
Commit 2f84204

author
Max Schaefer
committed
JavaScript: Model another execa function relevant for command injection.
1 parent 2e5af67 commit 2f84204


4 files changed

+14
-0
lines changed


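--- a/change-notes/1.25/analysis-javascript.md
+++ b/change-notes/1.25/analysis-javascript.md
@@ -6,6 +6,7 @@
 - [Promise](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise)
 - [bluebird](http://bluebirdjs.com/)
 - [express](https://www.npmjs.com/package/express)
+- [execa](https://www.npmjs.com/package/execa)
 - [fancy-log](https://www.npmjs.com/package/fancy-log)
 - [fastify](https://www.npmjs.com/package/fastify)
 - [fstream](https://www.npmjs.com/package/fstream)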

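--- a/javascript/ql/src/semmle/javascript/frameworks/SystemCommandExecutors.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SystemCommandExecutors.qll
@@ -32,6 +32,12 @@ private class SystemCommandExecutors extends SystemCommandExecution, DataFlow::I
 (method = "command" or method = "commandSync")
 ) and
 cmdArg = 0
+or
+mod = "execa" and
+method = "node" and
+cmdArg = 0 and
+optionsArg = 1 and
+shell = false
 |
 callee = DataFlow::moduleMember(mod, method) and
 sync = getSync(method)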
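Review bot: `optionsArg = 1` in the new `execa.node` clause only covers the two-argument call form; execa's documented signature is `execa.node(scriptPath, arguments?, options?)`, so when an argument array is passed the options object sits at index 2 and this clause would not see it, which presumably leaves that form's options unmodeled (false negatives, not false positives). If the enclosing predicate tolerates it, `(optionsArg = 1 or optionsArg = 2)` would cover both forms; the predicate and the `SystemCommandExecutors` class start above the hunk, so I cannot confirm how `optionsArg` is consumed. A short comment on the clause would also help the next reader, since argument 0 of `execa.node` is a script path rather than a shell command line, e.g. `// execa.node(scriptPath, args?, options?) forks a node process on scriptPath; a tainted path is an attacker-chosen executable, so it is modeled as the command argument`.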

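--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -109,6 +109,8 @@ nodes
 | other.js:23:28:23:30 | cmd |
 | other.js:26:34:26:36 | cmd |
 | other.js:26:34:26:36 | cmd |
+| other.js:28:27:28:29 | cmd |
+| other.js:28:27:28:29 | cmd |
 | third-party-command-injection.js:5:20:5:26 | command |
 | third-party-command-injection.js:5:20:5:26 | command |
 | third-party-command-injection.js:6:21:6:27 | command |
@@ -213,6 +215,8 @@ edges
 | other.js:5:9:5:49 | cmd | other.js:23:28:23:30 | cmd |
 | other.js:5:9:5:49 | cmd | other.js:26:34:26:36 | cmd |
 | other.js:5:9:5:49 | cmd | other.js:26:34:26:36 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:28:27:28:29 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:28:27:28:29 | cmd |
 | other.js:5:15:5:38 | url.par ... , true) | other.js:5:15:5:44 | url.par ... ).query |
 | other.js:5:15:5:44 | url.par ... ).query | other.js:5:15:5:49 | url.par ... ry.path |
 | other.js:5:15:5:49 | url.par ... ry.path | other.js:5:9:5:49 | cmd |
@@ -261,4 +265,5 @@ edges
 | other.js:22:21:22:23 | cmd | other.js:5:25:5:31 | req.url | other.js:22:21:22:23 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:23:28:23:30 | cmd | other.js:5:25:5:31 | req.url | other.js:23:28:23:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:26:34:26:36 | cmd | other.js:5:25:5:31 | req.url | other.js:26:34:26:36 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
+| other.js:28:27:28:29 | cmd | other.js:5:25:5:31 | req.url | other.js:28:27:28:29 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | third-party-command-injection.js:6:21:6:27 | command | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | This command depends on $@. | third-party-command-injection.js:5:20:5:26 | command | a server-provided value |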

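--- a/javascript/ql/test/query-tests/Security/CWE-078/other.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/other.js
@@ -24,4 +24,6 @@ var server = http.createServer(function(req, res) {
 
 const SSH2Stream = require("ssh2-streams").SSH2Stream;
 new SSH2Stream().exec(false, cmd); // NOT OK
+
+require("execa").node(cmd); // NOT OK
 });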
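Review bot: The new test only exercises the one-argument form `require("execa").node(cmd)`, so the `optionsArg = 1` part of the model added in SystemCommandExecutors.qll is never reached by this test. Adding a variant that also passes an argument list and an options object, e.g. `require("execa").node(cmd, ["--flag"], {}); // NOT OK`, would pin down that the sink is still recognized when extra arguments are present, which is the call shape most real callers use. The enclosing `http.createServer` callback starts above the hunk.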
