add model for "meow"

erik-krogh · web-flow · commit 269de4919628 · 2020-11-27T09:57:05.000Z
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
@@ -63,6 +63,9 @@ module IndirectCommandInjection {
       or
       // `require('command-line-args')({...spec})` => `{a: ..., b: ...}`
       this = DataFlow::moduleImport("command-line-args").getACall()
+      or
+      // `require('meow')(help, {...spec})` => `{a: ..., b: ....}`
+      this = DataFlow::moduleImport("meow").getACall()
     }
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected
@@ -165,6 +165,14 @@ nodes
 | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo |
 | command-line-parameter-command-injection.js:108:22:108:28 | options |
 | command-line-parameter-command-injection.js:108:22:108:32 | options.foo |
+| command-line-parameter-command-injection.js:114:8:114:52 | cli |
+| command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) |
+| command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) |
+| command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] |
+| command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] |
+| command-line-parameter-command-injection.js:116:22:116:24 | cli |
+| command-line-parameter-command-injection.js:116:22:116:30 | cli.input |
+| command-line-parameter-command-injection.js:116:22:116:33 | cli.input[0] |
 edges
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
 | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] |
@@ -310,6 +318,13 @@ edges
 | command-line-parameter-command-injection.js:108:22:108:28 | options | command-line-parameter-command-injection.js:108:22:108:32 | options.foo |
 | command-line-parameter-command-injection.js:108:22:108:32 | options.foo | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo |
 | command-line-parameter-command-injection.js:108:22:108:32 | options.foo | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo |
+| command-line-parameter-command-injection.js:114:8:114:52 | cli | command-line-parameter-command-injection.js:116:22:116:24 | cli |
+| command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line-parameter-command-injection.js:114:8:114:52 | cli |
+| command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line-parameter-command-injection.js:114:8:114:52 | cli |
+| command-line-parameter-command-injection.js:116:22:116:24 | cli | command-line-parameter-command-injection.js:116:22:116:30 | cli.input |
+| command-line-parameter-command-injection.js:116:22:116:30 | cli.input | command-line-parameter-command-injection.js:116:22:116:33 | cli.input[0] |
+| command-line-parameter-command-injection.js:116:22:116:33 | cli.input[0] | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] |
+| command-line-parameter-command-injection.js:116:22:116:33 | cli.input[0] | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] |
 #select
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument |
 | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument |
@@ -338,3 +353,4 @@ edges
 | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line argument |
 | command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line argument |
 | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line argument |
+| command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line argument |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js b/javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js
@@ -106,4 +106,12 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
 	const commandLineArgs = require('command-line-args');
 	const options = commandLineArgs(optionDefinitions);
 	cp.exec("cmd.sh " + options.foo); // NOT OK
+});
+
+(function () {
+	const meow = require('meow');
+	 
+	const cli = meow(`helpstring`, {flags: {...flags}});
+
+	cp.exec("cmd.sh " + cli.input[0]); // NOT OK
 });

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,9 @@ module IndirectCommandInjection {`
`63`	`63`	`or`
`64`	`64`	// `require('command-line-args')({...spec})` => `{a: ..., b: ...}`
`65`	`65`	`this = DataFlow::moduleImport("command-line-args").getACall()`
	`66`	`+ or`
	`67`	+ // `require('meow')(help, {...spec})` => `{a: ..., b: ....}`
	`68`	`+ this = DataFlow::moduleImport("meow").getACall()`
`66`	`69`	`}`
`67`	`70`	`}`
`68`	`71`