Merge pull request #752 from ossf/argument_injections_no_yaml

david-a-wheeler · web-flow · commit c2466e41fcfa · 2025-01-29T18:17:58.000-05:00
Argument injections no yaml
diff --git a/docs/labs/argument-injection.html b/docs/labs/argument-injection.html
@@ -7,142 +7,9 @@
 <link rel="stylesheet" href="checker.css">
 <script src="js-yaml.min.js"></script>
 <script src="checker.js"></script>
+<script src="argument-injection.js"></script>
 <link rel="license" href="https://creativecommons.org/licenses/by/4.0/">
 
-<!-- expected answer -->
-<script id="expected0" type="plain/text">
-  execFile('git', ['blame', '--', filePath], { shell: false }, (error, stdout, stderr) => {
-</script>
-
-<script id="correct0" type="plain/text">
-\s* execFile \(
- ('git'|"git"|`git`) ,
- \[ ('blame'|"blame"|`blame`) , ('--'|"--"|`--`) , filePath \] ,
- (\{ (shell : false)? \} ,)?
- \( [a-zA-Z_$][a-zA-Z0-9_$]* ,
-    [a-zA-Z_$][a-zA-Z0-9_$]* , [a-zA-Z_$][a-zA-Z0-9_$]* \) => \{ \s*
-</script>
-
-<script id="info" type="application/yaml">
----
-hints:
-- present: exec \(
-  text: >
-    The `exec` function is vulnerable to command injection. Replace it
-    with `execFile` to improve security.
-- absent: |-
-    ^[\n\r]*\s*execFile\s*\(
-  text: >
-    Use the `execFile` function instead of `exec` to avoid shell interpretation.
-    Your line should start with `execFile(`.
-- absent: |-
-    execFile\s*\(\s*['"\`]git['"`]\s*,
-  text: >
-    Separate the command and its arguments. The first argument to `execFile`
-    should be the command 'git' without any of the command arguments.
-- present: |-
-    ['"\`]git\x20blame['"\`]
-  text: >
-    Separate the command and its arguments. The first argument to `execFile`
-    should be the command 'git', followed by an array with parameters,
-    like this:
-    `execFile('git', ['blame', ...])`.
-- absent: |-
-    \[ ['"`]blame
-  text: >
-    Pass the arguments as an array, like this:
-    `execFile('git', ['blame', ...])`.
-- present: |-
-    --
-  absent: |-
-    ['"\`]--['"`]
-  text: >
-    To pass `--` you need to pass it as a literal string. Typically this
-    is notated as `'--'` or `"--"`.
-- absent: |-
-    \[ ['"\`]blame['"`] , ['"\`]--['"`] ,
-  text: >
-    Pass the arguments as an array. Include '--' before the file path to
-    prevent argument injection. Your array should look like
-    `['blame', '--', ...`.
-- present: |-
-    ['"\`]filePath['"\`]
-  text: >
-    `filePath` is a variable, use it directly without using quote marks.
-- present: |-
-    ['"]\$\{filePath\}['"]
-  text: >
-    `filePath` is a variable, use it directly without using quote marks.
-    This is simply a constant string beginning with a dollar sign, which
-    is not what you want.
-- present: |-
-    \`\$\{filePath\}\`
-  text: >
-    Strictly speaking, using a backquoted template with a single
-    reference to a variable name works. In this case, it's being done to
-    `filePath`. However, this is unnecessarily complicated.
-    When you want to simply refer to a variable's value, use the variable name.
-- absent: |-
-    \[ ['"\`]blame['"`] , ['"\`]--['"`] , filePath \]
-  text: >
-    Pass the arguments as an array. Include '--' before the file path to
-    prevent argument injection. Your array should look like
-    `['blame', '--', filePath]`.
-- present: |-
-    shell = [fF]alse
-  text: >
-    When passing options to execFile, you need an option with the options,
-    and those use `:` not `=`. So you should say something like:
-    `{shell: false}`.
-# Represent the term "False" specially, to avoid YAML parsing problems.
-- present: |-
-    [F]alse
-  text: >
-    JavaScript is case-sensitive. The false value is spelled
-    as `false` and not `False`.
-- absent: |-
-    \{ shell : false \}
-  present: |-
-    shell : false
-  text: >
-    When passing options to execFile, you must provide those options as
-    a JavaScript object. That means you must surround them with `{...}`
-    like this: `{shell: false}`.
-- absent: |-
-    \{ shell : false \}
-  text: >
-    We encourage you to explicitly set `shell: false` in the options
-    object to prevent shell interpretation. That is something like this:
-    `execFile('git', ['blame', '--', filePath], { shell: false }, ...`
-- absent: |-
-    \(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*\)\s*=>
-  text: >
-    Maintain the callback function structure with three parameters
-    (typically named error, stdout, and stderr, but any valid variable
-    names are acceptable).
-- present: |-
-    \) \) =>
-  text: >
-    The `exec` function should be closed in later lines, not here.
-successes:
--
-  - "    execFile('git', ['blame', '--', filePath], { shell: false }, (error, stdout, stderr) => {"
-  # Allow omitting shell:false since that is the default
-  - "    execFile('git', ['blame', '--', filePath], (error, stdout, stderr) => {"
-  # Allow empty options, since shell:false is the default
-  - "    execFile('git', ['blame', '--', filePath], {}, (error, stdout, stderr) => {"
-failures:
-# Using exec instead of execFile
--
-  - "    exec(`git blame ${filePath}`, (error, stdout, stderr) => {"
-# Missing '--' argument
--
-  - "    execFile('git', ['blame', filePath], { shell: false }, (error, stdout, stderr) => {"
-# Incorrect argument order
--
-  - "    execFile('git blame', [filePath], { shell: false }, (error, stdout, stderr) => {"
-</script>
-
 </head>
 <body>
 <!-- For GitHub Pages formatting: -->
diff --git a/docs/labs/argument-injection.js b/docs/labs/argument-injection.js
@@ -0,0 +1,105 @@
+info =
+{
+  hints: [
+    {
+      present: String.raw`exec \(`,
+      text: "The `exec` function is vulnerable to command injection. Replace it with `execFile` to improve security."
+    },
+    {
+      absent: String.raw`^[\n\r]*\s*execFile\s*\(`,
+      text: "Use the `execFile` function instead of `exec` to avoid shell interpretation. Your line should start with `execFile(`."
+    },
+    {
+      absent: String.raw`execFile\s*\(\s*['"${BACKQUOTE}]git['"${BACKQUOTE}]\s*,`,
+      text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git' without any of the command arguments."
+    },
+    {
+      present: String.raw`['"${BACKQUOTE}]git\x20blame['"${BACKQUOTE}]`,
+      text: "Separate the command and its arguments. The first argument to `execFile` should be the command 'git', followed by an array with parameters, like this: `execFile('git', ['blame', ...])`."
+    },
+    {
+      absent: String.raw`\[ ['"${BACKQUOTE}]blame`,
+      text: "Pass the arguments as an array, like this: `execFile('git', ['blame', ...])`."
+    },
+    {
+      present: "--",
+      absent: String.raw`['"${BACKQUOTE}]--['"${BACKQUOTE}]`,
+      text: "To pass `--` you need to pass it as a literal string. Typically this is notated as `'--'` or `\"--\"`."
+    },
+    {
+      absent: String.raw`\[ ['"${BACKQUOTE}]blame['"${BACKQUOTE}] , ['"${BACKQUOTE}]--['"${BACKQUOTE}] ,`,
+      text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', ...`."
+    },
+    {
+      present: String.raw`['"${BACKQUOTE}]filePath['"${BACKQUOTE}]`,
+      text: "`filePath` is a variable, use it directly without using quote marks."
+    },
+    {
+      present: String.raw`['"]\$\{filePath\}['"]`,
+      text: "`filePath` is a variable, use it directly without using quote marks."
+    },
+    {
+      present: String.raw`${BACKQUOTE}\$\{filePath\}${BACKQUOTE}`,
+      text: "Strictly speaking, using a backquoted template with a single reference to a variable name works. In this case, it's being done to `filePath`. However, this is unnecessarily complicated. When you want to simply refer to a variable's value, use the variable name."
+    },
+    {
+      absent: String.raw`\[ ['"${BACKQUOTE}]blame['"${BACKQUOTE}] , ['"${BACKQUOTE}]--['"${BACKQUOTE}] , filePath \]`,
+      text: "Pass the arguments as an array. Include '--' before the file path to prevent argument injection. Your array should look like `['blame', '--', filePath]`."
+    },
+    {
+      present: "shell = [fF]alse",
+      text: "When passing options to execFile, you need an option with the options, and those use `:` not `=`. So you should say something like: `{shell: false}`."
+    },
+    {
+      present: "[F]alse",
+      text: "JavaScript is case-sensitive. The false value is spelled as `false` and not `False`."
+    },
+    {
+      absent: String.raw`\{ shell : false \}`,
+      present: "shell : false",
+      text: "When passing options to execFile, you must provide those options as a JavaScript object. That means you must surround them with `{...}` like this: `{shell: false}`."
+    },
+    {
+      absent: String.raw`\{ shell : false \}`,
+      text: "We encourage you to explicitly set `shell: false` in the options object to prevent shell interpretation. That is something like this: `execFile('git', ['blame', '--', filePath], { shell: false }, ...`"
+    },
+    {
+      absent: String.raw`\(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*\)\s*=>`,
+      text: "Maintain the callback function structure with three parameters (typically named error, stdout, and stderr, but any valid variable names are acceptable)."
+    },
+    {
+      present: String.raw`\) \) =>`,
+      text: "The `exec` function should be closed in later lines, not here."
+    }
+  ],
+  expected: [
+    `execFile('git', ['blame', '--', filePath], { shell: false }, (error, stdout, stderr) => {`
+  ],
+  correct: [
+    String.raw`\s* execFile \(
+      ('git'|"git"|${BACKQUOTE}git${BACKQUOTE}) ,
+      \[ ('blame'|"blame"|${BACKQUOTE}blame${BACKQUOTE}) ,
+         ('--'|"--"|${BACKQUOTE}--${BACKQUOTE}) , filePath \] ,
+      (\{ (shell : false)? \} ,)?
+      \( [a-zA-Z_$][a-zA-Z0-9_$]* ,
+         [a-zA-Z_$][a-zA-Z0-9_$]* , [a-zA-Z_$][a-zA-Z0-9_$]* \) => \{ \s*`
+  ],
+  successes: [
+    [
+      "    execFile('git', ['blame', '--', filePath], { shell: false }, (error, stdout, stderr) => {",
+      "    execFile('git', ['blame', '--', filePath], (error, stdout, stderr) => {",
+      "    execFile('git', ['blame', '--', filePath], {}, (error, stdout, stderr) => {"
+    ]
+  ],
+  failures: [
+    [
+      "    exec(`git blame ${filePath}`, (error, stdout, stderr) => {"
+    ],
+    [
+      "    execFile('git', ['blame', filePath], { shell: false }, (error, stdout, stderr) => {"
+    ],
+    [
+      "    execFile('git blame', [filePath], { shell: false }, (error, stdout, stderr) => {"
+    ]
+  ]
+}
