accept IO redirections as OK

2020-02-19 10:12:24 +01:00 · 2020-02-19 10:12:24 +01:00 · 344060e139
--- a/javascript/ql/src/semmle/javascript/security/UselessUseOfCat.qll
+++ b/javascript/ql/src/semmle/javascript/security/UselessUseOfCat.qll
@ -36,8 +36,8 @@ class UselessCat extends DataFlow::Node {
        commandString = getStartingString(command).trim() and
        (commandString = cat or commandString.regexpMatch(cat + " .*"))
      ) and
-      // `cat` is OK in combination with pipes and wildcards.
-      not getAString(command).regexpMatch(".*(\\*|\\|).*") and
+      // `cat` is OK in combination with pipes, wildcards, and redirections.
+      not getAString(command).regexpMatch(".*(\\*|\\||>|<).*") and
      // It is OK just to spawn "cat" without any arguments.
      not (
        command.mayHaveStringValue(cat) and
--- a/javascript/ql/test/query-tests/Security/CWE-078/UselessCat.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UselessCat.expected
@ -1,2 +1,3 @@
 | False negative | uselesscat.js:69:42:69:69 | // NOT  ... lagged] |
 | False positive | uselesscat.js:18:70:18:118 | // OK [ ... jection |
+| False positive | uselesscat.js:82:80:82:128 | // OK ( ... / gid)) |
--- a/javascript/ql/test/query-tests/Security/CWE-078/uselesscat.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/uselesscat.js
@ -50,10 +50,10 @@ execSync(cmd); // NOT OK
 execSync("cat /proc/cpuinfo | grep -c '" + someValue + "'"); // OK - pipes

 function cat(file) {
-	return execSync('cat ' + file).toString(); // NOT OK [flagged]
+	return execSync('cat ' + file).toString(); // NOT OK
 }

-execSync(`cat ${files.join(' ')} > ${outFile}`); // NOT OK [flagged]
+execSync(`cat ${files.join(' ')} > ${outFile}`); // OK

 var cmd = 'cat package.json | grep'
 exec(cmd); // OK - pipes!
@ -70,4 +70,13 @@ execSync("sh -c 'cat " + newpath + "'"); // NOT OK. [but not flagged]

 exec(` cat ${newpath}`) // NOT OK

-exec(` cat ${newpath} | grep foo`) // OK - pipes
+exec(` cat ${newpath} | grep foo`) // OK - pipes
+
+execSync('cat /proc/cpuinfo > foo/bar/baz').toString(); // OK.
+
+execSync(`cat ${newpath} > ${destpath}`).toString(); // OK.
+
+const Opts = {encoding: 'utf8'}
+execSync(`cat foo/bar/${newpath}`, Opts).slice(0, 7); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync)
+
+execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'}); // OK (fs.readFileSync cannot emulate uid / gid))