From dc02288bdebc1bb41981e64eb3c8e473cc019a2a Mon Sep 17 00:00:00 2001
From: Riya
Date: Wed, 21 Jun 2023 15:26:20 +0530
Subject: [PATCH 1/5] Add compliant and noncompliant examples of code-injection@v1.0
---
 .../code_injection/code_injection.js | 38 ++++++++-----------
 1 file changed, 15 insertions(+), 23 deletions(-)
diff --git a/src/javascript/detectors/code_injection/code_injection.js b/src/javascript/detectors/code_injection/code_injection.js
index 5230f0e..0ae9c56 100644
--- a/src/javascript/detectors/code_injection/code_injection.js
+++ b/src/javascript/detectors/code_injection/code_injection.js
@@ -6,17 +6,14 @@
 // {fact rule=code-injection@v1.0 defects=1}
 var express = require('express')
 var app = express()
-var vm = require('vm')
+var exec = require("child_process")
 function codeInjectionNoncompliant() {
- app.get('/perform/:action', (req, res) => {
- const sandbox = {
- actionToPerform: req.params.action
- }
- const code = 'performAction(sandbox.actionToPerform)'
- vm.createContext(sandbox)
- // Noncompliant: user-supplied input evaluated as a script.
- vm.runInContext(code, sandbox)
- res.send('Action performed successfully!')
+ app.get('/perform/action', (req, res) => {
+ const command = req.query.command
+ // Noncompliant: passing user-supplied parameters directly into the shell command.
+ exec(command, (error, stdout, stderr) => {
+ console.log(stdout)
+ });
 })
 }
 // {/fact}
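Review bot: The added line `var exec = require("child_process")` binds the whole module object, not the `exec` function, so the `exec(command, …)` call in this hunk throws `TypeError: exec is not a function` before any shell is ever spawned. That makes the noncompliant fixture unable to demonstrate the injection it is labelled with, and the same line is carried unchanged as context through 5/5. It should read `var exec = require("child_process").exec` (or `const { exec } = require('child_process')`) in both fact blocks. The callback also only logs `stdout` and never answers the request, which later patches fix with `res.send(stdout)`.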
@@ -25,21 +22,16 @@ function codeInjectionNoncompliant() {
 // {fact rule=code-injection@v1.0 defects=0}
 var express = require('express')
 var app = express()
-var vm = require('vm')
+var exec = require("child_process")
 function codeInjectionCompliant() {
- app.get('/perform/:action', (req, res) => {
- const sandbox = {
- actionToPerform: req.params.action
- }
- const code = 'performAction(sandbox.actionToPerform)'
- vm.createContext(sandbox)
- // Compliant: user-supplied parameter must be in allow-list to be evaluated.
- if(sandbox.actionToPerform.match(/^pull|fetch|add|commit$/)) {
- vm.runInContext(code, sandbox)
- res.send('Action performed successfully!')
+ app.get('/perform/action', (req, res) => {
+ const command = req.query.command
+ // Compliant: validating user-supplied command before passing them into the shell command.
+ if ( command.indexOf("rm") == -1 ) {
+ exec(command, (error, stdout, stderr) => {
+ console.log(stdout)
+ });
 }
- else
- res.send('Invalid action')
 })
 }
 // {/fact}
\ No newline at end of file
From 3a6f7a8d310c05cd2045257165720bcdcf0a8110 Mon Sep 17 00:00:00 2001
From: Riya
Date: Thu, 22 Jun 2023 14:19:00 +0530
Subject: [PATCH 2/5] Add compliant and noncompliant examples of javascript/code-injection@v1.0
---
 .../code_injection/code_injection.js | 28 ++++++++++++-------
 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/src/javascript/detectors/code_injection/code_injection.js b/src/javascript/detectors/code_injection/code_injection.js
index 0ae9c56..16f27b0 100644
--- a/src/javascript/detectors/code_injection/code_injection.js
+++ b/src/javascript/detectors/code_injection/code_injection.js
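Review bot: The check `if ( command.indexOf("rm") == -1 )` that this hunk labels "Compliant" is a substring denylist: every user-supplied string that does not contain those two characters is still handed to the shell verbatim, so the example does not actually mitigate the injection. `command.indexOf` also throws when the `command` query parameter is absent, and the rejected branch sends no response, so that request hangs. Patch 2/5 replaces this with an allow-list and an `else` response; since this intermediate state would otherwise sit in history as a "compliant" denylist, I would squash 1/5 into 2/5 rather than fix it here.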
@@ -8,12 +8,13 @@ var express = require('express')
 var app = express()
 var exec = require("child_process")
 function codeInjectionNoncompliant() {
- app.get('/perform/action', (req, res) => {
+ app.get('/read/logfile', (req, res) => {
 const command = req.query.command
- // Noncompliant: passing user-supplied parameters directly into the shell command.
- exec(command, (error, stdout, stderr) => {
- console.log(stdout)
- });
+ const parameters = req.query.parameters
+ // Noncompliant: passing user-supplied parameters into the shell command.
+ exec(command + " " + parameters + " ./logfile.txt" , (error, stdout, stderr) => {
+ res.send(stdout)
+ })
 })
 }
 // {/fact}
@@ -24,13 +25,20 @@
 var app = express()
 var exec = require("child_process")
 function codeInjectionCompliant() {
- app.get('/perform/action', (req, res) => {
+ app.get('/read/logfile', (req, res) => {
 const command = req.query.command
+ const parameters = req.query.parameters
+
+ const allowedList = ['head', 'tail']
+ const allowedParameters = ['-n', '-c']
+
 // Compliant: validating user-supplied command before passing them into the shell command.
- if ( command.indexOf("rm") == -1 ) {
- exec(command, (error, stdout, stderr) => {
- console.log(stdout)
- });
+ if ( allowedList.indexOf(command) != -1 && allowedParameters.indexOf(parameters) != -1) {
+ exec(command + " " + parameters + " ./logfile.txt" , (error, stdout, stderr) => {
+ res.send(stdout)
+ })
+ } else {
+ res.send('Invalid action')
 }
 })
 }
From e75ea93480c543f1966e4effa6d7e6973f47a07c Mon Sep 17 00:00:00 2001
From: Riya
Date: Thu, 22 Jun 2023 15:28:18 +0530
Subject: [PATCH 3/5] Add compliant and noncompliant examples of javascript/code-injection@v1.0
---
 .../detectors/code_injection/code_injection.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
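Review bot: The compliant example in the second hunk still builds a shell string, `exec(command + " " + parameters + " ./logfile.txt", …)`, and hands it to `exec`, which is the exact sink the rule is about; the allow-list makes it safe only because every accepted value happens to be shell-inert, and a later edit to `allowedParameters` silently reopens the hole. The idiomatic fix is to stop invoking a shell at all and pass the validated values as an argv array through `execFile` (with `var execFile = require("child_process").execFile` on the require line), and to check `error` instead of returning an empty 200 when the command fails. If the fixture deliberately needs an `exec` sink on the compliant path so the detector can recognise the sanitizer, that intent belongs in the comment. `allowedList.indexOf(command) != -1` would also read better as `allowedList.includes(command)`.
```javascript
  if (allowedList.includes(command) && allowedParameters.includes(parameters)) {
    // argv array, no shell: the allow-listed values are passed as separate arguments
    execFile(command, [parameters, './logfile.txt'], (error, stdout) => {
      if (error) {
        return res.status(500).send('Command failed')
      }
      res.send(stdout)
    })
  } else {
    res.send('Invalid action')
  }
```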
diff --git a/src/javascript/detectors/code_injection/code_injection.js b/src/javascript/detectors/code_injection/code_injection.js
index 16f27b0..ff20fdd 100644
--- a/src/javascript/detectors/code_injection/code_injection.js
+++ b/src/javascript/detectors/code_injection/code_injection.js
@@ -27,17 +27,19 @@ var exec = require("child_process")
 function codeInjectionCompliant() {
 app.get('/read/logfile', (req, res) => {
 const command = req.query.command
- const parameters = req.query.parameters
+ const parameter = req.query.parameter
+ const lines = req.query.lines
 
- const allowedList = ['head', 'tail']
+ const allowedCommands = ['head', 'tail']
 const allowedParameters = ['-n', '-c']
 
 // Compliant: validating user-supplied command before passing them into the shell command.
- if ( allowedList.indexOf(command) != -1 && allowedParameters.indexOf(parameters) != -1) {
- exec(command + " " + parameters + " ./logfile.txt" , (error, stdout, stderr) => {
+ if ( allowedCommands.indexOf(command) != -1 && allowedParameters.indexOf(parameter) != -1 && !isNaN(lines)) {
+ exec(command + " " + parameter + " " + lines + " ./logfile.txt" , (error, stdout, stderr) => {
 res.send(stdout)
 })
- } else {
+ }
+ else {
 res.send('Invalid action')
 }
 })
From 82abdc6b02f12a57b38c3da5b62f29568bd74a00 Mon Sep 17 00:00:00 2001
From: Riya
Date: Thu, 22 Jun 2023 15:35:53 +0530
Subject: [PATCH 4/5] Add compliant and noncompliant examples of javascript/code-injection@v1.0
---
 src/javascript/detectors/code_injection/code_injection.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/javascript/detectors/code_injection/code_injection.js b/src/javascript/detectors/code_injection/code_injection.js
index ff20fdd..eff90de 100644
--- a/src/javascript/detectors/code_injection/code_injection.js
+++ b/src/javascript/detectors/code_injection/code_injection.js
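Review bot: The new `!isNaN(lines)` guard is too loose for a value that is then concatenated into a shell string: the global `isNaN` coerces first, so `""`, `" "`, `"0x10"`, `"1e9"`, `"-5"` and a number wrapped in whitespace (including a newline, which `Number()` trims but the shell treats as a command separator) all pass, and depending on the query parser `req.query.lines` may be an array such as `["5"]`, which also passes. The allow-list pattern used for the other two inputs should apply here too: `const isLineCount = typeof lines === 'string' && /^\d{1,6}$/.test(lines)` and then `… && isLineCount` in the condition, so only a plain decimal integer ever reaches the command string. The `else` split onto its own line is a style change that is inconsistent with the `} else {` form the file used before this patch.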
@@ -10,9 +10,10 @@ var exec = require("child_process")
 function codeInjectionNoncompliant() {
 app.get('/read/logfile', (req, res) => {
 const command = req.query.command
- const parameters = req.query.parameters
- // Noncompliant: passing user-supplied parameters into the shell command.
- exec(command + " " + parameters + " ./logfile.txt" , (error, stdout, stderr) => {
+ const parameter = req.query.parameter
+ const lines = req.query.lines
+ // Noncompliant: passing user-supplied datas into the shell command.
+ exec(command + " " + parameter + " " + lines + " ./logfile.txt" , (error, stdout, stderr) => {
 res.send(stdout)
 })
 })
From 1e3fcc0bd542d208e3acf22f3b770e46c2a8d84f Mon Sep 17 00:00:00 2001
From: Riya
Date: Thu, 22 Jun 2023 15:37:09 +0530
Subject: [PATCH 5/5] Add compliant and noncompliant examples of javascript/code-injection@v1.0
---
 src/javascript/detectors/code_injection/code_injection.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/javascript/detectors/code_injection/code_injection.js b/src/javascript/detectors/code_injection/code_injection.js
index eff90de..0d61318 100644
--- a/src/javascript/detectors/code_injection/code_injection.js
+++ b/src/javascript/detectors/code_injection/code_injection.js
@@ -34,7 +34,7 @@ function codeInjectionCompliant() {
 const allowedCommands = ['head', 'tail']
 const allowedParameters = ['-n', '-c']
 
- // Compliant: validating user-supplied command before passing them into the shell command.
+ // Compliant: validating user-supplied datas before passing them into the shell command.
 if ( allowedCommands.indexOf(command) != -1 && allowedParameters.indexOf(parameter) != -1 && !isNaN(lines)) {
 exec(command + " " + parameter + " " + lines + " ./logfile.txt" , (error, stdout, stderr) => {
 res.send(stdout)
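Review bot: The rewritten comment in the last hunk, `// Compliant: validating user-supplied datas before passing them into the shell command.`, uses "datas", which is not an English word, and it still does not say what makes the example compliant, which is the point a reader of a detector fixture needs. I would write `// Compliant: command and flag are checked against fixed allow-lists and the line count is validated before the shell command is built.` The same wording slip was introduced in the noncompliant comment in 4/5 (`user-supplied datas`) and should be fixed alongside it. In the surrounding context the `error` argument of the `exec` callback is still ignored, so a failed command answers with an empty 200; that is outside this one-line change but worth addressing before the series lands.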