JS: address copilot suggestions

Napalys · Napalys · commit 0902ca0605de · 2025-06-24T11:37:07.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected
@@ -33,25 +33,24 @@
 | execa.js:23:17:23:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:23:17:23:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
 | execa.js:24:17:24:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:24:17:24:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
 | execa.js:25:17:25:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:25:17:25:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:26:17:26:19 | cmd | execa.js:6:25:6:31 | req.url | execa.js:26:17:26:19 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:27:15:27:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:27:15:27:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
 | execa.js:28:15:28:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:28:15:28:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:29:15:29:17 | cmd | execa.js:6:25:6:31 | req.url | execa.js:29:15:29:17 | cmd | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:30:24:30:47 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:30:24:30:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:30:24:30:47 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:30:24:30:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
+| execa.js:30:24:30:47 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:30:24:30:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
+| execa.js:30:24:30:47 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:30:24:30:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
 | execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
 | execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
 | execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
 | execa.js:31:24:31:47 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:31:24:31:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
-| execa.js:32:24:32:47 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:32:24:32:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:32:24:32:47 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:32:24:32:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
-| execa.js:32:24:32:47 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:32:24:32:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
-| execa.js:32:24:32:47 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:32:24:32:47 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
+| execa.js:33:22:33:45 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:33:22:33:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
+| execa.js:33:22:33:45 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:33:22:33:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
+| execa.js:33:22:33:45 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:33:22:33:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
+| execa.js:33:22:33:45 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:33:22:33:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
 | execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
 | execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
 | execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
 | execa.js:34:22:34:45 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:34:22:34:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
-| execa.js:35:22:35:45 | cmd + a ...  + arg3 | execa.js:6:25:6:31 | req.url | execa.js:35:22:35:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:6:25:6:31 | req.url | user-provided value |
-| execa.js:35:22:35:45 | cmd + a ...  + arg3 | execa.js:7:26:7:32 | req.url | execa.js:35:22:35:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:7:26:7:32 | req.url | user-provided value |
-| execa.js:35:22:35:45 | cmd + a ...  + arg3 | execa.js:8:26:8:32 | req.url | execa.js:35:22:35:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:8:26:8:32 | req.url | user-provided value |
-| execa.js:35:22:35:45 | cmd + a ...  + arg3 | execa.js:9:26:9:32 | req.url | execa.js:35:22:35:45 | cmd + a ...  + arg3 | This command line depends on a $@. | execa.js:9:26:9:32 | req.url | user-provided value |
 | form-parsers.js:9:8:9:39 | "touch  ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch  ... nalname | This command line depends on a $@. | form-parsers.js:9:19:9:26 | req.file | user-provided value |
 | form-parsers.js:14:10:14:37 | "touch  ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch  ... nalname | This command line depends on a $@. | form-parsers.js:13:3:13:11 | req.files | user-provided value |
 | form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command line depends on a $@. | form-parsers.js:24:48:24:55 | filename | user-provided value |
@@ -149,49 +148,48 @@ edges
 | execa.js:6:9:6:54 | cmd | execa.js:23:17:23:19 | cmd | provenance |  |
 | execa.js:6:9:6:54 | cmd | execa.js:24:17:24:19 | cmd | provenance |  |
 | execa.js:6:9:6:54 | cmd | execa.js:25:17:25:19 | cmd | provenance |  |
-| execa.js:6:9:6:54 | cmd | execa.js:26:17:26:19 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:27:15:27:17 | cmd | provenance |  |
 | execa.js:6:9:6:54 | cmd | execa.js:28:15:28:17 | cmd | provenance |  |
-| execa.js:6:9:6:54 | cmd | execa.js:29:15:29:17 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:30:24:30:26 | cmd | provenance |  |
 | execa.js:6:9:6:54 | cmd | execa.js:31:24:31:26 | cmd | provenance |  |
-| execa.js:6:9:6:54 | cmd | execa.js:32:24:32:26 | cmd | provenance |  |
+| execa.js:6:9:6:54 | cmd | execa.js:33:22:33:24 | cmd | provenance |  |
 | execa.js:6:9:6:54 | cmd | execa.js:34:22:34:24 | cmd | provenance |  |
-| execa.js:6:9:6:54 | cmd | execa.js:35:22:35:24 | cmd | provenance |  |
 | execa.js:6:15:6:38 | url.par ... , true) | execa.js:6:9:6:54 | cmd | provenance |  |
 | execa.js:6:25:6:31 | req.url | execa.js:6:15:6:38 | url.par ... , true) | provenance |  |
+| execa.js:7:9:7:53 | arg1 | execa.js:30:30:30:33 | arg1 | provenance |  |
 | execa.js:7:9:7:53 | arg1 | execa.js:31:30:31:33 | arg1 | provenance |  |
-| execa.js:7:9:7:53 | arg1 | execa.js:32:30:32:33 | arg1 | provenance |  |
+| execa.js:7:9:7:53 | arg1 | execa.js:33:28:33:31 | arg1 | provenance |  |
 | execa.js:7:9:7:53 | arg1 | execa.js:34:28:34:31 | arg1 | provenance |  |
-| execa.js:7:9:7:53 | arg1 | execa.js:35:28:35:31 | arg1 | provenance |  |
 | execa.js:7:16:7:39 | url.par ... , true) | execa.js:7:9:7:53 | arg1 | provenance |  |
 | execa.js:7:26:7:32 | req.url | execa.js:7:16:7:39 | url.par ... , true) | provenance |  |
+| execa.js:8:9:8:53 | arg2 | execa.js:30:37:30:40 | arg2 | provenance |  |
 | execa.js:8:9:8:53 | arg2 | execa.js:31:37:31:40 | arg2 | provenance |  |
-| execa.js:8:9:8:53 | arg2 | execa.js:32:37:32:40 | arg2 | provenance |  |
+| execa.js:8:9:8:53 | arg2 | execa.js:33:35:33:38 | arg2 | provenance |  |
 | execa.js:8:9:8:53 | arg2 | execa.js:34:35:34:38 | arg2 | provenance |  |
-| execa.js:8:9:8:53 | arg2 | execa.js:35:35:35:38 | arg2 | provenance |  |
 | execa.js:8:16:8:39 | url.par ... , true) | execa.js:8:9:8:53 | arg2 | provenance |  |
 | execa.js:8:26:8:32 | req.url | execa.js:8:16:8:39 | url.par ... , true) | provenance |  |
+| execa.js:9:9:9:53 | arg3 | execa.js:30:44:30:47 | arg3 | provenance |  |
 | execa.js:9:9:9:53 | arg3 | execa.js:31:44:31:47 | arg3 | provenance |  |
-| execa.js:9:9:9:53 | arg3 | execa.js:32:44:32:47 | arg3 | provenance |  |
+| execa.js:9:9:9:53 | arg3 | execa.js:33:42:33:45 | arg3 | provenance |  |
 | execa.js:9:9:9:53 | arg3 | execa.js:34:42:34:45 | arg3 | provenance |  |
-| execa.js:9:9:9:53 | arg3 | execa.js:35:42:35:45 | arg3 | provenance |  |
 | execa.js:9:16:9:39 | url.par ... , true) | execa.js:9:9:9:53 | arg3 | provenance |  |
 | execa.js:9:26:9:32 | req.url | execa.js:9:16:9:39 | url.par ... , true) | provenance |  |
+| execa.js:30:24:30:26 | cmd | execa.js:30:24:30:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:30:30:30:33 | arg1 | execa.js:30:24:30:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:30:37:30:40 | arg2 | execa.js:30:24:30:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:30:44:30:47 | arg3 | execa.js:30:24:30:47 | cmd + a ...  + arg3 | provenance |  |
 | execa.js:31:24:31:26 | cmd | execa.js:31:24:31:47 | cmd + a ...  + arg3 | provenance |  |
 | execa.js:31:30:31:33 | arg1 | execa.js:31:24:31:47 | cmd + a ...  + arg3 | provenance |  |
 | execa.js:31:37:31:40 | arg2 | execa.js:31:24:31:47 | cmd + a ...  + arg3 | provenance |  |
 | execa.js:31:44:31:47 | arg3 | execa.js:31:24:31:47 | cmd + a ...  + arg3 | provenance |  |
-| execa.js:32:24:32:26 | cmd | execa.js:32:24:32:47 | cmd + a ...  + arg3 | provenance |  |
-| execa.js:32:30:32:33 | arg1 | execa.js:32:24:32:47 | cmd + a ...  + arg3 | provenance |  |
-| execa.js:32:37:32:40 | arg2 | execa.js:32:24:32:47 | cmd + a ...  + arg3 | provenance |  |
-| execa.js:32:44:32:47 | arg3 | execa.js:32:24:32:47 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:33:22:33:24 | cmd | execa.js:33:22:33:45 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:33:28:33:31 | arg1 | execa.js:33:22:33:45 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:33:35:33:38 | arg2 | execa.js:33:22:33:45 | cmd + a ...  + arg3 | provenance |  |
+| execa.js:33:42:33:45 | arg3 | execa.js:33:22:33:45 | cmd + a ...  + arg3 | provenance |  |
 | execa.js:34:22:34:24 | cmd | execa.js:34:22:34:45 | cmd + a ...  + arg3 | provenance |  |
 | execa.js:34:28:34:31 | arg1 | execa.js:34:22:34:45 | cmd + a ...  + arg3 | provenance |  |
 | execa.js:34:35:34:38 | arg2 | execa.js:34:22:34:45 | cmd + a ...  + arg3 | provenance |  |
 | execa.js:34:42:34:45 | arg3 | execa.js:34:22:34:45 | cmd + a ...  + arg3 | provenance |  |
-| execa.js:35:22:35:24 | cmd | execa.js:35:22:35:45 | cmd + a ...  + arg3 | provenance |  |
-| execa.js:35:28:35:31 | arg1 | execa.js:35:22:35:45 | cmd + a ...  + arg3 | provenance |  |
-| execa.js:35:35:35:38 | arg2 | execa.js:35:22:35:45 | cmd + a ...  + arg3 | provenance |  |
-| execa.js:35:42:35:45 | arg3 | execa.js:35:22:35:45 | cmd + a ...  + arg3 | provenance |  |
 | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch  ... nalname | provenance |  |
 | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:13:21:13:24 | file | provenance |  |
 | form-parsers.js:13:21:13:24 | file | form-parsers.js:14:21:14:24 | file | provenance |  |
@@ -317,29 +315,28 @@ nodes
 | execa.js:23:17:23:19 | cmd | semmle.label | cmd |
 | execa.js:24:17:24:19 | cmd | semmle.label | cmd |
 | execa.js:25:17:25:19 | cmd | semmle.label | cmd |
-| execa.js:26:17:26:19 | cmd | semmle.label | cmd |
+| execa.js:27:15:27:17 | cmd | semmle.label | cmd |
 | execa.js:28:15:28:17 | cmd | semmle.label | cmd |
-| execa.js:29:15:29:17 | cmd | semmle.label | cmd |
+| execa.js:30:24:30:26 | cmd | semmle.label | cmd |
+| execa.js:30:24:30:47 | cmd + a ...  + arg3 | semmle.label | cmd + a ...  + arg3 |
+| execa.js:30:30:30:33 | arg1 | semmle.label | arg1 |
+| execa.js:30:37:30:40 | arg2 | semmle.label | arg2 |
+| execa.js:30:44:30:47 | arg3 | semmle.label | arg3 |
 | execa.js:31:24:31:26 | cmd | semmle.label | cmd |
 | execa.js:31:24:31:47 | cmd + a ...  + arg3 | semmle.label | cmd + a ...  + arg3 |
 | execa.js:31:30:31:33 | arg1 | semmle.label | arg1 |
 | execa.js:31:37:31:40 | arg2 | semmle.label | arg2 |
 | execa.js:31:44:31:47 | arg3 | semmle.label | arg3 |
-| execa.js:32:24:32:26 | cmd | semmle.label | cmd |
-| execa.js:32:24:32:47 | cmd + a ...  + arg3 | semmle.label | cmd + a ...  + arg3 |
-| execa.js:32:30:32:33 | arg1 | semmle.label | arg1 |
-| execa.js:32:37:32:40 | arg2 | semmle.label | arg2 |
-| execa.js:32:44:32:47 | arg3 | semmle.label | arg3 |
+| execa.js:33:22:33:24 | cmd | semmle.label | cmd |
+| execa.js:33:22:33:45 | cmd + a ...  + arg3 | semmle.label | cmd + a ...  + arg3 |
+| execa.js:33:28:33:31 | arg1 | semmle.label | arg1 |
+| execa.js:33:35:33:38 | arg2 | semmle.label | arg2 |
+| execa.js:33:42:33:45 | arg3 | semmle.label | arg3 |
 | execa.js:34:22:34:24 | cmd | semmle.label | cmd |
 | execa.js:34:22:34:45 | cmd + a ...  + arg3 | semmle.label | cmd + a ...  + arg3 |
 | execa.js:34:28:34:31 | arg1 | semmle.label | arg1 |
 | execa.js:34:35:34:38 | arg2 | semmle.label | arg2 |
 | execa.js:34:42:34:45 | arg3 | semmle.label | arg3 |
-| execa.js:35:22:35:24 | cmd | semmle.label | cmd |
-| execa.js:35:22:35:45 | cmd + a ...  + arg3 | semmle.label | cmd + a ...  + arg3 |
-| execa.js:35:28:35:31 | arg1 | semmle.label | arg1 |
-| execa.js:35:35:35:38 | arg2 | semmle.label | arg2 |
-| execa.js:35:42:35:45 | arg3 | semmle.label | arg3 |
 | form-parsers.js:9:8:9:39 | "touch  ... nalname | semmle.label | "touch  ... nalname |
 | form-parsers.js:9:19:9:26 | req.file | semmle.label | req.file |
 | form-parsers.js:13:3:13:11 | req.files | semmle.label | req.files |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execa.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execa.js
@@ -16,13 +16,12 @@ http.createServer(async function (req, res) {
 
     $.sync`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
     $.sync`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
-    await $({ shell: true })`${cmd} ${arg1} ${arg2} ${arg3}` // $Alert
-    await $({ shell: false })`${cmd} ${arg1} ${arg2} ${arg3}` // $Alert
-    await $({ shell: false })`ssh ${arg1} ${arg2} ${arg3}` // safely escapes variables, preventing shell injection.
+    await $({ shell: true })`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    await $({ shell: false })`${cmd} ${arg1} ${arg2} ${arg3}`; // $Alert
+    await $({ shell: false })`ssh ${arg1} ${arg2} ${arg3}`; // safely escapes variables, preventing shell injection.
 
     await execa(cmd, [arg1, arg2, arg3]); // $Alert
     await execa(cmd, { shell: true }); // $Alert
-    await execa(cmd, { shell: true }); // $Alert
     await execa(cmd, [arg1, arg2, arg3], { shell: true }); // $Alert
 
     execaSync(cmd, [arg1, arg2, arg3]); // $Alert
