Merge pull request #5653 from erik-krogh/givenCommand

codeql-ci · web-flow · commit 63f087a8e94a · 2021-04-12T02:01:32.000-07:00
Approved by asgerf
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -53,7 +53,12 @@ module UnsafeShellCommandConstruction {
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
     ExternalInputSource() {
       this = Exports::getALibraryInputParameter() and
-      not this.getName() = ["cmd", "command"] // looks to be on purpose.
+      not (
+        // looks to be on purpose.
+        this.getName() = ["cmd", "command"]
+        or
+        this.getName().regexpMatch(".*(Cmd|Command)$") // ends with "Cmd" or "Command"
+      )
     }
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -483,4 +483,9 @@ module.exports.splitConcat = function (name) {
 	let args = ' my name is ' + name; // NOT OK
 	let cmd = 'echo';
 	cp.exec(cmd + args);
+}
+
+module.exports.myCommand = function (myCommand) {
+	let cmd = `cd ${cwd} ; ${myCommand}`; // OK - the parameter name suggests that it is purposely a shell command.
+	cp.exec(cmd);
 }

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,12 @@ module UnsafeShellCommandConstruction {`
`53`	`53`	`class ExternalInputSource extends Source, DataFlow::ParameterNode {`
`54`	`54`	`ExternalInputSource() {`
`55`	`55`	`this = Exports::getALibraryInputParameter() and`
`56`		`- not this.getName() = ["cmd", "command"] // looks to be on purpose.`
	`56`	`+ not (`
	`57`	`+ // looks to be on purpose.`
	`58`	`+ this.getName() = ["cmd", "command"]`
	`59`	`+ or`
	`60`	`+ this.getName().regexpMatch(".*(Cmd\|Command)$") // ends with "Cmd" or "Command"`
	`61`	`+ )`
`57`	`62`	`}`
`58`	`63`	`}`
`59`	`64`