Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JS: New Command Execution Sinks #14198

Closed
wants to merge 7 commits into from
Closed

JS: New Command Execution Sinks #14198

wants to merge 7 commits into from

Conversation

am0o0
Copy link
Contributor

@am0o0 am0o0 commented Sep 13, 2023
edited
Loading

Execa package before version 5 has already been modeled but newer versions up to 8 have many new APIs that I've implemented now.
Shelljs package also have a piping feature which I've updated the current shelljs module to support piping too.
Also, dynamic import in nodejs support URLs starts with data: which is dangerous.
There is another nodejs API that accepts the data: URL which is:

const {Worker} = require('node:worker_threads');
new Worker(new URL('data:text/javascript,console.log("hello!");'))

but it needs to be a URL Type as input, not any string value that starts with data:, I'm not sure what is the best way to implement it.

@github-actions github-actions bot added the JS label Sep 13, 2023
@am0o0 am0o0 mentioned this pull request Sep 20, 2023
Closed
2 tasks
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 21, 2023
View reviewed changes
javascript/ql/lib/semmle/javascript/frameworks/Execa.qll Outdated
}
}

// Holds if left parameter is the the left child of a template literal and returns the template literal

Check warning

Code scanning / CodeQL

Comment has repeated word

The comment repeats the.
javascript/ql/lib/semmle/javascript/frameworks/Execa.qll Outdated
// Holds whether Execa has shell enabled options or not, get Parameter responsible for options
private predicate isExecaShellEnable(API::Node n) {
n.getMember("shell").asSink().asExpr().(BooleanLiteral).getValue() = "true" and
exists(n.getMember("shell"))

Check warning

Code scanning / CodeQL

Superfluous 'exists' conjunct.

This conjunct is superfluous as the existence is implied by [this conjunct](1).
@am0o0
Copy link
Contributor Author

am0o0 commented Sep 22, 2023

@eric

@am0o0 am0o0 closed this Sep 22, 2023
@am0o0
Copy link
Contributor Author

am0o0 commented Sep 22, 2023

forked to:
#14291
#14293
#14294

@am0o0 am0o0 deleted the amammad-js-CodeInjection branch September 14, 2024 11:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@am0o0