JS/CommandInjectionQuery

d10c · d10c · commit 54597fdba349 · 2025-10-10T17:30:59.000+02:00
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql

javascript/ql/src/Security/CWE-078/CommandInjection.ql
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
@@ -34,8 +34,9 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(DataFlow::Node node |
-      isSinkWithHighlight(sink, node) and
+    exists(DataFlow::Node node | isSinkWithHighlight(sink, node) |
+      result = sink.getLocation()
+      or
       result = node.getLocation()
     )
   }

Original file line number	Diff line number	Diff line change
`@@ -34,8 +34,9 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {`
`34`	`34`	`predicate observeDiffInformedIncrementalMode() { any() }`
`35`	`35`
`36`	`36`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`37`		`- exists(DataFlow::Node node \|`
`38`		`- isSinkWithHighlight(sink, node) and`
	`37`	`+ exists(DataFlow::Node node \| isSinkWithHighlight(sink, node) \|`
	`38`	`+ result = sink.getLocation()`
	`39`	`+ or`
`39`	`40`	`result = node.getLocation()`
`40`	`41`	`)`
`41`	`42`	`}`