JavaScript: Add example of indirect command injection.

Author: Max Schaefer

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected

@@ -38,6 +38,21 @@ nodes
 | child_process-test.js:55:19:55:22 | args |
 | child_process-test.js:56:12:56:14 | cmd |
 | child_process-test.js:56:17:56:20 | args |
+| execSeries.js:3:20:3:22 | arr |
+| execSeries.js:5:4:5:3 | arr |
+| execSeries.js:6:14:6:16 | arr |
+| execSeries.js:6:14:6:21 | arr[i++] |
+| execSeries.js:13:19:13:26 | commands |
+| execSeries.js:14:13:14:20 | commands |
+| execSeries.js:14:24:14:30 | command |
+| execSeries.js:14:41:14:47 | command |
+| execSeries.js:18:7:18:58 | cmd |
+| execSeries.js:18:13:18:47 | require ... , true) |
+| execSeries.js:18:13:18:53 | require ... ).query |
+| execSeries.js:18:13:18:58 | require ... ry.path |
+| execSeries.js:18:34:18:40 | req.url |
+| execSeries.js:19:12:19:16 | [cmd] |
+| execSeries.js:19:13:19:15 | cmd |
 edges
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd |
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:18:17:18:19 | cmd |
@@ -70,6 +85,21 @@ edges
 | child_process-test.js:48:16:48:17 | [] | child_process-test.js:48:9:48:17 | args |
 | child_process-test.js:55:14:55:16 | cmd | child_process-test.js:56:12:56:14 | cmd |
 | child_process-test.js:55:19:55:22 | args | child_process-test.js:56:17:56:20 | args |
+| execSeries.js:3:20:3:22 | arr | execSeries.js:5:4:5:3 | arr |
+| execSeries.js:5:4:5:3 | arr | execSeries.js:6:14:6:16 | arr |
+| execSeries.js:6:14:6:16 | arr | execSeries.js:6:14:6:21 | arr[i++] |
+| execSeries.js:6:14:6:21 | arr[i++] | execSeries.js:14:24:14:30 | command |
+| execSeries.js:13:19:13:26 | commands | execSeries.js:14:13:14:20 | commands |
+| execSeries.js:14:13:14:20 | commands | execSeries.js:3:20:3:22 | arr |
+| execSeries.js:14:13:14:20 | commands | execSeries.js:14:24:14:30 | command |
+| execSeries.js:14:24:14:30 | command | execSeries.js:14:41:14:47 | command |
+| execSeries.js:18:7:18:58 | cmd | execSeries.js:19:13:19:15 | cmd |
+| execSeries.js:18:13:18:47 | require ... , true) | execSeries.js:18:13:18:53 | require ... ).query |
+| execSeries.js:18:13:18:53 | require ... ).query | execSeries.js:18:13:18:58 | require ... ry.path |
+| execSeries.js:18:13:18:58 | require ... ry.path | execSeries.js:18:7:18:58 | cmd |
+| execSeries.js:18:34:18:40 | req.url | execSeries.js:18:13:18:47 | require ... , true) |
+| execSeries.js:19:12:19:16 | [cmd] | execSeries.js:13:19:13:26 | commands |
+| execSeries.js:19:13:19:15 | cmd | execSeries.js:19:12:19:16 | [cmd] |
 #select
 | child_process-test.js:17:13:17:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:17:13:17:15 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:18:17:18:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:18:17:18:19 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
@@ -83,3 +113,4 @@ edges
 | child_process-test.js:44:5:44:34 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:51:5:51:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:50:15:50:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:56:3:56:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command depends on $@. | execSeries.js:18:34:18:40 | req.url | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-078/execSeries.js

@@ -0,0 +1,20 @@
+var exec = require('child_process').exec;
+
+function asyncEach(arr, iterator) {
+  var i = 0;
+  (function iterate() {
+    iterator(arr[i++], function () {
+      if (i < arr.length)
+        process.nextTick(iterate);
+    });
+  })();
+}
+
+function execEach(commands) {
+  asyncEach(commands, (command) => exec(command));
+};
+
+require('http').createServer(function(req, res) {
+  let cmd = require('url').parse(req.url, true).query.path;
+  execEach([cmd]);  // NOT OK
+});