CodeQL library for JavaScript/TypeScript
codeql/javascript-all 2.0.3-dev (changelog, source)

Module UnsafeShellCommandConstruction

Module containing sources, sinks, and sanitizers for shell commands constructed from library input.

Import path

import semmle.javascript.security.dataflow.UnsafeShellCommandConstructionCustomizations

Imports

IndirectCommandArgument

Provides predicates for reasoning about indirect command arguments.

Predicates

executesArrayAsShell

Holds if the arguments array given to sys is joined as a string because shell is set to true.

Classes

ArrayAppendEndingInCommandExecutinSink

An element pushed to an array, where the array is later used to execute a shell command.

ChainSanitizer

A chain of replace calls that replaces all unsafe characters for shell commands.

ExternalInputSource

A parameter of an exported function, seen as a source for shell commands constructed from library input.

FormatedStringInCommandExecutionSink

A formatted string that is later executed as a shell command.

JoinedPathEndingInCommandExecutionSink

A joined path (path.{resolve/join}(..)) that is later executed as a shell command. Joining a path is similar to string concatenation that automatically inserts slashes.

NumberGuard

A guard that checks whether x is a number.

PathExistsSanitizerGuard

A sanitizer that sanitizes paths that exist in the file system. For example, x is sanitized in fs.existsSync(x) or fs.existsSync(x + "/suffix/path").

ReplaceQuotesSanitizer

A sanitizer like "'" + name.replace(/'/g, "'\\''") + "'", which sanitizes on Unix. The sanitizer is only safe if the result is surrounded by single quotes, which is assumed.

SanitizedChar

A sanitizer for a single character, where the character cannot be an unsafe shell character.

Sanitizer

A sanitizer for shell commands constructed from library input.

ShellTrueCommandExecutionSink

An argument to a command invocation where the shell option is set to true.

Sink

A data flow sink for shell commands constructed from library input.

Source

A data flow source for shell commands constructed from library input.

StringConcatEndingInCommandExecutionSink

A string concatenation that is later executed as a shell command.

TypeOfSanitizer

A guard of the form typeof x === "<T>", where <T> is "number" or "boolean", which sanitizes x in its "then" branch.

Aliases

IncompleteBlacklistSanitizer

Provides classes and predicates for working with incomplete blacklist sanitizers.