JavaScript: Add model for foreground-child.

>1M weekly downloads, so seems worth doing.

Author: Max Schaefer

change-notes/1.25/analysis-javascript.md

@@ -9,6 +9,7 @@
   - [execa](https://www.npmjs.com/package/execa)
   - [fancy-log](https://www.npmjs.com/package/fancy-log)
   - [fastify](https://www.npmjs.com/package/fastify)
+  - [foreground-child](https://www.npmjs.com/package/foreground-child)
   - [fstream](https://www.npmjs.com/package/fstream)
   - [jGrowl](https://github.com/stanlemon/jGrowl)
   - [jQuery](https://jquery.com/)

javascript/ql/src/semmle/javascript/frameworks/SystemCommandExecutors.qll

@@ -65,6 +65,12 @@ private class SystemCommandExecutors extends SystemCommandExecution, DataFlow::I
     |
       this = callee.getACall()
     )
+    or
+    this = DataFlow::moduleImport("foreground-child").getACall() and
+    cmdArg = 0 and
+    optionsArg = 1 and
+    shell = false and
+    sync = true
   }
 
   override DataFlow::Node getACommandArgument() { result = getArgument(cmdArg) }

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected

@@ -111,6 +111,8 @@ nodes
 | other.js:26:34:26:36 | cmd |
 | other.js:28:27:28:29 | cmd |
 | other.js:28:27:28:29 | cmd |
+| other.js:30:33:30:35 | cmd |
+| other.js:30:33:30:35 | cmd |
 | third-party-command-injection.js:5:20:5:26 | command |
 | third-party-command-injection.js:5:20:5:26 | command |
 | third-party-command-injection.js:6:21:6:27 | command |
@@ -217,6 +219,8 @@ edges
 | other.js:5:9:5:49 | cmd | other.js:26:34:26:36 | cmd |
 | other.js:5:9:5:49 | cmd | other.js:28:27:28:29 | cmd |
 | other.js:5:9:5:49 | cmd | other.js:28:27:28:29 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:30:33:30:35 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:30:33:30:35 | cmd |
 | other.js:5:15:5:38 | url.par ... , true) | other.js:5:15:5:44 | url.par ... ).query |
 | other.js:5:15:5:44 | url.par ... ).query | other.js:5:15:5:49 | url.par ... ry.path |
 | other.js:5:15:5:49 | url.par ... ry.path | other.js:5:9:5:49 | cmd |
@@ -266,4 +270,5 @@ edges
 | other.js:23:28:23:30 | cmd | other.js:5:25:5:31 | req.url | other.js:23:28:23:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:26:34:26:36 | cmd | other.js:5:25:5:31 | req.url | other.js:26:34:26:36 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:28:27:28:29 | cmd | other.js:5:25:5:31 | req.url | other.js:28:27:28:29 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
+| other.js:30:33:30:35 | cmd | other.js:5:25:5:31 | req.url | other.js:30:33:30:35 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | third-party-command-injection.js:6:21:6:27 | command | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | This command depends on $@. | third-party-command-injection.js:5:20:5:26 | command | a server-provided value |

javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.expected

@@ -56,6 +56,7 @@ syncCommand
 | other.js:7:5:7:36 | require ... nc(cmd) |
 | other.js:9:5:9:35 | require ... nc(cmd) |
 | other.js:12:5:12:30 | require ... nc(cmd) |
+| other.js:30:5:30:36 | require ... ")(cmd) |
 | third-party-command-injection.js:6:9:6:28 | cp.execSync(command) |
 | tst_shell-command-injection-from-environment.js:4:2:4:62 | cp.exec ... emp")]) |
 | tst_shell-command-injection-from-environment.js:5:2:5:54 | cp.exec ... temp")) |

javascript/ql/test/query-tests/Security/CWE-078/other.js

@@ -26,4 +26,6 @@ var server = http.createServer(function(req, res) {
     new SSH2Stream().exec(false, cmd); // NOT OK
 
     require("execa").node(cmd); // NOT OK
+
+    require("foreground-child")(cmd); // NOT OK
 });