Added support for shelljs.cmd and async-shelljs.asyncExec

Napalys · Napalys · commit 18cea2d6a5de · 2025-04-30T13:37:02.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ShellJS.qll b/javascript/ql/lib/semmle/javascript/frameworks/ShellJS.qll
@@ -15,7 +15,7 @@ module ShellJS {
           .getMember([
               "exec", "cd", "cp", "touch", "chmod", "pushd", "find", "ls", "ln", "mkdir", "mv",
               "rm", "cat", "head", "sort", "tail", "uniq", "grep", "sed", "to", "toEnd", "echo",
-              "which",
+              "which", "cmd", "asyncExec"
             ])
           .getReturn()
   }
@@ -154,16 +154,27 @@ module ShellJS {
   }
 
   /**
-   * A call to `shelljs.exec()` modeled as command execution.
+   * A call to `shelljs.exec()`, `shelljs.cmd()`, or `async-shelljs.asyncExec()` modeled as command execution.
    */
   private class ShellJSExec extends SystemCommandExecution, ShellJSCall {
-    ShellJSExec() { name = "exec" }
-
-    override DataFlow::Node getACommandArgument() { result = this.getArgument(0) }
+    ShellJSExec() { name = ["exec", "cmd", "asyncExec"] }
+
+    override DataFlow::Node getACommandArgument() {
+      if name = "cmd"
+      then
+        result = this.getArgument(_) and
+        not (
+          result = this.getLastArgument() and
+          exists(this.getOptionsArg())
+        )
+      else
+        // For exec/asyncExec: only first argument is command
+        result = this.getArgument(0)
+    }
 
     override predicate isShellInterpreted(DataFlow::Node arg) { arg = this.getACommandArgument() }
 
-    override predicate isSync() { none() }
+    override predicate isSync() { name = "cmd" }
 
     override DataFlow::Node getOptionsArg() {
       result = this.getLastArgument() and
diff --git a/javascript/ql/test/library-tests/frameworks/Shelljs/ShellJS.expected b/javascript/ql/test/library-tests/frameworks/Shelljs/ShellJS.expected
@@ -61,6 +61,9 @@ test_SystemCommandExecution
 | tst.js:14:1:14:27 | shelljs ... ts, cb) |
 | tst.js:60:1:60:51 | shelljs ... ec(cmd) |
 | tst.js:61:1:61:27 | shelljs ... ec(cmd) |
+| tst.js:63:1:63:37 | shelljs ... ptions) |
+| tst.js:64:1:64:16 | shelljs.cmd(cmd) |
+| tst.js:68:1:68:36 | shelljs ... ts, cb) |
 test_FileNameSource
 | tst.js:15:1:15:26 | shelljs ...  file2) |
 | tst.js:24:1:24:16 | shelljs.ls(file) |
