

Commit cd33d35

author
Max Schaefer
committed
JavaScript: Add a test showing a false positive from UnsafeShellCommandConstruction due to infeasible paths.
The path from the API entry point to the sink contains a "return" step. A client of the library cannot match that step, resulting in an infeasible path.
1 parent 6440db7 commit cd33d35

2 files changed

Lines changed: 20 additions & 1 deletion


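--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
@@ -180,6 +180,11 @@ nodes
 | lib/lib.js:324:40:324:42 | arg |
 | lib/lib.js:325:49:325:51 | arg |
 | lib/lib.js:325:49:325:51 | arg |
+| lib/lib.js:329:13:329:13 | x |
+| lib/lib.js:329:13:329:13 | x |
+| lib/lib.js:330:9:330:9 | x |
+| lib/lib.js:336:22:336:31 | id("test") |
+| lib/lib.js:336:22:336:31 | id("test") |
 edges
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
@@ -396,6 +401,10 @@ edges
 | lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg |
 | lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg |
 | lib/lib.js:324:40:324:42 | arg | lib/lib.js:325:49:325:51 | arg |
+| lib/lib.js:329:13:329:13 | x | lib/lib.js:330:9:330:9 | x |
+| lib/lib.js:329:13:329:13 | x | lib/lib.js:330:9:330:9 | x |
+| lib/lib.js:330:9:330:9 | x | lib/lib.js:336:22:336:31 | id("test") |
+| lib/lib.js:330:9:330:9 | x | lib/lib.js:336:22:336:31 | id("test") |
 #select
 | lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |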

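--- a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -324,4 +324,14 @@ module.exports.typeofcheck = function (name) {
 module.exports.typeofcheck = function (arg) {
 var cmd = "MyWindowCommand | findstr /i /c:" + arg; // NOT OK
 cp.exec(cmd);
-}
+}
+
+function id(x) {
+return x;
+}
+
+module.exports.id = id;
+
+module.exports.unproblematic = function() {
+cp.exec("rm -rf " + id("test")); // OK [INCONSISTENCY]
+};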
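Review bot: The `// OK [INCONSISTENCY]` marker on the `cp.exec` line in `unproblematic` records that the result is a known false positive but not why, so a reader comparing it with the new `.expected` entries has to dig up this commit message. If I read the description correctly, the parameter of `id` is treated as library input because `id` is exported (`module.exports.id = id`), and taint then follows the return step back into the library's own constant-argument call, a path no client can actually drive. I'd extend the marker: `// OK [INCONSISTENCY]: constant argument; flagged because id is exported and the return step into this internal call is infeasible for a client`. A one-line comment above `module.exports.id = id;` saying the export is what makes the repro fire would also protect the fixture from being "simplified" later.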
