hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: recognize res.sendfile root option

Browse Source
This commit is contained in:
Asger F
2018-12-14 11:12:16 +00:00
parent f84301e476
commit 0e40717358
4 changed files with 20 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
javascript/ql/src/semmle/javascript/Concepts.qll
View File

@@ -28,7 +28,15 @@ abstract class FileSystemAccess extends DataFlow::Node {
/** Gets an argument to this file system access that is interpreted as a path. */
abstract DataFlow::Node getAPathArgument();
/**
* Gets an argument to this file system access that is interpreted as a root folder
* in which the path arguments are constrained.
*
* In other words, if a root argument is provided, the underlying file access does its own
* sanitization to prevent the path arguments from traversing outside the root folder.
*/
DataFlow::Node getRootPathArgument() { none() }
}
/**

4
javascript/ql/src/semmle/javascript/frameworks/Express.qll
View File

@@ -866,6 +866,10 @@ module Express {
override DataFlow::Node getAPathArgument() {
result = DataFlow::valueNode(astNode.getArgument(0))
}
override DataFlow::Node getRootPathArgument() {
result = this.(DataFlow::CallNode).getOptionArgument(1, "root")
}
}
/**

6
javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
View File

@@ -71,7 +71,11 @@ module TaintedPath {
*/
class FsPathSink extends Sink, DataFlow::ValueNode {
FsPathSink() {
this = any(FileSystemAccess fs).getAPathArgument()
exists (FileSystemAccess fs |
this = fs.getAPathArgument() and
not exists(fs.getRootPathArgument())
or
this = fs.getRootPathArgument())
}
}

8
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected
View File

@@ -84,9 +84,7 @@ nodes
| tainted-require.js:7:19:7:37 | req.param("module") |
| tainted-sendFile.js:7:16:7:33 | req.param("gimme") |
| tainted-sendFile.js:9:16:9:33 | req.param("gimme") |
| tainted-sendFile.js:12:16:12:33 | req.param("gimme") |
| tainted-sendFile.js:14:16:14:33 | req.param("gimme") |
| tainted-sendFile.js:17:16:17:32 | req.param("file") |
| tainted-sendFile.js:17:43:17:58 | req.param("dir") |
| views.js:1:43:1:55 | req.params[0] |
edges
| TaintedPath-es6.js:7:7:7:44 | path | TaintedPath-es6.js:10:41:10:44 | path |
@@ -191,7 +189,5 @@ edges
| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | a user-provided value |
| tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | a user-provided value |
| tainted-sendFile.js:12:16:12:33 | req.param("gimme") | tainted-sendFile.js:12:16:12:33 | req.param("gimme") | tainted-sendFile.js:12:16:12:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:12:16:12:33 | req.param("gimme") | a user-provided value |
| tainted-sendFile.js:14:16:14:33 | req.param("gimme") | tainted-sendFile.js:14:16:14:33 | req.param("gimme") | tainted-sendFile.js:14:16:14:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:14:16:14:33 | req.param("gimme") | a user-provided value |
| tainted-sendFile.js:17:16:17:32 | req.param("file") | tainted-sendFile.js:17:16:17:32 | req.param("file") | tainted-sendFile.js:17:16:17:32 | req.param("file") | This path depends on $@. | tainted-sendFile.js:17:16:17:32 | req.param("file") | a user-provided value |
| tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | This path depends on $@. | tainted-sendFile.js:17:43:17:58 | req.param("dir") | a user-provided value |
| views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on $@. | views.js:1:43:1:55 | req.params[0] | a user-provided value |