Skip to content

Commit a0df33c

Browse files
NapalysNapalys
committed
JS: UnsafeShellCommand Using unknown flags in the RegExp object is no longer flagged as bad sanitization to reduce false positives.
1 parent 155f1fc commit a0df33c

File tree

4 files changed

+2
-20
lines changed

4 files changed

+2
-20
lines changed

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -245,7 +245,7 @@ module UnsafeShellCommandConstruction {
245245
class ReplaceQuotesSanitizer extends Sanitizer, StringReplaceCall {
246246
ReplaceQuotesSanitizer() {
247247
this.getAReplacedString() = "'" and
248-
this.isGlobal() and
248+
this.maybeGlobal() and
249249
this.getRawReplacement().mayHaveStringValue(["'\\''", ""])
250250
}
251251
}

javascript/ql/test/query-tests/Security/CWE-078/Consistency.expected

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +0,0 @@
1-
| UnsafeShellCommandConstruction/lib/lib.js:640 | did not expect an alert, but found an alert for UnsafeShellCommandConstruction | OK -- Currently this is flagged as a bad sanitization, but it is not certain that it is bad. | ComandInjection |

javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected

Lines changed: 0 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -328,13 +328,6 @@ nodes
328328
| lib/lib.js:633:24:633:62 | name.re ... '\\\\''") |
329329
| lib/lib.js:634:22:634:30 | sanitized |
330330
| lib/lib.js:634:22:634:30 | sanitized |
331-
| lib/lib.js:639:6:639:84 | sanitized |
332-
| lib/lib.js:639:18:639:84 | "'" + n ... ) + "'" |
333-
| lib/lib.js:639:24:639:27 | name |
334-
| lib/lib.js:639:24:639:78 | name.re ... '\\\\''") |
335-
| lib/lib.js:639:24:639:78 | name.re ... '\\\\''") |
336-
| lib/lib.js:640:22:640:30 | sanitized |
337-
| lib/lib.js:640:22:640:30 | sanitized |
338331
| lib/subLib2/compiled-file.ts:3:26:3:29 | name |
339332
| lib/subLib2/compiled-file.ts:3:26:3:29 | name |
340333
| lib/subLib2/compiled-file.ts:4:25:4:28 | name |
@@ -767,20 +760,12 @@ edges
767760
| lib/lib.js:608:42:608:45 | name | lib/lib.js:629:25:629:28 | name |
768761
| lib/lib.js:632:38:632:41 | name | lib/lib.js:633:24:633:27 | name |
769762
| lib/lib.js:632:38:632:41 | name | lib/lib.js:633:24:633:27 | name |
770-
| lib/lib.js:632:38:632:41 | name | lib/lib.js:639:24:639:27 | name |
771-
| lib/lib.js:632:38:632:41 | name | lib/lib.js:639:24:639:27 | name |
772763
| lib/lib.js:633:6:633:68 | sanitized | lib/lib.js:634:22:634:30 | sanitized |
773764
| lib/lib.js:633:6:633:68 | sanitized | lib/lib.js:634:22:634:30 | sanitized |
774765
| lib/lib.js:633:18:633:68 | "'" + n ... ) + "'" | lib/lib.js:633:6:633:68 | sanitized |
775766
| lib/lib.js:633:24:633:27 | name | lib/lib.js:633:24:633:62 | name.re ... '\\\\''") |
776767
| lib/lib.js:633:24:633:27 | name | lib/lib.js:633:24:633:62 | name.re ... '\\\\''") |
777768
| lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | lib/lib.js:633:18:633:68 | "'" + n ... ) + "'" |
778-
| lib/lib.js:639:6:639:84 | sanitized | lib/lib.js:640:22:640:30 | sanitized |
779-
| lib/lib.js:639:6:639:84 | sanitized | lib/lib.js:640:22:640:30 | sanitized |
780-
| lib/lib.js:639:18:639:84 | "'" + n ... ) + "'" | lib/lib.js:639:6:639:84 | sanitized |
781-
| lib/lib.js:639:24:639:27 | name | lib/lib.js:639:24:639:78 | name.re ... '\\\\''") |
782-
| lib/lib.js:639:24:639:27 | name | lib/lib.js:639:24:639:78 | name.re ... '\\\\''") |
783-
| lib/lib.js:639:24:639:78 | name.re ... '\\\\''") | lib/lib.js:639:18:639:84 | "'" + n ... ) + "'" |
784769
| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
785770
| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
786771
| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
@@ -913,8 +898,6 @@ edges
913898
| lib/lib.js:629:13:629:28 | "rm -rf " + name | lib/lib.js:608:42:608:45 | name | lib/lib.js:629:25:629:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:608:42:608:45 | name | library input | lib/lib.js:629:5:629:29 | cp.exec ... + name) | shell command |
914899
| lib/lib.js:633:18:633:68 | "'" + n ... ) + "'" | lib/lib.js:632:38:632:41 | name | lib/lib.js:633:24:633:62 | name.re ... '\\\\''") | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:634:2:634:31 | cp.exec ... itized) | shell command |
915900
| lib/lib.js:634:10:634:30 | "rm -rf ... nitized | lib/lib.js:632:38:632:41 | name | lib/lib.js:634:22:634:30 | sanitized | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:634:2:634:31 | cp.exec ... itized) | shell command |
916-
| lib/lib.js:639:18:639:84 | "'" + n ... ) + "'" | lib/lib.js:632:38:632:41 | name | lib/lib.js:639:24:639:78 | name.re ... '\\\\''") | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:640:2:640:31 | cp.exec ... itized) | shell command |
917-
| lib/lib.js:640:10:640:30 | "rm -rf ... nitized | lib/lib.js:632:38:632:41 | name | lib/lib.js:640:22:640:30 | sanitized | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:632:38:632:41 | name | library input | lib/lib.js:640:2:640:31 | cp.exec ... itized) | shell command |
918901
| lib/subLib2/compiled-file.ts:4:13:4:28 | "rm -rf " + name | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/compiled-file.ts:3:26:3:29 | name | library input | lib/subLib2/compiled-file.ts:4:5:4:29 | cp.exec ... + name) | shell command |
919902
| lib/subLib2/special-file.js:4:10:4:25 | "rm -rf " + name | lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/special-file.js:3:28:3:31 | name | library input | lib/subLib2/special-file.js:4:2:4:26 | cp.exec ... + name) | shell command |
920903
| lib/subLib3/my-file.ts:4:10:4:25 | "rm -rf " + name | lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib3/my-file.ts:3:28:3:31 | name | library input | lib/subLib3/my-file.ts:4:2:4:26 | cp.exec ... + name) | shell command |

javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -637,5 +637,5 @@ module.exports.sanitizer = function (name) {
637637
cp.exec("rm -rf " + sanitized); // OK
638638

639639
var sanitized = "'" + name.replace(new RegExp("\'", unknownFlags()), "'\\''") + "'"
640-
cp.exec("rm -rf " + sanitized); // OK -- Currently this is flagged as a bad sanitization, but it is not certain that it is bad.
640+
cp.exec("rm -rf " + sanitized); // OK -- Most likely should be okay and not flagged to reduce false positives.
641641
}

0 commit comments

Comments
 (0)