add command parsing model for command-line-args

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll

@@ -60,6 +60,9 @@ module IndirectCommandInjection {
             .getInstance()
             .getMember("parse_args")
             .getACall()
+      or
+      // `require('command-line-args')({...spec})` => `{a: ..., b: ...}`
+      this = DataFlow::moduleImport("command-line-args").getACall()
     }
   }
 

javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected

@@ -158,6 +158,13 @@ nodes
 | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() |
 | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() |
 | command-line-parameter-command-injection.js:102:22:102:44 | parser. ... s().foo |
+| command-line-parameter-command-injection.js:107:8:107:51 | options |
+| command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) |
+| command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) |
+| command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo |
+| command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo |
+| command-line-parameter-command-injection.js:108:22:108:28 | options |
+| command-line-parameter-command-injection.js:108:22:108:32 | options.foo |
 edges
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
 | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] |
@@ -297,6 +304,12 @@ edges
 | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line-parameter-command-injection.js:102:22:102:44 | parser. ... s().foo |
 | command-line-parameter-command-injection.js:102:22:102:44 | parser. ... s().foo | command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo |
 | command-line-parameter-command-injection.js:102:22:102:44 | parser. ... s().foo | command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo |
+| command-line-parameter-command-injection.js:107:8:107:51 | options | command-line-parameter-command-injection.js:108:22:108:28 | options |
+| command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:107:8:107:51 | options |
+| command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:107:8:107:51 | options |
+| command-line-parameter-command-injection.js:108:22:108:28 | options | command-line-parameter-command-injection.js:108:22:108:32 | options.foo |
+| command-line-parameter-command-injection.js:108:22:108:32 | options.foo | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo |
+| command-line-parameter-command-injection.js:108:22:108:32 | options.foo | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo |
 #select
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument |
 | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument |
@@ -324,3 +337,4 @@ edges
 | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line argument |
 | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line argument |
 | command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line-parameter-command-injection.js:102:10:102:44 | "cmd.sh ... s().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:102:22:102:40 | parser.parse_args() | command-line argument |
+| command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line argument |

javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js

@@ -100,4 +100,10 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
 	parser.add_argument('-f', '--foo', { help: 'foo bar' });
 
 	cp.exec("cmd.sh " + parser.parse_args().foo); // NOT OK
-})
+});
+
+(function () {
+	const commandLineArgs = require('command-line-args');
+	const options = commandLineArgs(optionDefinitions);
+	cp.exec("cmd.sh " + options.foo); // NOT OK
+});