Merge pull request #1196 from asger-semmle/shelljs

Max Schaefer · web-flow · commit cb2219237889 · 2019-04-05T16:45:45.000+01:00
JS: Add model for shelljs
diff --git a/change-notes/1.21/analysis-javascript.md b/change-notes/1.21/analysis-javascript.md
@@ -8,6 +8,7 @@
   - [Node.js](http://nodejs.org)
   - [Firebase](https://firebase.google.com/)
   - [Express](https://expressjs.com/)
+  - [shelljs](https://www.npmjs.com/package/shelljs)
 
 * The security queries now track data flow through Base64 decoders such as the Node.js `Buffer` class, the DOM function `atob`, and a number of npm packages intcluding [`abab`](https://www.npmjs.com/package/abab), [`atob`](https://www.npmjs.com/package/atob), [`btoa`](https://www.npmjs.com/package/btoa), [`base-64`](https://www.npmjs.com/package/base-64), [`js-base64`](https://www.npmjs.com/package/js-base64), [`Base64.js`](https://www.npmjs.com/package/Base64) and [`base64-js`](https://www.npmjs.com/package/base64-js).
 
diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
@@ -80,6 +80,7 @@ import semmle.javascript.frameworks.PropertyProjection
 import semmle.javascript.frameworks.React
 import semmle.javascript.frameworks.ReactNative
 import semmle.javascript.frameworks.Request
+import semmle.javascript.frameworks.ShellJS
 import semmle.javascript.frameworks.SQL
 import semmle.javascript.frameworks.SocketIO
 import semmle.javascript.frameworks.StringFormatters
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ShellJS.qll b/javascript/ql/src/semmle/javascript/frameworks/ShellJS.qll
@@ -0,0 +1,182 @@
+/**
+ * Models the `shelljs` library in terms of `FileSystemAccess` and `SystemCommandExecution`.
+ */
+import javascript
+
+module ShellJS {
+  /**
+   * Gets an import of the `shelljs` or `async-shelljs` module.
+   */
+  DataFlow::SourceNode shelljs() {
+    result = DataFlow::moduleImport("shelljs") or
+    result = DataFlow::moduleImport("async-shelljs")
+  }
+
+  /** A member of the `shelljs` library. */
+  class Member extends DataFlow::SourceNode {
+    Member::Range range;
+
+    Member() { this = range }
+
+    /** Gets the name of `shelljs` member being referenced, such as `cat` in `shelljs.cat`. */
+    string getName() { result = range.getName() }
+  }
+
+  module Member {
+    /**
+     * A member of the `shelljs` library.
+     *
+     * Can be subclassed to recognize additional values as `shelljs` member functions.
+     */
+    abstract class Range extends DataFlow::SourceNode {
+      abstract string getName();
+    }
+
+    private class DefaultRange extends Range {
+      string name;
+
+      DefaultRange() { this = shelljs().getAPropertyRead(name) }
+
+      override string getName() { result = name }
+    }
+
+    /** The `shelljs.exec` library modelled as a `shelljs` member. */
+    private class ShellJsExec extends Range {
+      ShellJsExec() { this = DataFlow::moduleImport("shelljs.exec") }
+
+      override string getName() { result = "exec" }
+    }
+  }
+
+  /**
+   * A call to one of the functions exported from the `shelljs` library.
+   */
+  class ShellJSCall extends DataFlow::CallNode {
+    string name;
+
+    ShellJSCall() {
+      exists(Member member |
+        this = member.getACall() and
+        name = member.getName()
+      )
+    }
+
+    /** Gets the name of the exported function, such as `rm` in `shelljs.rm()`. */
+    string getName() { result = name }
+
+    /** Holds if the first argument starts with a `-`, indicating it is an option. */
+    predicate hasOptionsArg() {
+      exists(string val |
+        getArgument(0).mayHaveStringValue(val) and
+        val.matches("-%")
+      )
+    }
+
+    /** Gets the `n`th argument after the initial options argument, if any. */
+    DataFlow::Node getTranslatedArgument(int n) {
+      if hasOptionsArg() then result = getArgument(n + 1) else result = getArgument(n)
+    }
+  }
+
+  /**
+   * A file system access that can't be modelled as a read or a write.
+   */
+  private class ShellJSGenericFileAccess extends FileSystemAccess, ShellJSCall {
+    ShellJSGenericFileAccess() {
+      name = "cd" or
+      name = "cp" or
+      name = "chmod" or
+      name = "pushd" or
+      name = "find" or
+      name = "ls" or
+      name = "ln" or
+      name = "mkdir" or
+      name = "mv" or
+      name = "rm" or
+      name = "touch"
+    }
+
+    override DataFlow::Node getAPathArgument() { result = getAnArgument() }
+  }
+
+  /**
+   * A `shelljs` call that returns names of existing files.
+   */
+  private class ShellJSFilenameSource extends FileNameSource, ShellJSCall {
+    ShellJSFilenameSource() {
+      name = "find" or
+      name = "ls"
+    }
+  }
+
+  /**
+   * A file system access that returns the contents of a file.
+   */
+  private class ShellJSRead extends FileSystemReadAccess, ShellJSCall {
+    ShellJSRead() {
+      name = "cat" or
+      name = "head" or
+      name = "sort" or
+      name = "tail" or
+      name = "uniq"
+    }
+
+    override DataFlow::Node getAPathArgument() { result = getAnArgument() }
+
+    override DataFlow::Node getADataNode() { result = this }
+  }
+
+  /**
+   * A file system access that returns the contents of a file, but where certain arguemnts
+   * should be treated as patterns, not filenames.
+   */
+  private class ShellJSPatternRead extends FileSystemReadAccess, ShellJSCall {
+    int offset;
+
+    ShellJSPatternRead() {
+      name = "grep" and offset = 1
+      or
+      name = "sed" and offset = 2
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      // Do not treat regex patterns as filenames.
+      exists(int arg |
+        arg >= offset and
+        result = getTranslatedArgument(arg)
+      )
+    }
+
+    override DataFlow::Node getADataNode() { result = this }
+  }
+
+  /**
+   * A call to `shelljs.exec()` modelled as command execution.
+   */
+  private class ShellJSExec extends SystemCommandExecution, ShellJSCall {
+    ShellJSExec() { name = "exec" }
+
+    override DataFlow::Node getACommandArgument() { result = getArgument(0) }
+  }
+
+  /**
+   * A call to `to()` or `toEnd()` on the `ShellString` object returned from another `shelljs` call,
+   * such as `shelljs.cat(file1).to(file2)`.
+   */
+  private class ShellJSPipe extends FileSystemWriteAccess, DataFlow::CallNode {
+    ShellJSPipe() {
+      exists(string name | this = any(ShellJSCall inner).getAMethodCall(name) |
+        name = "to" or
+        name = "toEnd"
+      )
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result = getArgument(0)
+    }
+
+    override DataFlow::Node getADataNode() {
+      result = getReceiver()
+    }
+  }
+}
diff --git a/javascript/ql/test/library-tests/frameworks/Shelljs/ShellJS.expected b/javascript/ql/test/library-tests/frameworks/Shelljs/ShellJS.expected
@@ -0,0 +1,63 @@
+test_FileSystemAccess
+| tst.js:3:1:3:17 | shelljs.cat(file) |
+| tst.js:4:1:4:25 | shelljs ...  file2) |
+| tst.js:5:1:5:16 | shelljs.cd(file) |
+| tst.js:6:1:6:25 | shelljs ... , file) |
+| tst.js:7:1:7:31 | shelljs ... , file) |
+| tst.js:8:1:8:24 | shelljs ...  file2) |
+| tst.js:9:1:9:30 | shelljs ...  file2) |
+| tst.js:10:1:10:37 | shelljs ...  file3) |
+| tst.js:11:1:11:19 | shelljs.pushd(file) |
+| tst.js:12:1:12:25 | shelljs ... , file) |
+| tst.js:15:1:15:26 | shelljs ...  file2) |
+| tst.js:16:1:16:25 | shelljs ... , file) |
+| tst.js:17:1:17:31 | shelljs ... , file) |
+| tst.js:18:1:18:39 | shelljs ...  file2) |
+| tst.js:19:1:19:18 | shelljs.head(file) |
+| tst.js:20:1:20:24 | shelljs ... , file) |
+| tst.js:21:1:21:32 | shelljs ...  file2) |
+| tst.js:22:1:22:24 | shelljs ...  file2) |
+| tst.js:23:1:23:30 | shelljs ...  file2) |
+| tst.js:24:1:24:16 | shelljs.ls(file) |
+| tst.js:25:1:25:22 | shelljs ... , file) |
+| tst.js:26:1:26:30 | shelljs ...  file2) |
+| tst.js:27:1:27:24 | shelljs ...  file2) |
+| tst.js:28:1:28:19 | shelljs.mkdir(file) |
+| tst.js:29:1:29:25 | shelljs ... , file) |
+| tst.js:30:1:30:33 | shelljs ...  file2) |
+| tst.js:31:1:31:24 | shelljs ...  file2) |
+| tst.js:32:1:32:30 | shelljs ...  file2) |
+| tst.js:33:1:33:17 | shelljs.rm(file1) |
+| tst.js:34:1:34:24 | shelljs ...  file2) |
+| tst.js:35:1:35:30 | shelljs ...  file2) |
+| tst.js:36:1:36:37 | shelljs ... , file) |
+| tst.js:37:1:37:45 | shelljs ...  file2) |
+| tst.js:38:1:38:43 | shelljs ... , file) |
+| tst.js:39:1:39:51 | shelljs ...  file2) |
+| tst.js:40:1:40:18 | shelljs.sort(file) |
+| tst.js:41:1:41:24 | shelljs ... , file) |
+| tst.js:42:1:42:32 | shelljs ...  file2) |
+| tst.js:43:1:43:18 | shelljs.tail(file) |
+| tst.js:44:1:44:24 | shelljs ... , file) |
+| tst.js:45:1:45:32 | shelljs ...  file2) |
+| tst.js:46:1:46:26 | shelljs ...  file2) |
+| tst.js:48:1:48:18 | shelljs.cat(file1) |
+| tst.js:48:1:48:28 | shelljs ... (file2) |
+| tst.js:49:1:49:18 | shelljs.cat(file1) |
+| tst.js:49:1:49:31 | shelljs ... (file2) |
+| tst.js:51:1:51:19 | shelljs.touch(file) |
+| tst.js:52:1:52:25 | shelljs ... , file) |
+| tst.js:53:1:53:33 | shelljs ...  file2) |
+| tst.js:54:1:54:27 | shelljs ...  file2) |
+| tst.js:56:1:56:18 | shelljs.uniq(file) |
+| tst.js:57:1:57:26 | shelljs ...  file2) |
+| tst.js:58:1:58:32 | shelljs ...  file2) |
+test_MissingFileSystemAccess
+test_SystemCommandExecution
+| tst.js:14:1:14:27 | shelljs ... ts, cb) |
+test_FileNameSource
+| tst.js:15:1:15:26 | shelljs ...  file2) |
+| tst.js:24:1:24:16 | shelljs.ls(file) |
+| tst.js:25:1:25:22 | shelljs ... , file) |
+| tst.js:26:1:26:30 | shelljs ...  file2) |
+| tst.js:27:1:27:24 | shelljs ...  file2) |
diff --git a/javascript/ql/test/library-tests/frameworks/Shelljs/ShellJS.ql b/javascript/ql/test/library-tests/frameworks/Shelljs/ShellJS.ql
@@ -0,0 +1,12 @@
+import javascript
+
+query predicate test_FileSystemAccess(FileSystemAccess access) { any() }
+
+query predicate test_MissingFileSystemAccess(VarAccess var) {
+  var.getName().matches("file%") and
+  not exists(FileSystemAccess access | access.getAPathArgument().asExpr() = var)
+}
+
+query predicate test_SystemCommandExecution(SystemCommandExecution exec) { any() }
+
+query predicate test_FileNameSource(FileNameSource exec) { any() }
diff --git a/javascript/ql/test/library-tests/frameworks/Shelljs/tst.js b/javascript/ql/test/library-tests/frameworks/Shelljs/tst.js
@@ -0,0 +1,58 @@
+import shelljs from 'shelljs';
+
+shelljs.cat(file);
+shelljs.cat(file1, file2);
+shelljs.cd(file);
+shelljs.chmod(mode, file);
+shelljs.chmod(opts, mode, file);
+shelljs.cp(file1, file2);
+shelljs.cp(opts, file1, file2);
+shelljs.cp(opts, file1, file2, file3);
+shelljs.pushd(file);
+shelljs.pushd(opts, file);
+shelljs.popd(opts);
+shelljs.exec(cmd, opts, cb);
+shelljs.find(file1, file2);
+shelljs.grep(regex, file);
+shelljs.grep(opts, regex, file);
+shelljs.grep(opts, regex, file1, file2);
+shelljs.head(file);
+shelljs.head(opts, file);
+shelljs.head(opts, file1, file2);
+shelljs.ln(file1, file2);
+shelljs.ln(opts, file1, file2);
+shelljs.ls(file);
+shelljs.ls(opts, file);
+shelljs.ls(opts, file1, file2);
+shelljs.ls(file1, file2);
+shelljs.mkdir(file);
+shelljs.mkdir(opts, file);
+shelljs.mkdir(opts, file1, file2);
+shelljs.mv(file1, file2);
+shelljs.mv(opts, file1, file2);
+shelljs.rm(file1);
+shelljs.rm(file1, file2);
+shelljs.rm(opts, file1, file2);
+shelljs.sed(regex, replacement, file);
+shelljs.sed(regex, replacement, file1, file2);
+shelljs.sed(opts, regex, replacement, file);
+shelljs.sed(opts, regex, replacement, file1, file2);
+shelljs.sort(file);
+shelljs.sort(opts, file);
+shelljs.sort(opts, file1, file2);
+shelljs.tail(file);
+shelljs.tail(opts, file);
+shelljs.tail(opts, file1, file2);
+shelljs.tail(file1, file2);
+
+shelljs.cat(file1).to(file2);
+shelljs.cat(file1).toEnd(file2);
+
+shelljs.touch(file);
+shelljs.touch(opts, file);
+shelljs.touch(opts, file1, file2);
+shelljs.touch(file1, file2);
+
+shelljs.uniq(file);
+shelljs.uniq(file1, file2);
+shelljs.uniq(opts, file1, file2);
