change commandExecution sink to CodeInjection sink

am0o0 · am0o0 · commit 344869f0d760 · 2023-09-22T19:37:17.000+10:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -6,6 +6,7 @@ import javascript
 import semmle.javascript.frameworks.HTTP
 import semmle.javascript.security.SensitiveActions
 private import semmle.javascript.dataflow.internal.PreCallGraphStep
+private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
 
 module NodeJSLib {
   private GlobalVariable processVariable() { variables(result, "process", any(GlobalScope sc)) }
@@ -763,16 +764,8 @@ module NodeJSLib {
   /**
    * The dynamic import expression input can be a `data:` URL which loads any module from that data
    */
-  class DynamicImport extends SystemCommandExecution, DataFlow::ExprNode {
+  class DynamicImport extends CodeInjection::Sink, DataFlow::ExprNode {
     DynamicImport() { this = any(DynamicImportExpr e).getAChildExpr().flow() }
-
-    override DataFlow::Node getACommandArgument() { result = this }
-
-    override predicate isShellInterpreted(DataFlow::Node arg) { arg = this }
-
-    override predicate isSync() { none() }
-
-    override DataFlow::Node getOptionsArg() { none() }
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/frameworks/NodeJSLib/CodeInjectionSink.qll b/javascript/ql/test/library-tests/frameworks/NodeJSLib/CodeInjectionSink.qll
@@ -0,0 +1,4 @@
+import javascript
+private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
+
+query predicate test_CodeInjectionSink(CodeInjection::Sink cmd, DataFlow::Node res) { res = cmd }
diff --git a/javascript/ql/test/library-tests/frameworks/NodeJSLib/tests.expected b/javascript/ql/test/library-tests/frameworks/NodeJSLib/tests.expected
@@ -230,7 +230,6 @@ test_SystemCommandExecution
 | exec.js:5:1:5:23 | cp.fork ... "arg"]) | exec.js:5:9:5:13 | "foo" |
 | exec.js:6:1:6:28 | cp.spaw ... "], cb) | exec.js:6:10:6:15 | "echo" |
 | exec.js:7:1:7:37 | cp.spaw ... here"]) | exec.js:7:14:7:19 | "echo" |
-| exec.js:10:14:10:58 | 'data:t ... lo!");' | exec.js:10:14:10:58 | 'data:t ... lo!");' |
 test_HeaderDefinition_defines
 | src/http.js:13:3:13:44 | res.set ... /html') | content-type | text/html |
 | src/https.js:13:3:13:44 | res.set ... /html') | content-type | text/html |
@@ -418,3 +417,5 @@ test_SystemCommandExecution_getAnArgumentForCommand
 | exec.js:5:1:5:23 | cp.fork ... "arg"]) | exec.js:5:16:5:22 | ["arg"] |
 | exec.js:6:1:6:28 | cp.spaw ... "], cb) | exec.js:6:18:6:23 | ["Hi"] |
 | exec.js:7:1:7:37 | cp.spaw ... here"]) | exec.js:7:22:7:36 | ["Hi", "there"] |
+test_CodeInjectionSink
+| exec.js:10:14:10:58 | 'data:t ... lo!");' | exec.js:10:14:10:58 | 'data:t ... lo!");' |
diff --git a/javascript/ql/test/library-tests/frameworks/NodeJSLib/tests.ql b/javascript/ql/test/library-tests/frameworks/NodeJSLib/tests.ql
@@ -22,3 +22,4 @@ import RequestExpr
 import SystemCommandExecution_getAnArgumentForCommand
 import Credentials
 import RouteHandler_getARequestExpr
+import CodeInjectionSink
