add command parsing model for "arg"

erik-krogh · web-flow · commit 45067ee651b3 · 2020-11-27T09:57:05.000Z
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
@@ -49,6 +49,9 @@ module IndirectCommandInjection {
       or
       // `require('optimist').argv` => `{ _: [], a: ... b: ... }`
       this = DataFlow::moduleMember("optimist", "argv")
+      or
+      // `require("arg")({...spec})` => `{_: [], a: ..., b: ...}`
+      this = DataFlow::moduleImport("arg").getACall()
     }
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected
@@ -115,15 +115,15 @@ nodes
 | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
 | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
 | command-line-parameter-command-injection.js:72:22:72:27 | taint4 |
-| command-line-parameter-command-injection.js:76:8:76:35 | args |
+| command-line-parameter-command-injection.js:76:8:76:35 | argv |
 | command-line-parameter-command-injection.js:76:15:76:26 | process.argv |
 | command-line-parameter-command-injection.js:76:15:76:26 | process.argv |
 | command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) |
-| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo |
-| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo |
-| command-line-parameter-command-injection.js:79:22:79:35 | minimist(args) |
-| command-line-parameter-command-injection.js:79:22:79:39 | minimist(args).foo |
-| command-line-parameter-command-injection.js:79:31:79:34 | args |
+| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
+| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
+| command-line-parameter-command-injection.js:79:22:79:35 | minimist(argv) |
+| command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo |
+| command-line-parameter-command-injection.js:79:31:79:34 | argv |
 | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
 | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
 | command-line-parameter-command-injection.js:82:22:82:50 | subarg( ... ice(2)) |
@@ -138,14 +138,21 @@ nodes
 | command-line-parameter-command-injection.js:85:34:85:45 | process.argv |
 | command-line-parameter-command-injection.js:85:34:85:45 | process.argv |
 | command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) |
-| command-line-parameter-command-injection.js:88:8:88:39 | flags |
-| command-line-parameter-command-injection.js:88:16:88:39 | args.pa ... s.argv) |
-| command-line-parameter-command-injection.js:88:27:88:38 | process.argv |
-| command-line-parameter-command-injection.js:88:27:88:38 | process.argv |
+| command-line-parameter-command-injection.js:88:6:88:37 | flags |
+| command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) |
+| command-line-parameter-command-injection.js:88:25:88:36 | process.argv |
+| command-line-parameter-command-injection.js:88:25:88:36 | process.argv |
 | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
 | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
 | command-line-parameter-command-injection.js:89:22:89:26 | flags |
 | command-line-parameter-command-injection.js:89:22:89:30 | flags.foo |
+| command-line-parameter-command-injection.js:91:6:91:38 | flags |
+| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) |
+| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) |
+| command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
+| command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
+| command-line-parameter-command-injection.js:92:22:92:26 | flags |
+| command-line-parameter-command-injection.js:92:22:92:30 | flags.foo |
 edges
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
 | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] |
@@ -248,14 +255,14 @@ edges
 | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line-parameter-command-injection.js:71:6:71:16 | [...taint4] |
 | command-line-parameter-command-injection.js:72:22:72:27 | taint4 | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
 | command-line-parameter-command-injection.js:72:22:72:27 | taint4 | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
-| command-line-parameter-command-injection.js:76:8:76:35 | args | command-line-parameter-command-injection.js:79:31:79:34 | args |
+| command-line-parameter-command-injection.js:76:8:76:35 | argv | command-line-parameter-command-injection.js:79:31:79:34 | argv |
 | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) |
 | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) |
-| command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) | command-line-parameter-command-injection.js:76:8:76:35 | args |
-| command-line-parameter-command-injection.js:79:22:79:35 | minimist(args) | command-line-parameter-command-injection.js:79:22:79:39 | minimist(args).foo |
-| command-line-parameter-command-injection.js:79:22:79:39 | minimist(args).foo | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo |
-| command-line-parameter-command-injection.js:79:22:79:39 | minimist(args).foo | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo |
-| command-line-parameter-command-injection.js:79:31:79:34 | args | command-line-parameter-command-injection.js:79:22:79:35 | minimist(args) |
+| command-line-parameter-command-injection.js:76:15:76:35 | process ... lice(2) | command-line-parameter-command-injection.js:76:8:76:35 | argv |
+| command-line-parameter-command-injection.js:79:22:79:35 | minimist(argv) | command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo |
+| command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
+| command-line-parameter-command-injection.js:79:22:79:39 | minimist(argv).foo | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo |
+| command-line-parameter-command-injection.js:79:31:79:34 | argv | command-line-parameter-command-injection.js:79:22:79:35 | minimist(argv) |
 | command-line-parameter-command-injection.js:82:22:82:50 | subarg( ... ice(2)) | command-line-parameter-command-injection.js:82:22:82:54 | subarg( ... 2)).foo |
 | command-line-parameter-command-injection.js:82:22:82:54 | subarg( ... 2)).foo | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
 | command-line-parameter-command-injection.js:82:22:82:54 | subarg( ... 2)).foo | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo |
@@ -268,13 +275,19 @@ edges
 | command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) |
 | command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) |
 | command-line-parameter-command-injection.js:85:34:85:54 | process ... lice(2) | command-line-parameter-command-injection.js:85:22:85:55 | yargsPa ... ice(2)) |
-| command-line-parameter-command-injection.js:88:8:88:39 | flags | command-line-parameter-command-injection.js:89:22:89:26 | flags |
-| command-line-parameter-command-injection.js:88:16:88:39 | args.pa ... s.argv) | command-line-parameter-command-injection.js:88:8:88:39 | flags |
-| command-line-parameter-command-injection.js:88:27:88:38 | process.argv | command-line-parameter-command-injection.js:88:16:88:39 | args.pa ... s.argv) |
-| command-line-parameter-command-injection.js:88:27:88:38 | process.argv | command-line-parameter-command-injection.js:88:16:88:39 | args.pa ... s.argv) |
+| command-line-parameter-command-injection.js:88:6:88:37 | flags | command-line-parameter-command-injection.js:89:22:89:26 | flags |
+| command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) | command-line-parameter-command-injection.js:88:6:88:37 | flags |
+| command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) |
+| command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:88:14:88:37 | args.pa ... s.argv) |
 | command-line-parameter-command-injection.js:89:22:89:26 | flags | command-line-parameter-command-injection.js:89:22:89:30 | flags.foo |
 | command-line-parameter-command-injection.js:89:22:89:30 | flags.foo | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
 | command-line-parameter-command-injection.js:89:22:89:30 | flags.foo | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo |
+| command-line-parameter-command-injection.js:91:6:91:38 | flags | command-line-parameter-command-injection.js:92:22:92:26 | flags |
+| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:91:6:91:38 | flags |
+| command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:91:6:91:38 | flags |
+| command-line-parameter-command-injection.js:92:22:92:26 | flags | command-line-parameter-command-injection.js:92:22:92:30 | flags.foo |
+| command-line-parameter-command-injection.js:92:22:92:30 | flags.foo | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
+| command-line-parameter-command-injection.js:92:22:92:30 | flags.foo | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo |
 #select
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument |
 | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument |
@@ -296,7 +309,8 @@ edges
 | command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line argument |
 | command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line argument |
 | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line argument |
-| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gs).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line argument |
+| command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line-parameter-command-injection.js:79:10:79:39 | "cmd.sh ... gv).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:76:15:76:26 | process.argv | command-line argument |
 | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo | command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line-parameter-command-injection.js:82:10:82:54 | "cmd.sh ... 2)).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:82:29:82:40 | process.argv | command-line argument |
 | command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo | command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line-parameter-command-injection.js:85:10:85:59 | "cmd.sh ... 2)).foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:85:34:85:45 | process.argv | command-line argument |
-| command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:88:27:88:38 | process.argv | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:88:27:88:38 | process.argv | command-line argument |
+| command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line-parameter-command-injection.js:89:10:89:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:88:25:88:36 | process.argv | command-line argument |
+| command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line-parameter-command-injection.js:92:10:92:30 | "cmd.sh ... ags.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:91:14:91:38 | require ... .spec}) | command-line argument |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js b/javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js
@@ -73,10 +73,10 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
 });
 
 (function () {
-	const args = process.argv.slice(2);
+	const argv = process.argv.slice(2);
 
 	var minimist = require("minimist");
-	cp.exec("cmd.sh " + minimist(args).foo); // NOT OK
+	cp.exec("cmd.sh " + minimist(argv).foo); // NOT OK
 
 	var subarg = require('subarg');
 	cp.exec("cmd.sh " + subarg(process.argv.slice(2)).foo); // NOT OK
@@ -85,6 +85,9 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
 	cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // NOT OK
 
 	import args from 'args'
-	const flags = args.parse(process.argv);
+	var flags = args.parse(process.argv);
+	cp.exec("cmd.sh " + flags.foo); // NOT OK
+
+	var flags = require('arg')({...spec});
 	cp.exec("cmd.sh " + flags.foo); // NOT OK
 })

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,9 @@ module IndirectCommandInjection {`
`49`	`49`	`or`
`50`	`50`	// `require('optimist').argv` => `{ _: [], a: ... b: ... }`
`51`	`51`	`this = DataFlow::moduleMember("optimist", "argv")`
	`52`	`+ or`
	`53`	+ // `require("arg")({...spec})` => `{_: [], a: ..., b: ...}`
	`54`	`+ this = DataFlow::moduleImport("arg").getACall()`
`52`	`55`	`}`
`53`	`56`	`}`
`54`	`57`