Skip to content

Commit 79e161e

Browse files
erik-krogherik-krogh
committed
slightly broaden the regular expression that recognizes bad string-concats used as shell commands
1 parent 16cd148 commit 79e161e

File tree

3 files changed

+12
-2
lines changed

3 files changed

+12
-2
lines changed

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -93,7 +93,7 @@ module UnsafeShellCommandConstruction {
9393
this = root.getALeaf() and
9494
root = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys) and
9595
exists(string prev | prev = this.getPreviousLeaf().getStringValue() |
96-
prev.regexpMatch(".* ('|\")?[0-9a-zA-Z/:_-]*")
96+
prev.regexpMatch(".*\\s*('|\")?[0-9a-zA-Z/:_-]*")
9797
)
9898
}
9999

javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -57,6 +57,8 @@ nodes
5757
| lib/lib.js:64:41:64:44 | name |
5858
| lib/lib.js:65:22:65:25 | name |
5959
| lib/lib.js:65:22:65:25 | name |
60+
| lib/lib.js:69:27:69:30 | name |
61+
| lib/lib.js:69:27:69:30 | name |
6062
| lib/lib.js:71:28:71:31 | name |
6163
| lib/lib.js:71:28:71:31 | name |
6264
| lib/lib.js:73:21:73:24 | name |
@@ -116,6 +118,7 @@ nodes
116118
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" |
117119
| lib/lib.js:181:21:181:24 | name |
118120
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
121+
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
119122
| lib/lib.js:182:22:182:27 | broken |
120123
| lib/lib.js:182:22:182:27 | broken |
121124
| lib/lib.js:186:34:186:37 | name |
@@ -377,6 +380,10 @@ edges
377380
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
378381
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
379382
| lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name |
383+
| lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name |
384+
| lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name |
385+
| lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name |
386+
| lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name |
380387
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
381388
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
382389
| lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name |
@@ -455,6 +462,7 @@ edges
455462
| lib/lib.js:181:6:181:52 | broken | lib/lib.js:182:22:182:27 | broken |
456463
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" | lib/lib.js:181:6:181:52 | broken |
457464
| lib/lib.js:181:21:181:24 | name | lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
465+
| lib/lib.js:181:21:181:24 | name | lib/lib.js:181:21:181:46 | name.re ... "'\\''") |
458466
| lib/lib.js:181:21:181:46 | name.re ... "'\\''") | lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" |
459467
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
460468
| lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name |
@@ -708,6 +716,7 @@ edges
708716
| lib/lib.js:54:13:54:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:54:25:54:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:53:33:53:36 | name | library input | lib/lib.js:55:2:55:14 | cp.exec(cmd1) | shell command |
709717
| lib/lib.js:57:13:57:28 | "rm -rf " + name | lib/lib.js:53:33:53:36 | name | lib/lib.js:57:25:57:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:53:33:53:36 | name | library input | lib/lib.js:59:3:59:14 | cp.exec(cmd) | shell command |
710718
| lib/lib.js:65:10:65:25 | "rm -rf " + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:65:22:65:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:65:2:65:26 | cp.exec ... + name) | shell command |
719+
| lib/lib.js:69:10:69:47 | "for fo ... la end" | lib/lib.js:64:41:64:44 | name | lib/lib.js:69:27:69:30 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:69:2:69:48 | cp.exec ... a end") | shell command |
711720
| lib/lib.js:71:10:71:31 | "cat /f ... + name | lib/lib.js:64:41:64:44 | name | lib/lib.js:71:28:71:31 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:71:2:71:32 | cp.exec ... + name) | shell command |
712721
| lib/lib.js:73:10:73:31 | "cat \\" ... + "\\"" | lib/lib.js:64:41:64:44 | name | lib/lib.js:73:21:73:24 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:73:2:73:32 | cp.exec ... + "\\"") | shell command |
713722
| lib/lib.js:75:10:75:29 | "cat '" + name + "'" | lib/lib.js:64:41:64:44 | name | lib/lib.js:75:20:75:23 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:64:41:64:44 | name | library input | lib/lib.js:75:2:75:30 | cp.exec ... + "'") | shell command |
@@ -726,6 +735,7 @@ edges
726735
| lib/lib.js:149:12:149:27 | "rm -rf " + name | lib/lib.js:148:37:148:40 | name | lib/lib.js:149:24:149:27 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:148:37:148:40 | name | library input | lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) | shell command |
727736
| lib/lib.js:161:13:161:28 | "rm -rf " + name | lib/lib.js:155:38:155:41 | name | lib/lib.js:161:25:161:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:155:38:155:41 | name | library input | lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) | shell command |
728737
| lib/lib.js:173:10:173:23 | "fo \| " + name | lib/lib.js:170:41:170:44 | name | lib/lib.js:173:20:173:23 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:170:41:170:44 | name | library input | lib/lib.js:173:2:173:24 | cp.exec ... + name) | shell command |
738+
| lib/lib.js:181:15:181:52 | "'" + n ... ) + "'" | lib/lib.js:177:38:177:41 | name | lib/lib.js:181:21:181:46 | name.re ... "'\\''") | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:177:38:177:41 | name | library input | lib/lib.js:182:2:182:28 | cp.exec ... broken) | shell command |
729739
| lib/lib.js:182:10:182:27 | "rm -rf " + broken | lib/lib.js:177:38:177:41 | name | lib/lib.js:182:22:182:27 | broken | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:177:38:177:41 | name | library input | lib/lib.js:182:2:182:28 | cp.exec ... broken) | shell command |
730740
| lib/lib.js:187:10:187:25 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:187:22:187:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:186:34:186:37 | name | library input | lib/lib.js:187:2:187:26 | cp.exec ... + name) | shell command |
731741
| lib/lib.js:190:11:190:26 | "rm -rf " + name | lib/lib.js:186:34:186:37 | name | lib/lib.js:190:23:190:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:186:34:186:37 | name | library input | lib/lib.js:190:3:190:27 | cp.exec ... + name) | shell command |

javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -66,7 +66,7 @@ module.exports.stringConcat = function (name) {
6666

6767
cp.exec(name); // OK.
6868

69-
cp.exec("for foo in (" + name + ") do bla end"); // OK.
69+
cp.exec("for foo in (" + name + ") do bla end"); // NOT OK.
7070

7171
cp.exec("cat /foO/BAR/" + name) // NOT OK.
7272

0 commit comments

Comments
 (0)