Clarify that splitting arguments on space is not safe.

Max Schaefer · Max Schaefer · commit 5fb6b5810fb8 · 2023-07-04T15:58:37.000+01:00
diff --git a/javascript/ql/src/Security/CWE-078/CommandInjection.inc.qhelp b/javascript/ql/src/Security/CWE-078/CommandInjection.inc.qhelp
@@ -20,6 +20,13 @@ then add code to verify that the user input string is safe before using it.</p>
 <p>If possible, prefer APIs that run the commands directly rather than via a
 shell, and that accept command arguments as an array of strings rather than a
 single concatenated string. This is both safer and more portable.</p>
+
+<p>In the latter case, if you are given the arguments as a single string, note
+that it is not safe to simply split the string on whitespace, since an argument
+may contain quoted whitespace which would cause it to be split into multiple
+arguments. Instead, use a library such as <code>shell-quote</code> to parse the
+string into an array of arguments.</p>
+
 </recommendation>
 
 <example>
@@ -46,6 +53,10 @@ default:</p>
 OWASP:
 <a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
 </li>
+<li>
+npm:
+<a href="https://www.npmjs.com/package/shell-quote">shell-quote</a>.
+</li>
 <!--  LocalWords:  CWE untrusted unsanitized Runtime
  -->
 </references>
diff --git a/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.qhelp b/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.qhelp
@@ -51,6 +51,17 @@
 
 		</p>
 
+		<p>
+
+			In the latter case, if you are given the arguments as a single
+			string, note that it is not safe to simply split the string on
+			whitespace, since an argument may contain quoted whitespace which
+			would cause it to be split into multiple arguments. Instead, use a
+			library such as <code>shell-quote</code> to parse the string into an
+			array of arguments.
+
+		</p>
+
 	</recommendation>
 	<example>
 
@@ -100,6 +111,11 @@
 			<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
 		</li>
 
+		<li>
+			npm:
+			<a href="https://www.npmjs.com/package/shell-quote">shell-quote</a>.
+		</li>
+
 	</references>
 
 </qhelp>
diff --git a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp
@@ -26,6 +26,16 @@
 		interpretation by the shell.
 	</p>
 
+	<p>
+
+		Note, however, that if you are given the arguments as a single string,
+		it is not safe to simply split the string on whitespace, since an
+		argument may contain quoted whitespace which would cause it to be split
+		into multiple arguments. Instead, use a library such as
+		<code>shell-quote</code> to parse the string into an array of arguments.
+
+	</p>
+
 	<p>
 		Alternatively, if the shell command must be constructed
 		dynamically, then add code to ensure that special characters 
@@ -71,5 +81,10 @@
 		<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
 	</li>
 
+	<li>
+		npm:
+		<a href="https://www.npmjs.com/package/shell-quote">shell-quote</a>.
+	</li>
+
 </references>
 </qhelp>
