argument-injection.js: Minor cleanups

david-a-wheeler · david-a-wheeler · commit 234167843f5b · 2025-01-29T18:05:08.000-05:00
Signed-off-by: David A. Wheeler &lt;dwheeler@dwheeler.com&gt;
diff --git a/docs/labs/argument-injection.js b/docs/labs/argument-injection.js
@@ -3,73 +3,73 @@ info =
   hints: [
     {
       present: String.raw`exec \(`,
-      text: "The `exec` function is vulnerable to command injection. Replace it with `execFile` to improve security.\n"
+      text: "The `exec` function is vulnerable to command injection. Replace it with `execFile` to improve security."
     },
     {
       absent: String.raw`^[\n\r]*\s*execFile\s*\(`,
-      text: "Use the `execFile` function instead of `exec` to avoid shell interpretation. Your line should start with `execFile(`.\n"
+      text: "Use the `execFile` function instead of `exec` to avoid shell interpretation. Your line should start with `execFile(`."
     },
     {
       absent: String.raw`execFile\s*\(\s*['"${BACKQUOTE}]git['"${BACKQUOTE}]\s*,`,
-      text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git' without any of the command arguments.\n"
+      text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git' without any of the command arguments."
     },
     {
       present: String.raw`['"${BACKQUOTE}]git\x20blame['"${BACKQUOTE}]`,
-      text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git', followed by an array with parameters, like this: `execFile('git', ['blame', ...])`.\n"
+      text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git', followed by an array with parameters, like this: `execFile('git', ['blame', ...])`."
     },
     {
       absent: String.raw`\[ ['"${BACKQUOTE}]blame`,
-      text: "Pass the arguments as an array, like this: `execFile('git', ['blame', ...])`.\n"
+      text: "Pass the arguments as an array, like this: `execFile('git', ['blame', ...])`."
     },
     {
       present: "--",
       absent: String.raw`['"${BACKQUOTE}]--['"${BACKQUOTE}]`,
-      text: "To pass `--` you need to pass it as a literal string. Typically this is notated as `'--'` or `\"--\"`.\n"
+      text: "To pass `--` you need to pass it as a literal string. Typically this is notated as `'--'` or `\"--\"`."
     },
     {
       absent: String.raw`\[ ['"${BACKQUOTE}]blame['"${BACKQUOTE}] , ['"${BACKQUOTE}]--['"${BACKQUOTE}] ,`,
-      text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', ...`.\n"
+      text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', ...`."
     },
     {
       present: String.raw`['"${BACKQUOTE}]filePath['"${BACKQUOTE}]`,
-      text: "`filePath` is a variable, use it directly without using quote marks.\n"
+      text: "`filePath` is a variable, use it directly without using quote marks."
     },
     {
       present: String.raw`['"]\$\{filePath\}['"]`,
-      text: "`filePath` is a variable, use it directly without using quote marks. This is simply a constant string beginning with a dollar sign, which is not what you want.\n"
+      text: "`filePath` is a variable, use it directly without using quote marks."
     },
     {
       present: String.raw`${BACKQUOTE}\$\{filePath\}${BACKQUOTE}`,
-      text: "Strictly speaking, using a backquoted template with a single reference to a variable name works. In this case, it's being done to `filePath`. However, this is unnecessarily complicated. When you want to simply refer to a variable's value, use the variable name.\n"
+      text: "Strictly speaking, using a backquoted template with a single reference to a variable name works. In this case, it's being done to `filePath`. However, this is unnecessarily complicated. When you want to simply refer to a variable's value, use the variable name."
     },
     {
       absent: String.raw`\[ ['"${BACKQUOTE}]blame['"${BACKQUOTE}] , ['"${BACKQUOTE}]--['"${BACKQUOTE}] , filePath \]`,
-      text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', filePath]`.\n"
+      text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', filePath]`."
     },
     {
       present: "shell = [fF]alse",
-      text: "When passing options to execFile, you need an option with the options, and those use `:` not `=`. So you should say something like: `{shell: false}`.\n"
+      text: "When passing options to execFile, you need an option with the options, and those use `:` not `=`. So you should say something like: `{shell: false}`."
     },
     {
       present: "[F]alse",
-      text: "JavaScript is case-sensitive. The false value is spelled as `false` and not `False`.\n"
+      text: "JavaScript is case-sensitive. The false value is spelled as `false` and not `False`."
     },
     {
       absent: String.raw`\{ shell : false \}`,
       present: "shell : false",
-      text: "When passing options to execFile, you must provide those options as a JavaScript object. That means you must surround them with `{...}` like this: `{shell: false}`.\n"
+      text: "When passing options to execFile, you must provide those options as a JavaScript object. That means you must surround them with `{...}` like this: `{shell: false}`."
     },
     {
       absent: String.raw`\{ shell : false \}`,
-      text: "We encourage you to explicitly set `shell: false` in the options object to prevent shell interpretation. That is something like this: `execFile('git', ['blame', '--', filePath], { shell: false }, ...`\n"
+      text: "We encourage you to explicitly set `shell: false` in the options object to prevent shell interpretation. That is something like this: `execFile('git', ['blame', '--', filePath], { shell: false }, ...`"
     },
     {
       absent: String.raw`\(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*\)\s*=>`,
-      text: "Maintain the callback function structure with three parameters (typically named error, stdout, and stderr, but any valid variable names are acceptable).\n"
+      text: "Maintain the callback function structure with three parameters (typically named error, stdout, and stderr, but any valid variable names are acceptable)."
     },
     {
       present: String.raw`\) \) =>`,
-      text: "The `exec` function should be closed in later lines, not here.\n"
+      text: "The `exec` function should be closed in later lines, not here."
     }
   ],
   expected: [

Original file line number	Diff line number	Diff line change
`@@ -3,73 +3,73 @@ info =`
`3`	`3`	`hints: [`
`4`	`4`	`{`
`5`	`5`	present: String.raw`exec \(`,
`6`		- text: "The `exec` function is vulnerable to command injection. Replace it with `execFile` to improve security.\n"
	`6`	+ text: "The `exec` function is vulnerable to command injection. Replace it with `execFile` to improve security."
`7`	`7`	`},`
`8`	`8`	`{`
`9`	`9`	absent: String.raw`^[\n\r]\sexecFile\s*\(`,
`10`		- text: "Use the `execFile` function instead of `exec` to avoid shell interpretation. Your line should start with `execFile(`.\n"
	`10`	+ text: "Use the `execFile` function instead of `exec` to avoid shell interpretation. Your line should start with `execFile(`."
`11`	`11`	`},`
`12`	`12`	`{`
`13`	`13`	absent: String.raw`execFile\s\(\s['"${BACKQUOTE}]git['"${BACKQUOTE}]\s*,`,
`14`		- text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git' without any of the command arguments.\n"
	`14`	+ text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git' without any of the command arguments."
`15`	`15`	`},`
`16`	`16`	`{`
`17`	`17`	present: String.raw`['"${BACKQUOTE}]git\x20blame['"${BACKQUOTE}]`,
`18`		- text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git', followed by an array with parameters, like this: `execFile('git', ['blame', ...])`.\n"
	`18`	+ text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git', followed by an array with parameters, like this: `execFile('git', ['blame', ...])`."
`19`	`19`	`},`
`20`	`20`	`{`
`21`	`21`	absent: String.raw`\[ ['"${BACKQUOTE}]blame`,
`22`		- text: "Pass the arguments as an array, like this: `execFile('git', ['blame', ...])`.\n"
	`22`	+ text: "Pass the arguments as an array, like this: `execFile('git', ['blame', ...])`."
`23`	`23`	`},`
`24`	`24`	`{`
`25`	`25`	`present: "--",`
`26`	`26`	absent: String.raw`['"${BACKQUOTE}]--['"${BACKQUOTE}]`,
`27`		- text: "To pass `--` you need to pass it as a literal string. Typically this is notated as `'--'` or `\"--\"`.\n"
	`27`	+ text: "To pass `--` you need to pass it as a literal string. Typically this is notated as `'--'` or `\"--\"`."
`28`	`28`	`},`
`29`	`29`	`{`
`30`	`30`	absent: String.raw`\[ ['"${BACKQUOTE}]blame['"${BACKQUOTE}] , ['"${BACKQUOTE}]--['"${BACKQUOTE}] ,`,
`31`		- text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', ...`.\n"
	`31`	+ text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', ...`."
`32`	`32`	`},`
`33`	`33`	`{`
`34`	`34`	present: String.raw`['"${BACKQUOTE}]filePath['"${BACKQUOTE}]`,
`35`		- text: "`filePath` is a variable, use it directly without using quote marks.\n"
	`35`	+ text: "`filePath` is a variable, use it directly without using quote marks."
`36`	`36`	`},`
`37`	`37`	`{`
`38`	`38`	present: String.raw`['"]\$\{filePath\}['"]`,
`39`		- text: "`filePath` is a variable, use it directly without using quote marks. This is simply a constant string beginning with a dollar sign, which is not what you want.\n"
	`39`	+ text: "`filePath` is a variable, use it directly without using quote marks."
`40`	`40`	`},`
`41`	`41`	`{`
`42`	`42`	present: String.raw`${BACKQUOTE}\$\{filePath\}${BACKQUOTE}`,
`43`		- text: "Strictly speaking, using a backquoted template with a single reference to a variable name works. In this case, it's being done to `filePath`. However, this is unnecessarily complicated. When you want to simply refer to a variable's value, use the variable name.\n"
	`43`	+ text: "Strictly speaking, using a backquoted template with a single reference to a variable name works. In this case, it's being done to `filePath`. However, this is unnecessarily complicated. When you want to simply refer to a variable's value, use the variable name."
`44`	`44`	`},`
`45`	`45`	`{`
`46`	`46`	absent: String.raw`\[ ['"${BACKQUOTE}]blame['"${BACKQUOTE}] , ['"${BACKQUOTE}]--['"${BACKQUOTE}] , filePath \]`,
`47`		- text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', filePath]`.\n"
	`47`	+ text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', filePath]`."
`48`	`48`	`},`
`49`	`49`	`{`
`50`	`50`	`present: "shell = [fF]alse",`
`51`		- text: "When passing options to execFile, you need an option with the options, and those use `:` not `=`. So you should say something like: `{shell: false}`.\n"
	`51`	+ text: "When passing options to execFile, you need an option with the options, and those use `:` not `=`. So you should say something like: `{shell: false}`."
`52`	`52`	`},`
`53`	`53`	`{`
`54`	`54`	`present: "[F]alse",`
`55`		- text: "JavaScript is case-sensitive. The false value is spelled as `false` and not `False`.\n"
	`55`	+ text: "JavaScript is case-sensitive. The false value is spelled as `false` and not `False`."
`56`	`56`	`},`
`57`	`57`	`{`
`58`	`58`	absent: String.raw`\{ shell : false \}`,
`59`	`59`	`present: "shell : false",`
`60`		- text: "When passing options to execFile, you must provide those options as a JavaScript object. That means you must surround them with `{...}` like this: `{shell: false}`.\n"
	`60`	+ text: "When passing options to execFile, you must provide those options as a JavaScript object. That means you must surround them with `{...}` like this: `{shell: false}`."
`61`	`61`	`},`
`62`	`62`	`{`
`63`	`63`	absent: String.raw`\{ shell : false \}`,
`64`		- text: "We encourage you to explicitly set `shell: false` in the options object to prevent shell interpretation. That is something like this: `execFile('git', ['blame', '--', filePath], { shell: false }, ...`\n"
	`64`	+ text: "We encourage you to explicitly set `shell: false` in the options object to prevent shell interpretation. That is something like this: `execFile('git', ['blame', '--', filePath], { shell: false }, ...`"
`65`	`65`	`},`
`66`	`66`	`{`
`67`	`67`	absent: String.raw`\(\s[a-zA-Z_$][a-zA-Z0-9_$]\s,\s[a-zA-Z_$][a-zA-Z0-9_$]\s,\s[a-zA-Z_$][a-zA-Z0-9_$]\s\)\s=>`,
`68`		`- text: "Maintain the callback function structure with three parameters (typically named error, stdout, and stderr, but any valid variable names are acceptable).\n"`
	`68`	`+ text: "Maintain the callback function structure with three parameters (typically named error, stdout, and stderr, but any valid variable names are acceptable)."`
`69`	`69`	`},`
`70`	`70`	`{`
`71`	`71`	present: String.raw`\) \) =>`,
`72`		- text: "The `exec` function should be closed in later lines, not here.\n"
	`72`	+ text: "The `exec` function should be closed in later lines, not here."
`73`	`73`	`}`
`74`	`74`	`],`
`75`	`75`	`expected: [`