add qhelp

erik-krogh · erik-krogh · commit a779ae58a88b · 2020-02-24T14:03:41.000+01:00
diff --git a/javascript/ql/src/Security/CWE-078/UselessUseOfCat.qhelp b/javascript/ql/src/Security/CWE-078/UselessUseOfCat.qhelp
@@ -3,28 +3,45 @@
 "qhelp.dtd">
 <qhelp>
 <overview>
-	<p>
-		Useless use of cat
-	</p>
-
-
+<p>Using the unix command <code>cat</code> to simply read a file is a 
+unnecessarily complex way to achieve something that can be done simpler and 
+safer using the Node.js <code>fs.readFile</code> API.
+</p>
+<p>
+The use of <code>cat</code> for simple file reads leads to code that is 
+unportable, inefficient, complex, and can lead to subtle bugs or even 
+security vulnerabilities. 
+</p>
 </overview>
 <recommendation>
-	<p>
-		TODO: This is a placeholder
-	</p>
-
+<p>
+Use <code>fs.readFile</code> or <code>fs.readFileSync</code> to read files 
+from the file system. 
+</p>
 </recommendation>
 <example>
-	<p>
-	</p>
+
+<p>The following example shows code that reads a file using <code>cat</code>:</p>
+
+<sample src="examples/useless-cat.js"/>
+
+<p>The code in the example will break if the input <code>name</code> contain 
+special characters (including space), the code does not work on windows,  
+and if the input is user controlled a command injection attack can happen.</p>
+
+<p>To avoid these potential issues the <code>fs.readFile</code> API can be 
+used instead: </p>
+
+<sample src="examples/useless-cat-fixed.js"/>
+
 </example>
 <references>
 
-	<li>
-		OWASP:
-		<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
-	</li>
+<li>
+OWASP: <a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+Node.js: <a href="https://nodejs.org/api/fs.html">File System API</a>. 
+</li>
+
 
 </references>
 </qhelp>
diff --git a/javascript/ql/src/Security/CWE-078/examples/useless-cat-fixed.js b/javascript/ql/src/Security/CWE-078/examples/useless-cat-fixed.js
@@ -0,0 +1,5 @@
+var fs = require('fs');
+
+module.exports = function (name) {
+    return fs.readFileSync(name).toString();
+};
diff --git a/javascript/ql/src/Security/CWE-078/examples/useless-cat.js b/javascript/ql/src/Security/CWE-078/examples/useless-cat.js
@@ -0,0 +1,5 @@
+var child_process = require('child_process');
+
+module.exports = function (name) {
+    return child_process.execSync("cat " + name).toString();
+};
