // $ MISSING: Source
+    const argsArray = req.body.args || []; // $ Source
     const parsed = arg({ '--cmd': String }, { argv: argsArray });
-    exec(parsed['--cmd']); // $ MISSING: Alert
+    exec(parsed['--cmd']); // $ Alert
 });
 
 app.post('/commandLineArgs', (req, res) => {
   const commandLineArgs = require('command-line-args');
   const optionDefinitions = [{ name: 'cmd', type: String }];
-  const options = commandLineArgs(optionDefinitions, { argv: req.body.args || [] }); // $ MISSING: Source
+  const options = commandLineArgs(optionDefinitions, { argv: req.body.args || [] }); // $ Source
   if (!options.cmd) return res.status(400).send({ error: 'Missing --cmd' });
-  exec(options.cmd); // $ MISSING: Alert
+  exec(options.cmd); // $ Alert
 });
 
 app.post('/yargs', (req, res) => {