JS: Add initial file threat-model support
However, as indicated by the `MISSING` annotations, we could do better.
@@ -122,6 +122,19 @@ abstract class FileSystemReadAccess extends FileSystemAccess {
|
||||
abstract DataFlow::Node getADataNode();
|
||||
}
|
||||
|
||||
/**
|
||||
* A FileSystemReadAccess seen as a ThreatModelSource.
|
||||
*/
|
||||
private class FileSystemReadAccessAsThreatModelSource extends ThreatModelSource::Range {
|
||||
FileSystemReadAccessAsThreatModelSource() {
|
||||
this = any(FileSystemReadAccess access).getADataNode()
|
||||
}
|
||||
|
||||
override string getThreatModel() { result = "file" }
|
||||
|
||||
override string getSourceType() { result = "FileSystemReadAccess" }
|
||||
}
|
||||
|
||||
/**
|
||||
* A data flow node that writes data to the file system.
|
||||
*/
|
||||
|
||||
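Review bot: The QLDoc on `FileSystemReadAccessAsThreatModelSource` only restates the class name; it should say what the class contributes and under which threat model the nodes become sources, e.g. `/** The data node of a `FileSystemReadAccess`, modelled as a `ThreatModelSource` of kind `file` so that file contents are treated as tainted when that threat model is enabled. */`. It is also worth a one-line comment on `getSourceType()` stating that the string `"FileSystemReadAccess"` is the label shown to users in the threat-model source type and must stay stable, since existing query output and test expectations would otherwise change. Elsewhere in the library the QLDoc appears to put identifiers in backticks, so matching that here would be consistent, though that convention is inferred rather than visible in this hunk. The enclosing `FileSystemReadAccess` class starts outside the hunk.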
@@ -55,3 +55,37 @@ connection.query('SELECT 1 + 1 AS solution', function (error, results, fields) {
|
||||
SINK(results[0]); // $ hasFlow
|
||||
SINK(results[0].solution); // $ hasFlow
|
||||
});
|
||||
|
||||
// ------ reading from file ------
|
||||
|
||||
// Accessing file contents using fs
|
||||
const fs = require('fs');
|
||||
fs.readFile('file.txt', 'utf8', (err, data) => { // $ MISSING: threat-source=file
|
||||
SINK(data); // $ MISSING: hasFlow
|
||||
});
|
||||
|
||||
// Accessing file contents using fs.readFileSync
|
||||
const fileContent = fs.readFileSync('file.txt', 'utf8'); // $ threat-source=file
|
||||
SINK(fileContent); // $ hasFlow
|
||||
|
||||
// Accessing file contents using fs.promises
|
||||
fs.promises.readFile('file.txt', 'utf8').then((data) => { // $ MISSING: threat-source=file
|
||||
SINK(data); // $ MISSING: hasFlow
|
||||
});
|
||||
|
||||
// Accessing file contents using fs.createReadStream
|
||||
const readStream = fs.createReadStream('file.txt');
|
||||
readStream.on('data', (chunk) => { // $ threat-source=file
|
||||
SINK(chunk); // $ hasFlow
|
||||
});
|
||||
const data = readStream.read(); // $ threat-source=file
|
||||
SINK(data); // $ hasFlow
|
||||
|
||||
// using readline
|
||||
const readline = require('readline');
|
||||
const rl_file = readline.createInterface({
|
||||
input: fs.createReadStream('file.txt') // $ MISSING: threat-source=file
|
||||
});
|
||||
rl_file.on("line", (line) => {
|
||||
SINK(line); // $ MISSING: hasFlow
|
||||
});
|
||||
|
||||
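Review bot: The new fixture mixes naming styles: `rl_file` in the readline block is snake_case while the surrounding bindings (`readStream`, `fileContent`) are camelCase, so `const rlFile = readline.createInterface({` would keep the file uniform. The name `data` is also declared at file scope for the `readStream.read()` result and then shadowed by the callback parameters of the `fs.readFile` and `fs.promises.readFile` cases, which makes the per-line `threat-source`/`hasFlow` expectations harder to read; a distinct name such as `const readData = readStream.read();` avoids that. A short comment above the readline block stating that the stream is passed inline to `createInterface` on purpose, to exercise flow through the `input` option, would explain why that case is written differently from the `createReadStream` case above it.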