var cp = require("child_process"),
http = require('http'),
url = require('url');
// Test input for a command-injection analysis: `cmd` is read straight from the
// request query string, so each call below that lets it reach child_process is
// annotated `NOT OK` (expected to be reported) and the constant-only calls `OK`.
var server = http.createServer(function(req, res) {
// url.parse is Node's legacy URL parser; `query.path` is request-controlled input.
let cmd = url.parse(req.url, true).query.path;
cp.exec("foo"); // OK
cp.execSync("foo"); // OK
cp.execFile("foo"); // OK
cp.execFileSync("foo"); // OK
cp.spawn("foo"); // OK
cp.spawnSync("foo"); // OK
cp.fork("foo"); // OK
cp.exec(cmd); // NOT OK
cp.execSync(cmd); // NOT OK
cp.execFile(cmd); // NOT OK
cp.execFileSync(cmd); // NOT OK
cp.spawn(cmd); // NOT OK
cp.spawnSync(cmd); // NOT OK
cp.fork(cmd); // NOT OK
cp.exec("foo" + cmd + "bar"); // NOT OK - request input embedded in a shell command string
// These are technically NOT OK, but they are more likely as false positives:
// the option values below (shell, env.PATH, cwd, uid, gid) come from the request,
// yet they are annotated OK so the analysis does not report them.
cp.exec("foo", {shell: cmd}); // OK
cp.exec("foo", {env: {PATH: cmd}}); // OK
cp.exec("foo", {cwd: cmd}); // OK
cp.exec("foo", {uid: cmd}); // OK
cp.exec("foo", {gid: cmd}); // OK
let sh, flag;
if (process.platform == 'win32')
sh = 'cmd.exe', flag = '/c';
else
sh = '/bin/sh', flag = '-c';
// Explicit shell invocation with `cmd` passed as the script argument after `/c` or `-c`.
cp.spawn(sh, [ flag, cmd ]); // NOT OK
// NOTE(review): `args` is declared with `let` three times in this function body
// (here and twice below); a JS engine rejects that as a redeclaration, so this
// input presumably relies on a tolerant parser — confirm.
let args = [];
args[0] = "-c";
args[1] = cmd; // NOT OK - request input stored into the argument array; the sink is the execFile below
cp.execFile("/bin/bash", args);
let args = [];
args[0] = "-c";
args[1] = cmd; // NOT OK - the array is consumed through the run() wrapper defined below
run("sh", args);
let args = [];
args[0] = `-` + "c";
args[1] = cmd; // NOT OK - same pattern, with the flag and program path built by concatenation
cp.execFile(`/bin` + "/bash", args);
cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // NOT OK
cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // NOT OK
let myArgs = [];
myArgs.push(`-` + "c");
myArgs.push(cmd);
// NOTE(review): this call passes `args` (which already holds `cmd`), not the
// `myArgs` built just above, so the NOT OK here does not depend on `[].push()` support.
cp.execFile(`/bin` + "/bash", args); // NOT OK - but no support for `[].push()` for indirect arguments [INCONSISTENCY]
});
// Wrapper sink used by the `run("sh", args)` call above: the spawn itself is
// annotated OK because the alert is expected at the site where `args` is built.
function run(cmd, args) {
cp.spawn(cmd, args); // OK - the alert happens where `args` is built.
}
var util = require("util")
// Same sink reached through util.promisify: the promisified exec is still
// expected to be reported when the request-controlled `cmd` is passed to it.
http.createServer(function(req, res) {
let cmd = url.parse(req.url, true).query.path;
util.promisify(cp.exec)(cmd); // NOT OK
});
const webpackDevServer = require('webpack-dev-server');
// Sink reached through a webpack-dev-server `before` hook: `req.query.fileName`
// is request input flowing into exec.
// NOTE(review): `compiler` has no declaration anywhere in this file — presumably
// acceptable for analysis input, but confirm.
new webpackDevServer(compiler, {
before: function (app) {
app.use(function (req, res, next) {
cp.exec(req.query.fileName); // NOT OK
require("my-sub-lib").foo(req.query.fileName); // calls lib/subLib/index.js#foo
});
}
});