add model for multiparty

javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll

@@ -25,7 +25,7 @@ private module Busboy {
   class BusBoyRemoteFlow extends RemoteFlowSource {
     BusBoyRemoteFlow() { this = busboy().getAMemberCall("on").getABoundCallbackParameter(1, _) }
 
-    override string getSourceType() { result = "Busbuy parsed user value" }
+    override string getSourceType() { result = "parsed user value from Busbuy" }
   }
 }
 
@@ -48,5 +48,38 @@ private class FormidableRemoteFlow extends RemoteFlowSource {
     )
   }
 
-  override string getSourceType() { result = "Formidable parsed user value" }
+  override string getSourceType() { result = "parsed user value from Formidable" }
+}
+
+/**
+ * Predicates and classes modelling the `multiparty` library.
+ */
+private module Multiparty {
+  /**
+   * Gets an instance of of `Multiparty` form parser that parses a HTTP request object.
+   * The `parse` call is the method call that receives the HTTP request object.
+   */
+  private DataFlow::SourceNode form(DataFlow::MethodCallNode parse) {
+    result = DataFlow::moduleMember("multiparty", "Form").getAnInstantiation() and
+    parse = result.getAMethodCall("parse") and
+    parse.getArgument(0).asExpr() instanceof HTTP::RequestExpr
+  }
+
+  /**
+   * A source of remote flow from the `Multiparty` library.
+   */
+  class MultipartyRemoteFlow extends RemoteFlowSource {
+    MultipartyRemoteFlow() {
+      exists(DataFlow::MethodCallNode parse | exists(form(parse)) |
+        this = parse.getABoundCallbackParameter(1, any(int i | i > 0))
+      )
+      or
+      exists(DataFlow::MethodCallNode on | on = form(_).getAMethodCall("on") |
+        on.getArgument(0).mayHaveStringValue(["part", "file", "field"]) and
+        this = on.getABoundCallbackParameter(1, _)
+      )
+    }
+
+    override string getSourceType() { result = "parsed user value from Multiparty" }
+  }
 }

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected

@@ -117,6 +117,18 @@ nodes
 | form-parsers.js:41:10:41:31 | "touch  ... ds.name |
 | form-parsers.js:41:21:41:26 | fields |
 | form-parsers.js:41:21:41:31 | fields.name |
+| form-parsers.js:52:34:52:39 | fields |
+| form-parsers.js:52:34:52:39 | fields |
+| form-parsers.js:53:10:53:31 | "touch  ... ds.name |
+| form-parsers.js:53:10:53:31 | "touch  ... ds.name |
+| form-parsers.js:53:21:53:26 | fields |
+| form-parsers.js:53:21:53:31 | fields.name |
+| form-parsers.js:58:30:58:33 | part |
+| form-parsers.js:58:30:58:33 | part |
+| form-parsers.js:59:10:59:33 | "touch  ... ilename |
+| form-parsers.js:59:10:59:33 | "touch  ... ilename |
+| form-parsers.js:59:21:59:24 | part |
+| form-parsers.js:59:21:59:33 | part.filename |
 | lib/subLib/index.js:7:32:7:35 | name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -275,6 +287,16 @@ edges
 | form-parsers.js:41:21:41:26 | fields | form-parsers.js:41:21:41:31 | fields.name |
 | form-parsers.js:41:21:41:31 | fields.name | form-parsers.js:41:10:41:31 | "touch  ... ds.name |
 | form-parsers.js:41:21:41:31 | fields.name | form-parsers.js:41:10:41:31 | "touch  ... ds.name |
+| form-parsers.js:52:34:52:39 | fields | form-parsers.js:53:21:53:26 | fields |
+| form-parsers.js:52:34:52:39 | fields | form-parsers.js:53:21:53:26 | fields |
+| form-parsers.js:53:21:53:26 | fields | form-parsers.js:53:21:53:31 | fields.name |
+| form-parsers.js:53:21:53:31 | fields.name | form-parsers.js:53:10:53:31 | "touch  ... ds.name |
+| form-parsers.js:53:21:53:31 | fields.name | form-parsers.js:53:10:53:31 | "touch  ... ds.name |
+| form-parsers.js:58:30:58:33 | part | form-parsers.js:59:21:59:24 | part |
+| form-parsers.js:58:30:58:33 | part | form-parsers.js:59:21:59:24 | part |
+| form-parsers.js:59:21:59:24 | part | form-parsers.js:59:21:59:33 | part.filename |
+| form-parsers.js:59:21:59:33 | part.filename | form-parsers.js:59:10:59:33 | "touch  ... ilename |
+| form-parsers.js:59:21:59:33 | part.filename | form-parsers.js:59:10:59:33 | "touch  ... ilename |
 | lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -351,6 +373,8 @@ edges
 | form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command depends on $@. | form-parsers.js:24:48:24:55 | filename | a user-provided value |
 | form-parsers.js:36:10:36:31 | "touch  ... ds.name | form-parsers.js:35:25:35:30 | fields | form-parsers.js:36:10:36:31 | "touch  ... ds.name | This command depends on $@. | form-parsers.js:35:25:35:30 | fields | a user-provided value |
 | form-parsers.js:41:10:41:31 | "touch  ... ds.name | form-parsers.js:40:26:40:31 | fields | form-parsers.js:41:10:41:31 | "touch  ... ds.name | This command depends on $@. | form-parsers.js:40:26:40:31 | fields | a user-provided value |
+| form-parsers.js:53:10:53:31 | "touch  ... ds.name | form-parsers.js:52:34:52:39 | fields | form-parsers.js:53:10:53:31 | "touch  ... ds.name | This command depends on $@. | form-parsers.js:52:34:52:39 | fields | a user-provided value |
+| form-parsers.js:59:10:59:33 | "touch  ... ilename | form-parsers.js:58:30:58:33 | part | form-parsers.js:59:10:59:33 | "touch  ... ilename | This command depends on $@. | form-parsers.js:58:30:58:33 | part | a user-provided value |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | child_process-test.js:85:37:85:54 | req.query.fileName | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | This command depends on $@. | child_process-test.js:85:37:85:54 | req.query.fileName | a user-provided value |
 | other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js

@@ -41,3 +41,23 @@ app.post('/api/upload', (req, res, next) => {
     exec("touch " + fields.name); // NOT OK
   });
 });
+
+var multiparty = require('multiparty');
+var http = require('http');
+
+http.createServer(function (req, res) {
+  // parse a file upload
+  var form = new multiparty.Form();
+
+  form.parse(req, function (err, fields, files) {
+    exec("touch " + fields.name); // NOT OK
+  });
+
+
+  var form2 = new multiparty.Form();
+  form2.on('part', function (part) { // / file / field
+    exec("touch " + part.filename); // NOT OK
+  });
+  form2.parse(req);
+
+}).listen(8080);