JS: fixup for execa.shell and execa.shellSync models

esbena · esbena · commit ab4f3ea25975 · 2020-12-22T09:06:18.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/SystemCommandExecutors.qll b/javascript/ql/src/semmle/javascript/frameworks/SystemCommandExecutors.qll
@@ -18,15 +18,18 @@ private predicate execApi(string mod, string fn, int cmdArg, int optionsArg, boo
     shell = false and
     (
       fn = "node" or
-      fn = "shell" or
-      fn = "shellSync" or
       fn = "stdout" or
       fn = "stderr" or
       fn = "sync"
     )
     or
     shell = true and
-    (fn = "command" or fn = "commandSync")
+    (
+      fn = "command" or
+      fn = "commandSync" or
+      fn = "shell" or
+      fn = "shellSync"
+    )
   ) and
   cmdArg = 0
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-078/Consistency.expected
@@ -1,2 +0,0 @@
-| query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js:8 | expected an alert, but found none | NOT OK | ComandInjection |
-| query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js:9 | expected an alert, but found none | NOT OK | ComandInjection |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment.expected b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment.expected
@@ -4,10 +4,30 @@ nodes
 | tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") |
 | tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname |
 | tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname |
+| tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname |
+| tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname |
+| tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname |
+| tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname |
 edges
 | tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:6:14:6:53 | 'rm -rf ... "temp") |
 | tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:6:14:6:53 | 'rm -rf ... "temp") |
 | tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname | tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") |
 | tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname | tst_shell-command-injection-from-environment.js:6:26:6:53 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname | tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname | tst_shell-command-injection-from-environment.js:8:26:8:53 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname | tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") |
+| tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname | tst_shell-command-injection-from-environment.js:9:30:9:57 | path.jo ... "temp") |
 #select
 | tst_shell-command-injection-from-environment.js:6:14:6:53 | 'rm -rf ... "temp") | tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname | tst_shell-command-injection-from-environment.js:6:14:6:53 | 'rm -rf ... "temp") | This shell command depends on an uncontrolled $@. | tst_shell-command-injection-from-environment.js:6:36:6:44 | __dirname | absolute path |
+| tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") | tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname | tst_shell-command-injection-from-environment.js:8:14:8:53 | 'rm -rf ... "temp") | This shell command depends on an uncontrolled $@. | tst_shell-command-injection-from-environment.js:8:36:8:44 | __dirname | absolute path |
+| tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") | tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname | tst_shell-command-injection-from-environment.js:9:18:9:57 | 'rm -rf ... "temp") | This shell command depends on an uncontrolled $@. | tst_shell-command-injection-from-environment.js:9:40:9:48 | __dirname | absolute path |

Original file line number	Diff line number	Diff line change
`@@ -1,2 +0,0 @@`
`1`		`-\| query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js:8 \| expected an alert, but found none \| NOT OK \| ComandInjection \|`
`2`		`-\| query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js:9 \| expected an alert, but found none \| NOT OK \| ComandInjection \|`