add command parsing model for "commander"

erik-krogh · web-flow · commit fd0d5c9e4607 · 2020-11-27T09:58:00.000Z
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
@@ -90,6 +90,34 @@ module IndirectCommandInjection {
     )
   }
 
+  /**
+   * A Command instance from the `commander` library.
+   */
+  private API::Node commander() {
+    result = API::moduleImport("commander")
+    or
+    // `require("commander").program === require("commander")`
+    result = commander().getMember("program")
+    or
+    result = commander().getMember("Command").getInstance()
+    or
+    // lots of chainable methods
+    result = commander().getAMember().getReturn()
+  }
+
+  /**
+   * A source of user input from the command-line parsed by the `commander` library.
+   */
+  private class CommanderSource extends Source {
+    CommanderSource() {
+      // the parsed commands are stored as properties on the command object.
+      this = commander().getAMember().getAnImmediateUse()
+      or
+      // or the `opts()` method gets a list of them.
+      this = commander().getMember("opts").getACall()
+    }
+  }
+
   /**
    * Gets an instance of `yargs`.
    * Either directly imported as a module, or through some chained method call.
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected
@@ -180,13 +180,37 @@ nodes
 | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
 | command-line-parameter-command-injection.js:124:22:124:25 | opts |
 | command-line-parameter-command-injection.js:124:22:124:29 | opts.foo |
-| command-line-parameter-command-injection.js:127:6:127:38 | opts |
-| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) |
-| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) |
+| command-line-parameter-command-injection.js:127:6:127:26 | opts |
+| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() |
+| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() |
 | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
 | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
 | command-line-parameter-command-injection.js:129:22:129:25 | opts |
 | command-line-parameter-command-injection.js:129:22:129:29 | opts.foo |
+| command-line-parameter-command-injection.js:133:8:133:41 | program |
+| command-line-parameter-command-injection.js:133:10:133:16 | program |
+| command-line-parameter-command-injection.js:133:10:133:16 | program |
+| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() |
+| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:22:137:28 | program |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
+| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() |
+| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType |
 edges
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
 | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] |
@@ -345,12 +369,36 @@ edges
 | command-line-parameter-command-injection.js:124:22:124:25 | opts | command-line-parameter-command-injection.js:124:22:124:29 | opts.foo |
 | command-line-parameter-command-injection.js:124:22:124:29 | opts.foo | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
 | command-line-parameter-command-injection.js:124:22:124:29 | opts.foo | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo |
-| command-line-parameter-command-injection.js:127:6:127:38 | opts | command-line-parameter-command-injection.js:129:22:129:25 | opts |
-| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line-parameter-command-injection.js:127:6:127:38 | opts |
-| command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line-parameter-command-injection.js:127:6:127:38 | opts |
+| command-line-parameter-command-injection.js:127:6:127:26 | opts | command-line-parameter-command-injection.js:129:22:129:25 | opts |
+| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:127:6:127:26 | opts |
+| command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:127:6:127:26 | opts |
 | command-line-parameter-command-injection.js:129:22:129:25 | opts | command-line-parameter-command-injection.js:129:22:129:29 | opts.foo |
 | command-line-parameter-command-injection.js:129:22:129:29 | opts.foo | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
 | command-line-parameter-command-injection.js:129:22:129:29 | opts.foo | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo |
+| command-line-parameter-command-injection.js:133:8:133:41 | program | command-line-parameter-command-injection.js:137:22:137:28 | program |
+| command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:133:8:133:41 | program |
+| command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:133:8:133:41 | program |
+| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:22:137:28 | program | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
+| command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType |
 #select
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument |
 | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument |
@@ -381,4 +429,11 @@ edges
 | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line-parameter-command-injection.js:108:10:108:32 | "cmd.sh ... ons.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:107:18:107:51 | command ... itions) | command-line argument |
 | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line-parameter-command-injection.js:116:10:116:33 | "cmd.sh ... nput[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:114:14:114:52 | meow(`h ... lags}}) | command-line argument |
 | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line-parameter-command-injection.js:124:10:124:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:122:13:122:46 | dashdas ... tions}) | command-line argument |
-| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:127:13:127:38 | parser. ... s.argv) | command-line argument |
+| command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line-parameter-command-injection.js:129:10:129:29 | "cmd.sh " + opts.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:127:13:127:26 | parser.parse() | command-line argument |
+| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:35 | program.opts() | command-line argument |
+| command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line-parameter-command-injection.js:136:10:136:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:136:22:136:45 | program ... zzaType | command-line argument |
+| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:133:10:133:16 | program | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:133:10:133:16 | program | command-line argument |
+| command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line-parameter-command-injection.js:137:10:137:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:137:22:137:38 | program.pizzaType | command-line argument |
+| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:35 | program.opts() | command-line argument |
+| command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line-parameter-command-injection.js:145:10:145:45 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:145:22:145:45 | program ... zzaType | command-line argument |
+| command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line argument |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js b/javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js
@@ -127,4 +127,21 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
 	var opts = parser.parse();
 	
 	cp.exec("cmd.sh " + opts.foo); // NOT OK
-})
+});
+
+(function () {
+	const { program } = require('commander');
+	program.version('0.0.1');
+
+	cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK
+	cp.exec("cmd.sh " + program.pizzaType); // NOT OK
+});
+
+(function () {
+	const { Command } = require('commander');
+	const program = new Command();
+	program.version('0.0.1');
+
+	cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK
+	cp.exec("cmd.sh " + program.pizzaType); // NOT OK
+});
