add test cases for js/shell-command-constructed-from-input

Author: erik-krogh

javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected

@@ -0,0 +1 @@
+Security/CWE-078/UnsafeShellCommandConstruction.ql

javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.qlref

@@ -1,4 +1,8 @@
 readFile
+| lib/lib.js:71:2:71:32 | cp.exec ... + name) | fs.readFile("/foO/BAR/" + name) |
+| lib/lib.js:73:2:73:32 | cp.exec ... + "\\"") | fs.readFile(""" + name + """) |
+| lib/lib.js:75:2:75:30 | cp.exec ...  + "'") | fs.readFile("'" + name + "'") |
+| lib/lib.js:77:2:77:38 | cp.exec ...  + "'") | fs.readFile("'/foo/bar" + name + "'") |
 | uselesscat.js:10:1:10:43 | exec("c ... ut) {}) | fs.readFile("foo/bar", function(err, out) {...}) |
 | uselesscat.js:12:1:14:2 | exec("c ... ut);\\n}) | fs.readFile("/proc/" + id + "/status", function(err, out) {...}) |
 | uselesscat.js:16:1:16:29 | execSyn ... uinfo') | fs.readFileSync("/proc/cpuinfo") |
@@ -89,6 +93,9 @@ options
 | child_process-test.js:53:5:53:59 | cp.spaw ...  cmd])) | child_process-test.js:53:25:53:58 | ['/C',  ... , cmd]) |
 | child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:54:25:54:49 | ['/C',  ... at(cmd) |
 | child_process-test.js:64:3:64:21 | cp.spawn(cmd, args) | child_process-test.js:64:17:64:20 | args |
+| lib/lib.js:152:2:152:23 | cp.spaw ... gs, cb) | lib/lib.js:152:21:152:22 | cb |
+| lib/lib.js:159:2:159:23 | cp.spaw ... gs, cb) | lib/lib.js:159:21:159:22 | cb |
+| lib/lib.js:163:2:167:2 | cp.spaw ... t' }\\n\\t) | lib/lib.js:166:3:166:22 | { stdio: 'inherit' } |
 | uselesscat.js:28:1:28:39 | execSyn ...  1000}) | uselesscat.js:28:28:28:38 | {uid: 1000} |
 | uselesscat.js:30:1:30:64 | exec('c ... t) { }) | uselesscat.js:30:26:30:38 | { cwd: './' } |
 | uselesscat.js:34:1:34:54 | execSyn ... utf8'}) | uselesscat.js:34:36:34:53 | {encoding: 'utf8'} |

javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.expected

@@ -0,0 +1,273 @@
+var cp = require("child_process")
+
+module.exports = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+
+	cp.execFile(name, [name]); // OK
+	cp.execFile(name, name); // OK
+};
+
+module.exports.foo = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+}
+
+module.exports.foo.bar = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+}
+
+function cla() { }
+cla.prototype.method = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+}
+module.exports = new cla();
+
+
+function cla2() { }
+cla2.prototype.method = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+}
+module.exports.bla = new cla2();
+
+module.exports.lib2 = require("./lib2.js")
+
+class Cla3 {
+	constructor(name) {
+		cp.exec("rm -rf " + name); // NOT OK
+	}
+	static foo(name) {
+		cp.exec("rm -rf " + name); // NOT OK
+	}
+	bar(name) {
+		cp.exec("rm -rf " + name); // NOT OK
+
+		cp.exec("rm -rf " + notASource); // OK
+	}
+}
+
+module.exports.cla3 = Cla3;
+
+module.exports.mz = function (name) {
+	require("mz/child_process").exec("rm -rf " + name); // NOT OK.
+}
+
+module.exports.flow = function (name) {
+	var cmd1 = "rm -rf " + name;
+	cp.exec(cmd1); // NOT OK.
+
+	var cmd2 = "rm -rf " + name;
+	function myExec(cmd) {
+		cp.exec(cmd); // NOT OK.
+	}
+	myExec(cmd2);
+}
+
+module.exports.stringConcat = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK.
+
+	cp.exec(name); // OK.
+
+	cp.exec("for foo in (" + name + ") do bla end"); // OK.
+
+	cp.exec("cat /foO/BAR/" + name) // NOT OK.
+
+	cp.exec("cat \"" + name + "\"") // NOT OK.
+
+	cp.exec("cat '" + name + "'") // NOT OK.
+
+	cp.exec("cat '/foo/bar" + name + "'") // NOT OK.
+
+	cp.exec(name + " some file") // OK.    
+}
+
+module.exports.arrays = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK.
+
+	var args1 = ["node"];
+	args1.push(name);
+	cp.exec(args1.join(" ")); // NOT OK.
+
+	cp.exec(["rm -rf", name].join(" ")); // NOT OK.
+
+	cp.exec(["rm -rf", "\"" + name + "\""].join(" ")); // NOT OK.
+
+	cp.execFile("rm", ["-rf", name]); // OK
+}
+
+var util = require("util");
+module.exports.format = function (name) {
+	cp.exec(util.format("rm -rf %s", name)); // NOT OK
+
+	cp.exec(util.format("rm -rf '%s'", name)); // NOT OK
+
+	cp.exec(util.format("rm -rf '/foo/bar/%s'", name)); // NOT OK
+
+	cp.exec(util.format("%s foo/bar", name)); // OK
+
+	cp.exec(util.format("for foo in (%s) do bar end", name)); // OK
+
+	cp.exec(require("printf")('rm -rf %s', name)); // NOT OK
+}
+
+module.exports.valid = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+
+	if (!isValidName(name)) {
+		return;
+	}
+	cp.exec("rm -rf " + name); // OK
+}
+
+module.exports.safe = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+
+	if (!isSafeName(name)) {
+		return;
+	}
+	cp.exec("rm -rf " + name); // OK
+}
+
+class Cla4 {
+	wha(name) {
+		cp.exec("rm -rf " + name); // NOT OK
+	}
+
+	static bla(name) {
+		cp.exec("rm -rf " + name); // OK - not exported
+	}
+	constructor(name) {
+		cp.exec("rm -rf " + name); // OK - not exported
+	}
+}
+module.exports.cla4 = new Cla4();
+
+function Cla5(name) {
+	cp.exec("rm -rf " + name); // OK - not exported
+}
+module.exports.cla5 = new Cla5();
+
+module.exports.indirect = function (name) {
+	let cmd = "rm -rf " + name;
+	let sh = "sh";
+	let args = ["-c", cmd];
+	cp.spawn(sh, args, cb); // NOT OK
+}
+
+module.exports.indirect2 = function (name) {
+	let cmd = name;
+	let sh = "sh";
+	let args = ["-c", cmd];
+	cp.spawn(sh, args, cb); // OK
+
+	let cmd2 = "rm -rf " + name;
+	var args2 = [cmd2];
+	cp.spawn(
+		'cmd.exe',
+		['/C', editor].concat(args2),
+		{ stdio: 'inherit' }
+	);
+}
+
+module.exports.cmd = function (command, name) {
+	cp.exec("fo | " + command); // OK
+
+	cp.exec("fo | " + name); // NOT OK
+
+}
+
+module.exports.sanitizer = function (name) {
+	var sanitized = "'" + name.replace(/'/g, "'\\''") + "'"
+	cp.exec("rm -rf " + sanitized); // OK
+
+	var broken = "'" + name.replace(/'/g, "'\''") + "'"
+	cp.exec("rm -rf " + broken); // NOT OK
+}
+
+var path = require("path");
+module.exports.guard = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+
+	if (!path.exist(name)) {
+		cp.exec("rm -rf " + name); // NOT OK
+		return;
+	}
+	cp.exec("rm -rf " + name); // OK
+}
+
+module.exports.blacklistOfChars = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+
+	if (/[^A-Za-z0-9_\/:=-]/.test(name)) {
+		cp.exec("rm -rf " + name); // NOT OK
+	} else {
+		cp.exec("rm -rf " + name); // OK
+	}
+}
+
+module.exports.whitelistOfChars = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+
+	if (/^[A-Za-z0-9_\/:=-]$/.test(name)) {
+		cp.exec("rm -rf " + name); // OK
+	} else {
+		cp.exec("rm -rf " + name); // NOT OK
+	}
+}
+
+module.exports.blackList2 = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+
+	if (!/^([a-zA-Z0-9]+))?$/.test(name)) {
+		cp.exec("rm -rf " + name); // NOT OK
+		process.exit(-1);
+	}
+
+	cp.exec("rm -rf " + name); // OK - but FP due to tracking flow through `process.exit()`. 
+}
+
+module.exports.accessSync = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+
+	try {
+		path.accessSync(name);
+	} catch (e) {
+		return;
+	}
+
+	cp.exec("rm -rf " + name); // OK - but FP due to `path.accessSync` not being recognized as a sanitizer.
+}
+
+var cleanInput = function (s) {
+	if (/[^A-Za-z0-9_\/:=-]/.test(s)) {
+		s = "'" + s.replace(/'/g, "'\\''") + "'";
+		s = s.replace(/^(?:'')+/g, '') // unduplicate single-quote at the beginning
+			.replace(/\\'''/g, "\\'"); // remove non-escaped single-quote if there are enclosed between 2 escaped
+	}
+	return s;
+}
+
+module.exports.goodSanitizer = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+
+	var cleaned = cleanInput(name);
+
+	cp.exec("rm -rf " + cleaned); // OK
+}
+
+var fs = require("fs");
+module.exports.guard2 = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+
+	if (!fs.existsSync("prefix/" + name)) {
+		cp.exec("rm -rf prefix/" + name); // NOT OK
+		return;
+	}
+	cp.exec("rm -rf prefix/" + name); // OK
+}
+
+module.exports.sanitizerProperty = function (obj) {
+	cp.exec("rm -rf " + obj.version); // NOT OK
+
+	obj.version = "";
+
+	cp.exec("rm -rf " + obj.version); // OK - but FP
+}

javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js

@@ -0,0 +1,9 @@
+var cp = require("child_process")
+
+module.exports = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK - is imported from main module.
+};
+
+module.exports.foo = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK - is imported from main module.
+}; 

javascript/ql/test/query-tests/Security/CWE-078/lib/lib2.js

@@ -0,0 +1,5 @@
+var cp = require("child_process")
+
+module.exports = function (name) {
+	cp.exec("rm -rf " + name); // OK, is not exported to a main-module. 
+};

javascript/ql/test/query-tests/Security/CWE-078/lib/other.js

@@ -0,0 +1,5 @@
+var cp = require("child_process")
+
+module.exports = function (name) {
+	cp.exec("rm -rf " + name); // OK - this file belongs in a sub-"module", and is not the primary exported module.
+};

javascript/ql/test/query-tests/Security/CWE-078/lib/subLib/index.js

@@ -0,0 +1,5 @@
+{
+  "name": "mySubLib",
+  "version": "0.0.7",
+  "main": "./index.js"
+}

javascript/ql/test/query-tests/Security/CWE-078/lib/subLib/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "myLib",
+  "version": "0.0.7",
+  "main": "./lib/lib.js"
+}