JS: Add modeling for @google-cloud/promisify

Napalys · Napalys · commit 312471e9db57 · 2025-09-15T16:55:27.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/Promises.qll b/javascript/ql/lib/semmle/javascript/Promises.qll
@@ -727,7 +727,7 @@ module Promisify {
     PromisifyAllCall() {
       this =
         [
-          DataFlow::moduleMember("bluebird", "promisifyAll"),
+          DataFlow::moduleMember(["bluebird", "@google-cloud/promisify"], "promisifyAll"),
           DataFlow::moduleMember("thenify-all", "withCallback"),
           DataFlow::moduleImport(["util-promisifyall", "pify", "thenify-all"])
         ].getACall()
@@ -747,6 +747,8 @@ module Promisify {
       this = DataFlow::moduleImport("thenify").getACall()
       or
       this = DataFlow::moduleMember("thenify", "withCallback").getACall()
+      or
+      this = DataFlow::moduleMember("@google-cloud/promisify", "promisify").getACall()
     }
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected
@@ -90,6 +90,11 @@
 | promisification.js:102:27:102:30 | code | promisification.js:99:18:99:25 | req.body | promisification.js:102:27:102:30 | code | This command line depends on a $@. | promisification.js:99:18:99:25 | req.body | user-provided value |
 | promisification.js:106:24:106:27 | code | promisification.js:99:18:99:25 | req.body | promisification.js:106:24:106:27 | code | This command line depends on a $@. | promisification.js:99:18:99:25 | req.body | user-provided value |
 | promisification.js:109:24:109:27 | code | promisification.js:99:18:99:25 | req.body | promisification.js:109:24:109:27 | code | This command line depends on a $@. | promisification.js:99:18:99:25 | req.body | user-provided value |
+| promisification.js:144:21:144:24 | code | promisification.js:141:18:141:25 | req.body | promisification.js:144:21:144:24 | code | This command line depends on a $@. | promisification.js:141:18:141:25 | req.body | user-provided value |
+| promisification.js:147:15:147:18 | code | promisification.js:141:18:141:25 | req.body | promisification.js:147:15:147:18 | code | This command line depends on a $@. | promisification.js:141:18:141:25 | req.body | user-provided value |
+| promisification.js:150:24:150:27 | code | promisification.js:141:18:141:25 | req.body | promisification.js:150:24:150:27 | code | This command line depends on a $@. | promisification.js:141:18:141:25 | req.body | user-provided value |
+| promisification.js:151:28:151:31 | code | promisification.js:141:18:141:25 | req.body | promisification.js:151:28:151:31 | code | This command line depends on a $@. | promisification.js:141:18:141:25 | req.body | user-provided value |
+| promisification.js:152:25:152:28 | code | promisification.js:141:18:141:25 | req.body | promisification.js:152:25:152:28 | code | This command line depends on a $@. | promisification.js:141:18:141:25 | req.body | user-provided value |
 | third-party-command-injection.js:6:21:6:27 | command | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | This command line depends on a $@. | third-party-command-injection.js:5:20:5:26 | command | user-provided value |
 edges
 | actions.js:8:9:8:13 | title | actions.js:9:16:9:20 | title | provenance |  |
@@ -278,6 +283,12 @@ edges
 | promisification.js:99:11:99:14 | code | promisification.js:106:24:106:27 | code | provenance |  |
 | promisification.js:99:11:99:14 | code | promisification.js:109:24:109:27 | code | provenance |  |
 | promisification.js:99:18:99:25 | req.body | promisification.js:99:11:99:14 | code | provenance |  |
+| promisification.js:141:11:141:14 | code | promisification.js:144:21:144:24 | code | provenance |  |
+| promisification.js:141:11:141:14 | code | promisification.js:147:15:147:18 | code | provenance |  |
+| promisification.js:141:11:141:14 | code | promisification.js:150:24:150:27 | code | provenance |  |
+| promisification.js:141:11:141:14 | code | promisification.js:151:28:151:31 | code | provenance |  |
+| promisification.js:141:11:141:14 | code | promisification.js:152:25:152:28 | code | provenance |  |
+| promisification.js:141:18:141:25 | req.body | promisification.js:141:11:141:14 | code | provenance |  |
 | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | provenance |  |
 nodes
 | actions.js:8:9:8:13 | title | semmle.label | title |
@@ -479,6 +490,13 @@ nodes
 | promisification.js:102:27:102:30 | code | semmle.label | code |
 | promisification.js:106:24:106:27 | code | semmle.label | code |
 | promisification.js:109:24:109:27 | code | semmle.label | code |
+| promisification.js:141:11:141:14 | code | semmle.label | code |
+| promisification.js:141:18:141:25 | req.body | semmle.label | req.body |
+| promisification.js:144:21:144:24 | code | semmle.label | code |
+| promisification.js:147:15:147:18 | code | semmle.label | code |
+| promisification.js:150:24:150:27 | code | semmle.label | code |
+| promisification.js:151:28:151:31 | code | semmle.label | code |
+| promisification.js:152:25:152:28 | code | semmle.label | code |
 | third-party-command-injection.js:5:20:5:26 | command | semmle.label | command |
 | third-party-command-injection.js:6:21:6:27 | command | semmle.label | command |
 subpaths
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/promisification.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/promisification.js
@@ -138,16 +138,16 @@ app.post('/eval', async (req, res) => {
 
 app.post('/eval', async (req, res) => {
     const {promisify, promisifyAll} = require('@google-cloud/promisify');
-    const code = req.body; // $ MISSING: Source
+    const code = req.body; // $ Source
 
     const promisifiedExec = promisify(cp.exec);
-    promisifiedExec(code); // $ MISSING: Alert
+    promisifiedExec(code); // $ Alert
 
     const execAsync = promisify(cp.exec.bind(cp));
-    execAsync(code); // $ MISSING: Alert
+    execAsync(code); // $ Alert
 
     const promisifiedCp = promisifyAll(cp);
-    promisifiedCp.exec(code); // $ MISSING: Alert
-    promisifiedCp.execFile(code); // $ MISSING: Alert
-    promisifiedCp.spawn(code); // $ MISSING: Alert
+    promisifiedCp.exec(code); // $ Alert
+    promisifiedCp.execFile(code); // $ Alert
+    promisifiedCp.spawn(code); // $ Alert
 });

Original file line number	Diff line number	Diff line change
`@@ -727,7 +727,7 @@ module Promisify {`
`727`	`727`	`PromisifyAllCall() {`
`728`	`728`	`this =`
`729`	`729`	`[`
`730`		`- DataFlow::moduleMember("bluebird", "promisifyAll"),`
	`730`	`+ DataFlow::moduleMember(["bluebird", "@google-cloud/promisify"], "promisifyAll"),`
`731`	`731`	`DataFlow::moduleMember("thenify-all", "withCallback"),`
`732`	`732`	`DataFlow::moduleImport(["util-promisifyall", "pify", "thenify-all"])`
`733`	`733`	`].getACall()`
`@@ -747,6 +747,8 @@ module Promisify {`
`747`	`747`	`this = DataFlow::moduleImport("thenify").getACall()`
`748`	`748`	`or`
`749`	`749`	`this = DataFlow::moduleMember("thenify", "withCallback").getACall()`
	`750`	`+ or`
	`751`	`+ this = DataFlow::moduleMember("@google-cloud/promisify", "promisify").getACall()`
`750`	`752`	`}`
`751`	`753`	`}`
`752`	`754`	`}`