use the generalized fs module in more places

Erik Krogh Kristensen
2020-05-14 20:31:00 +02:00
parent c06680a496
commit 2d675262b2
3 changed files with 30 additions and 25 deletions


@@ -306,7 +306,7 @@ module NodeJSLib {
FsFlowTarget() {
exists(DataFlow::CallNode call, string methodName |
call = DataFlow::moduleMember("fs", methodName).getACall()
call = Fs::moduleMember(methodName).getACall()
|
methodName = "realpathSync" and
tainted = call.getArgument(0) and
@@ -430,27 +430,32 @@ module NodeJSLib {
}
/**
* A member `member` from module `fs` or its drop-in replacements `graceful-fs`, `fs-extra`, `original-fs`.
* Provides predicates for working with the "fs" module and its variants as a single module.
*/
private DataFlow::SourceNode fsModuleMember(string member) {
result = fsModule(DataFlow::TypeTracker::end()).getAPropertyRead(member)
}
module Fs {
/**
* A member `member` from module `fs` or its drop-in replacements `graceful-fs`, `fs-extra`, `original-fs`.
*/
DataFlow::SourceNode moduleMember(string member) {
result = fsModule(DataFlow::TypeTracker::end()).getAPropertyRead(member)
}
private DataFlow::SourceNode fsModule(DataFlow::TypeTracker t) {
exists(string moduleName |
moduleName = "fs" or
moduleName = "graceful-fs" or
moduleName = "fs-extra" or
moduleName = "original-fs"
|
result = DataFlow::moduleImport(moduleName)
private DataFlow::SourceNode fsModule(DataFlow::TypeTracker t) {
exists(string moduleName |
moduleName = "fs" or
moduleName = "graceful-fs" or
moduleName = "fs-extra" or
moduleName = "original-fs"
|
result = DataFlow::moduleImport(moduleName)
or
// extra support for flexible names
result.asExpr().(Require).getArgument(0).mayHaveStringValue(moduleName)
) and
t.start()
or
// extra support for flexible names
result.asExpr().(Require).getArgument(0).mayHaveStringValue(moduleName)
) and
t.start()
or
exists(DataFlow::TypeTracker t2 | result = fsModule(t2).track(t2, t))
exists(DataFlow::TypeTracker t2 | result = fsModule(t2).track(t2, t))
}
}
/**
@@ -459,7 +464,7 @@ module NodeJSLib {
private class NodeJSFileSystemAccess extends FileSystemAccess, DataFlow::CallNode {
string methodName;
NodeJSFileSystemAccess() { this = maybePromisified(fsModuleMember(methodName)).getACall() }
NodeJSFileSystemAccess() { this = maybePromisified(Fs::moduleMember(methodName)).getACall() }
/**
* Gets the name of the called method.
@@ -582,8 +587,8 @@ module NodeJSLib {
name = "readdir" or
name = "realpath"
|
this = fsModuleMember(name).getACall().getCallback([1 .. 2]).getParameter(1) or
this = fsModuleMember(name + "Sync").getACall()
this = Fs::moduleMember(name).getACall().getCallback([1 .. 2]).getParameter(1) or
this = Fs::moduleMember(name + "Sync").getACall()
)
}
}
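Review bot: The QLDoc on `Fs::moduleMember` still reads as a noun phrase ("A member `member` from module `fs` …"), although the predicate is no longer private and is now called from the `TaintedPath` and `ZipSlip` modules. QLDoc for a predicate with a result conventionally opens with "Gets", so I would reword the first line to "Gets a read of the member `member` of the `fs` module or one of its drop-in replacements `graceful-fs`, `fs-extra`, `original-fs`." It would also help to say in the `Fs` module comment that callers pass `fs` method names, so helpers that exist only in a variant are presumably matched only where a caller lists them; the method-name lists are outside these hunks, so that is worth confirming.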


@@ -155,11 +155,11 @@ module TaintedPath {
input = getAnArgument() and
output = this
or
this = DataFlow::moduleMember("fs", "realpathSync").getACall() and
this = NodeJSLib::Fs::moduleMember("realpathSync").getACall() and
input = getArgument(0) and
output = this
or
this = DataFlow::moduleMember("fs", "realpath").getACall() and
this = NodeJSLib::Fs::moduleMember("realpath").getACall() and
input = getArgument(0) and
output = getCallback(1).getParameter(1)
}
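Review bot: The `realpath` step at the end of this hunk reads only the callback at index 1 (`output = getCallback(1).getParameter(1)`), so a call that passes an options argument before the callback is not covered and the resolved path would come out untainted. The file-name source in `NodeJSLib` touched by this same commit already accepts both positions with `getCallback([1 .. 2])`; using the same form here, `output = getCallback([1 .. 2]).getParameter(1)`, would keep the two models in agreement. The enclosing predicate starts outside the hunk, so I have not checked whether another disjunct already handles the three-argument form.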


@@ -107,7 +107,7 @@ module ZipSlip {
// However, we want to consider even the bare `createWriteStream`
// to be a zipslip vulnerability since it may truncate an
// existing file.
this = DataFlow::moduleImport("fs").getAMemberCall("createWriteStream").getArgument(0)
this = NodeJSLib::Fs::moduleMember("createWriteStream").getACall().getArgument(0)
}
}
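Review bot: This line changes query results, not only spelling, and nothing in the hunk records that. The sink used to match `createWriteStream` on `fs` alone and now also matches the variants modelled by `NodeJSLib::Fs` (`graceful-fs`, `fs-extra`, `original-fs`, going by the QLDoc in that module), while the comment above it is unchanged. I would add a line to that comment such as `// Calls through the drop-in replacements of fs modelled by NodeJSLib::Fs are sinks too.` The commit lists only three changed files and none appears to be a test, so a ZipSlip test case importing one of the variants would be worth adding unless it lands in a separate commit. The enclosing class starts outside the hunk.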