jorgectf
diff --git a/‎javascript/change-notes/2021-08-24-tainted-path-cwd.md
Lines changed: 2 additions & 0 deletions b/‎javascript/change-notes/2021-08-24-tainted-path-cwd.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
Lines changed: 12 additions & 0 deletions b/‎javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The `js/tainted-path` query now recognizes the `cwd` option to shell invocations as a sink.
@@ -696,6 +696,18 @@ module TaintedPath {
     }
   }
 
+  /**
+   * The `cwd` option to a shell execution.
+   */
+  private class ShellCwdSink extends TaintedPath::Sink {
+    ShellCwdSink() {
+      exists(SystemCommandExecution sys, API::Node opts |
+        opts.getARhs() = sys.getOptionsArg() and // assuming that an API::Node exists here.
+        this = opts.getMember("cwd").getARhs()
+      )
+    }
+  }
+
   /**
    * Holds if there is a step `src -> dst` mapping `srclabel` to `dstlabel` relevant for path traversal vulnerabilities.
    */
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* The `js/tainted-path` query now recognizes the `cwd` option to shell invocations as a sink.