CodeQL library for JavaScript

Module UnsafeShellCommandConstruction

Module containing sources, sinks, and sanitizers for shell commands constructed from library input.

Import path

import semmle.javascript.security.dataflow.UnsafeShellCommandConstructionCustomizations

Imports

IndirectCommandArgument

Provides predicates for reasoning about indirect command arguments.

Classes

ArrayAppendEndingInCommandExecutinSink

An element pushed to an array, where the array is later used to execute a shell command.

ChainSanitizer

A chain of replace calls that replaces all characters that are unsafe in shell commands.

ExternalInputSource

A parameter of an exported function, seen as a source for shell commands constructed from library input.

FormatedStringInCommandExecutionSink

A formatted string that is later executed as a shell command.

PathExistsSanitizerGuard

A sanitizer that sanitizes paths that exist in the file system. For example: x is sanitized in fs.existsSync(x) or fs.existsSync(x + "/suffix/path").

ReplaceQuotesSanitizer

A sanitizer like "'" + name.replace(/'/g, "'\\''") + "'", which sanitizes on Unix. The sanitizer is only safe if the result is surrounded by single quotes, which is assumed.
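The quoting pattern that ReplaceQuotesSanitizer recognizes, written out as an added example (not code from the CodeQL library), together with a small POSIX-style tokenizer that shows why the pattern is only safe when the result is surrounded by single quotes. Function names and the sample inputs are my own.

```javascript
// Added example, not part of the CodeQL library.
// Wraps `name` in single quotes; every embedded ' becomes '\'' (close the
// quote, add an escaped quote, reopen the quote), so a POSIX shell sees the
// whole value as one literal word.
function singleQuote(name) {
  return "'" + name.replace(/'/g, "'\\''") + "'";
}

// Simulates how a POSIX shell tokenizes a single argument: inside single
// quotes nothing is special; outside them, the only thing accepted here is a
// backslash-escaped quote. Returns the literal the shell would see, or null
// if any character would be interpreted (spaces, $, ;, backticks, ...).
function shellLiteralOrNull(arg) {
  let out = "";
  let inQuotes = false;
  for (let i = 0; i < arg.length; i++) {
    const c = arg[i];
    if (inQuotes) {
      if (c === "'") inQuotes = false;
      else out += c;
    } else if (c === "'") {
      inQuotes = true;
    } else if (c === "\\" && arg[i + 1] === "'") {
      out += "'";
      i++;
    } else {
      return null; // unquoted character: the shell would interpret it
    }
  }
  return inQuotes ? null : out; // an unterminated quote is also unsafe
}

// Constructed sample inputs (not from the page).
const constructedInputs = ["report.txt", "it's here", "a b; c"];

// A wrapped value always round-trips to the same literal...
function roundTripsWhenWrapped(name) {
  return shellLiteralOrNull(singleQuote(name)) === name;
}

// ...but the replace() call alone, without the surrounding quotes, leaves
// the value exposed to interpretation, so it never round-trips.
function roundTripsWithoutWrapping(name) {
  return shellLiteralOrNull(name.replace(/'/g, "'\\''")) === name;
}
```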

SanitizedChar

A sanitizer for a single character, where the character cannot be an unsafe shell character.

Sanitizer

A sanitizer for shell commands constructed from library input.

Sink

A data flow sink for shell commands constructed from library input.

Source

A data flow source for shell commands constructed from library input.

StringConcatEndingInCommandExecutionSink

A string concatenation that is later executed as a shell command.

TypeOfSanitizer

A guard of the form typeof x === "<T>", where <T> is "number" or "boolean", which sanitizes x in its "then" branch.

Aliases

IncompleteBlacklistSanitizer

Provides classes and predicates for working with incomplete blacklist sanitizers.