|
24 | 24 | [a-zA-Z_$][a-zA-Z0-9_$]* , [a-zA-Z_$][a-zA-Z0-9_$]* \) => \{ \s* |
25 | 25 | </script> |
26 | 26 |
|
27 | | -<script id="info" type="application/yaml"> |
28 | | ---- |
29 | | -hints: |
30 | | -- present: exec \( |
31 | | - text: > |
32 | | - The `exec` function is vulnerable to command injection. Replace it |
33 | | - with `execFile` to improve security. |
34 | | -- absent: |- |
35 | | - ^[\n\r]*\s*execFile\s*\( |
36 | | - text: > |
37 | | - Use the `execFile` function instead of `exec` to avoid shell interpretation. |
38 | | - Your line should start with `execFile(`. |
39 | | -- absent: |- |
40 | | - execFile\s*\(\s*['"`]git['"`]\s*, |
41 | | - text: > |
42 | | - Separate the command and its arguments. The first argument to `execFile` |
43 | | - should be the command 'git' without any of the command arguments. |
44 | | -- present: |- |
45 | | - ['"`]git\x20blame['"`] |
46 | | - text: > |
47 | | - Separate the command and its arguments. The first argument to `execFile` |
48 | | - should be the command 'git', followed by an array with parameters, |
49 | | - like this: |
50 | | - `execFile('git', ['blame', ...])`. |
51 | | -- absent: |- |
52 | | - \[ ['"`]blame |
53 | | - text: > |
54 | | - Pass the arguments as an array, like this: |
55 | | - `execFile('git', ['blame', ...])`. |
56 | | -- present: |- |
57 | | - -- |
58 | | - absent: |- |
59 | | - ['"`]--['"`] |
60 | | - text: > |
61 | | - To pass `--` you need to pass it as a literal string. Typically this |
62 | | - is notated as `'--'` or `"--"`. |
63 | | -- absent: |- |
64 | | - \[ ['"`]blame['"`] , ['"`]--['"`] , |
65 | | - text: > |
66 | | - Pass the arguments as an array. Include '--' before the file path to |
67 | | - prevent argument injection. Your array should look like |
68 | | - `['blame', '--', ...`. |
69 | | -- present: |- |
70 | | - ['"`]filePath['"`] |
71 | | - text: > |
72 | | - `filePath` is a variable, use it directly without using quote marks. |
73 | | -- present: |- |
74 | | - ['"]\$\{filePath\}['"] |
75 | | - text: > |
76 | | - `filePath` is a variable, use it directly without using quote marks. |
77 | | - This is simply a constant string beginning with a dollar sign, which |
78 | | - is not what you want. |
79 | | -- present: |- |
80 | | - `\$\{filePath\}` |
81 | | - text: > |
82 | | - Strictly speaking, using a backquoted template with a single |
83 | | - reference to a variable name works. In this case, it's being done to |
84 | | - `filePath`. However, this is unnecessarily complicated. |
85 | | - When you want to simply refer to a variable's value, use the variable name. |
86 | | -- absent: |- |
87 | | - \[ ['"`]blame['"`] , ['"`]--['"`] , filePath \] |
88 | | - text: > |
89 | | - Pass the arguments as an array. Include '--' before the file path to |
90 | | - prevent argument injection. Your array should look like |
91 | | - `['blame', '--', filePath]`. |
92 | | -- present: |- |
93 | | - shell = [fF]alse |
94 | | - text: > |
95 | | - When passing options to execFile, you need an option with the options, |
96 | | - and those use `:` not `=`. So you should say something like: |
97 | | - `{shell: false}`. |
98 | | -# Represent the term "False" specially, to avoid YAML parsing problems. |
99 | | -- present: |- |
100 | | - [F]alse |
101 | | - text: > |
102 | | - JavaScript is case-sensitive. The false value is spelled |
103 | | - as `false` and not `False`. |
104 | | -- absent: |- |
105 | | - \{ shell : false \} |
106 | | - present: |- |
107 | | - shell : false |
108 | | - text: > |
109 | | - When passing options to execFile, you must provide those options as |
110 | | - a JavaScript object. That means you must surround them with `{...}` |
111 | | - like this: `{shell: false}`. |
112 | | -- absent: |- |
113 | | - \{ shell : false \} |
114 | | - text: > |
115 | | - We encourage you to explicitly set `shell: false` in the options |
116 | | - object to prevent shell interpretation. That is something like this: |
117 | | - `execFile('git', ['blame', '--', filePath], { shell: false }, ...` |
118 | | -- absent: |- |
119 | | - \(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*\)\s*=> |
120 | | - text: > |
121 | | - Maintain the callback function structure with three parameters |
122 | | - (typically named error, stdout, and stderr, but any valid variable |
123 | | - names are acceptable). |
124 | | -- present: |- |
125 | | - \) \) => |
126 | | - text: > |
127 | | - The `exec` function should be closed in later lines, not here. |
128 | | -successes: |
129 | | -- |
130 | | - - " execFile('git', ['blame', '--', filePath], { shell: false }, (error, stdout, stderr) => {" |
131 | | - # Allow omitting shell:false since that is the default |
132 | | - - " execFile('git', ['blame', '--', filePath], (error, stdout, stderr) => {" |
133 | | - # Allow empty options, since shell:false is the default |
134 | | - - " execFile('git', ['blame', '--', filePath], {}, (error, stdout, stderr) => {" |
135 | | -failures: |
136 | | -# Using exec instead of execFile |
137 | | -- |
138 | | - - " exec(`git blame ${filePath}`, (error, stdout, stderr) => {" |
139 | | -# Missing '--' argument |
140 | | -- |
141 | | - - " execFile('git', ['blame', filePath], { shell: false }, (error, stdout, stderr) => {" |
142 | | -# Incorrect argument order |
143 | | -- |
144 | | - - " execFile('git blame', [filePath], { shell: false }, (error, stdout, stderr) => {" |
145 | | -</script> |
146 | | - |
147 | 27 | </head> |
148 | 28 | <body> |
149 | 29 | <!-- For GitHub Pages formatting: --> |
|