recognize utility functions implementing a StartsWith check

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

@@ -1654,6 +1654,33 @@ nodes
 | normalizedPaths.js:346:19:346:22 | path |
 | normalizedPaths.js:346:19:346:22 | path |
 | normalizedPaths.js:346:19:346:22 | path |
+| normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:354:14:354:27 | req.query.path |
+| normalizedPaths.js:354:14:354:27 | req.query.path |
+| normalizedPaths.js:354:14:354:27 | req.query.path |
+| normalizedPaths.js:354:14:354:27 | req.query.path |
+| normalizedPaths.js:354:14:354:27 | req.query.path |
+| normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:358:7:358:51 | requestPath |
+| normalizedPaths.js:358:7:358:51 | requestPath |
+| normalizedPaths.js:358:7:358:51 | requestPath |
+| normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
+| normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
+| normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
+| normalizedPaths.js:358:47:358:50 | path |
+| normalizedPaths.js:358:47:358:50 | path |
+| normalizedPaths.js:358:47:358:50 | path |
+| normalizedPaths.js:363:21:363:31 | requestPath |
+| normalizedPaths.js:363:21:363:31 | requestPath |
+| normalizedPaths.js:363:21:363:31 | requestPath |
+| normalizedPaths.js:363:21:363:31 | requestPath |
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
@@ -4582,6 +4609,37 @@ edges
 | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
 | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
 | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
+| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
+| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:358:47:358:50 | path |
+| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:358:47:358:50 | path |
+| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:358:47:358:50 | path |
+| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
+| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
+| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
+| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
+| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
+| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
+| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
+| normalizedPaths.js:358:21:358:51 | pathMod ... , path) | normalizedPaths.js:358:7:358:51 | requestPath |
+| normalizedPaths.js:358:21:358:51 | pathMod ... , path) | normalizedPaths.js:358:7:358:51 | requestPath |
+| normalizedPaths.js:358:21:358:51 | pathMod ... , path) | normalizedPaths.js:358:7:358:51 | requestPath |
+| normalizedPaths.js:358:47:358:50 | path | normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
+| normalizedPaths.js:358:47:358:50 | path | normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
+| normalizedPaths.js:358:47:358:50 | path | normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") |
@@ -5464,6 +5522,8 @@ edges
 | normalizedPaths.js:332:19:332:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:332:19:332:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:303:13:303:26 | req.query.path | a user-provided value |
 | normalizedPaths.js:341:18:341:21 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:341:18:341:21 | path | This path depends on $@. | normalizedPaths.js:339:32:339:45 | req.query.path | a user-provided value |
 | normalizedPaths.js:346:19:346:22 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:346:19:346:22 | path | This path depends on $@. | normalizedPaths.js:339:32:339:45 | req.query.path | a user-provided value |
+| normalizedPaths.js:356:19:356:22 | path | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:356:19:356:22 | path | This path depends on $@. | normalizedPaths.js:354:14:354:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:363:21:363:31 | requestPath | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:363:21:363:31 | requestPath | This path depends on $@. | normalizedPaths.js:354:14:354:27 | req.query.path | a user-provided value |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js

@@ -347,4 +347,27 @@ app.get('/yet-another-prefix', (req, res) => {
 		return;
     }
 	fs.readFileSync(path); // OK
+});
+
+var rootPath = process.cwd();
+app.get('/yet-another-prefix2', (req, res) => {
+  let path = req.query.path;
+
+  fs.readFileSync(path); // NOT OK
+
+  var requestPath = pathModule.join(rootPath, path);
+
+  var targetPath;
+  if (!allowPath(requestPath, rootPath)) {
+    targetPath = rootPath;
+    fs.readFileSync(requestPath); // NOT OK
+  } else {
+    targetPath = requestPath;
+    fs.readFileSync(requestPath); // OK
+  }
+  fs.readFileSync(targetPath); // OK
+
+  function allowPath(requestPath, rootPath) {
+    return requestPath.indexOf(rootPath) === 0;
+  }
 });