
Commit fd0d5c9

authored
add command parsing model for "commander"
1 parent 653ebf7 commit fd0d5c9


3 files changed

+108
-8
lines changed


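--- a/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
@@ -90,6 +90,34 @@ module IndirectCommandInjection {
 )
 }
 
+/**
+* A Command instance from the `commander` library.
+*/
+private API::Node commander() {
+result = API::moduleImport("commander")
+or
+// `require("commander").program === require("commander")`
+result = commander().getMember("program")
+or
+result = commander().getMember("Command").getInstance()
+or
+// lots of chainable methods
+result = commander().getAMember().getReturn()
+}
+
+/**
+* A source of user input from the command-line parsed by the `commander` library.
+*/
+private class CommanderSource extends Source {
+CommanderSource() {
+// the parsed commands are stored as properties on the command object.
+this = commander().getAMember().getAnImmediateUse()
+or
+// or the `opts()` method gets a list of them.
+this = commander().getMember("opts").getACall()
+}
+}
+
 /**
 * Gets an instance of `yargs`.
 * Either directly imported as a module, or through some chained method call.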
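Review bot: The `result = commander().getAMember().getReturn()` disjunct of `commander()` is broader than its QLDoc ("A Command instance") states: it also covers the value returned by `opts()`, so a property read on that options object satisfies the first disjunct of `CommanderSource` while the `opts()` call itself satisfies the second, and the expected output in this commit lists the sink at test line 136 twice with different sources (`program.opts()` and `program ... zzaType`). The same branch presumably also turns bare method references such as `program.version` into sources via `getAMember().getAnImmediateUse()`, since any member use of the command node qualifies. Either narrow the first `CommanderSource` disjunct so it does not overlap with the `opts()` call result, or make the over-approximation explicit with a QLDoc line such as `* Also includes values returned by chained calls on a Command; this over-approximates and includes e.g. the object returned by opts().` The enclosing `module IndirectCommandInjection` starts and ends outside this hunk.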

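--- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected
@@ -180,13 +180,37 @@ nodes
 | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
 | command-line-parameter-command-injection.js:124:22:124:25 | opts |
 | command-line-parameter-command-injection.js:124:22:124:29 | opts.foo |
-| command-line-parameter-command-injection.js:127:6:127:38 | opts |
-| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) |
-| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) |
+| command-line-parameter-command-injection.js:127:6:127:26 | opts |
+| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() |
+| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() |
 | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
 | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
 | command-line-parameter-command-injection.js:129:22:129:25 | opts |
 | command-line-parameter-command-injection.js:129:22:129:29 | opts.foo |
+| command-line-parameter-command-injection.js:133:8:133:41 | program |
+| command-line-parameter-command-injection.js:133:10:133:16 | program |
+| command-line-parameter-command-injection.js:133:10:133:16 | program |
+| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() |
+| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:22:137:28 | program |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
+| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() |
+| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType |
 edges
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
 | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] |
@@ -345,12 +369,36 @@ edges
 | command-line-parameter-command-injection.js:124:22:124:25 | opts | command-line-parameter-command-injection.js:124:22:124:29 | opts.foo |
 | command-line-parameter-command-injection.js:124:22:124:29 | opts.foo | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
 | command-line-parameter-command-injection.js:124:22:124:29 | opts.foo | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
-| command-line-parameter-command-injection.js:127:6:127:38 | opts | command-line-parameter-command-injection.js:129:22:129:25 | opts |
-| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line-parameter-command-injection.js:127:6:127:38 | opts |
-| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line-parameter-command-injection.js:127:6:127:38 | opts |
+| command-line-parameter-command-injection.js:127:6:127:26 | opts | command-line-parameter-command-injection.js:129:22:129:25 | opts |
+| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:127:6:127:26 | opts |
+| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:127:6:127:26 | opts |
 | command-line-parameter-command-injection.js:129:22:129:25 | opts | command-line-parameter-command-injection.js:129:22:129:29 | opts.foo |
 | command-line-parameter-command-injection.js:129:22:129:29 | opts.foo | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
 | command-line-parameter-command-injection.js:129:22:129:29 | opts.foo | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
+| command-line-parameter-command-injection.js:133:8:133:41 | program | command-line-parameter-command-injection.js:137:22:137:28 | program |
+| command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:133:8:133:41 | program |
+| command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:133:8:133:41 | program |
+| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:22:137:28 | program | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
 #select
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument |
 | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument |
@@ -381,4 +429,11 @@ edges
 | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line argument |
 | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line argument |
 | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line argument |
-| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line argument |
+| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line argument |
+| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line argument |
+| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line argument |
+| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:133:10:133:16 | program | command-line argument |
+| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line argument |
+| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line argument |
+| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line argument |
+| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line argument |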

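--- a/javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js
@@ -127,4 +127,21 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
 var opts = parser.parse();
 
 cp.exec("cmd.sh " + opts.foo); // NOT OK
-})
+});
+
+(function () {
+const { program } = require('commander');
+program.version('0.0.1');
+
+cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK
+cp.exec("cmd.sh " + program.pizzaType); // NOT OK
+});
+
+(function () {
+const { Command } = require('commander');
+const program = new Command();
+program.version('0.0.1');
+
+cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK
+cp.exec("cmd.sh " + program.pizzaType); // NOT OK
+});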
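Review bot: Neither new snippet exercises the chained-call branch of the model (`commander().getAMember().getReturn()`): both read `program.opts()` or a property straight off the imported or constructed command, and neither calls `parse`. A third case such as `const chained = program.option('-p, --pizza-type <type>').parse(process.argv).opts();` followed by `cp.exec("cmd.sh " + chained.pizzaType); // NOT OK` would pin that branch, and a `// OK` line reading a member that is not user-controlled would document which reads the model is expected not to flag. The surrounding test file begins before this hunk.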
