add sanitizer for relative ".." in js/path-injection

This commit is contained in:
Erik Krogh Kristensen
2020-02-13 18:44:02 +01:00
parent da566a4484
commit 3a146514ce
4 changed files with 126 additions and 10 deletions


@@ -1259,6 +1259,34 @@ nodes
| normalizedPaths.js:250:21:250:24 | path |
| normalizedPaths.js:250:21:250:24 | path |
| normalizedPaths.js:250:21:250:24 | path |
| normalizedPaths.js:254:7:254:47 | path |
| normalizedPaths.js:254:7:254:47 | path |
| normalizedPaths.js:254:7:254:47 | path |
| normalizedPaths.js:254:7:254:47 | path |
| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| normalizedPaths.js:254:33:254:46 | req.query.path |
| normalizedPaths.js:254:33:254:46 | req.query.path |
| normalizedPaths.js:254:33:254:46 | req.query.path |
| normalizedPaths.js:254:33:254:46 | req.query.path |
| normalizedPaths.js:254:33:254:46 | req.query.path |
| normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:270:21:270:24 | path |
| tainted-require.js:7:19:7:37 | req.param("module") |
| tainted-require.js:7:19:7:37 | req.param("module") |
| tainted-require.js:7:19:7:37 | req.param("module") |
@@ -3630,6 +3658,42 @@ edges
| normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
| normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
| normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | normalizedPaths.js:254:7:254:47 | path |
| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | normalizedPaths.js:254:7:254:47 | path |
| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | normalizedPaths.js:254:7:254:47 | path |
| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | normalizedPaths.js:254:7:254:47 | path |
| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") |
| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") |
@@ -4411,6 +4475,9 @@ edges
| normalizedPaths.js:238:19:238:22 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:238:19:238:22 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
| normalizedPaths.js:245:21:245:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:245:21:245:24 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
| normalizedPaths.js:250:21:250:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:250:21:250:24 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
| normalizedPaths.js:256:19:256:22 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:256:19:256:22 | path | This path depends on $@. | normalizedPaths.js:254:33:254:46 | req.query.path | a user-provided value |
| normalizedPaths.js:262:21:262:24 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:262:21:262:24 | path | This path depends on $@. | normalizedPaths.js:254:33:254:46 | req.query.path | a user-provided value |
| normalizedPaths.js:270:21:270:24 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:270:21:270:24 | path | This path depends on $@. | normalizedPaths.js:254:33:254:46 | req.query.path | a user-provided value |
| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value |
| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | a user-provided value |


@@ -249,3 +249,26 @@ app.get('/resolve-path', (req, res) => {
else
fs.readFileSync(path); // NOT OK - wrong polarity
});
app.get('/relative-startswith', (req, res) => {
let path = pathModule.resolve(req.query.path);
fs.readFileSync(path); // NOT OK
var self = something();
var relative = pathModule.relative(self.webroot, path);
if(relative.startsWith(".." + pathModule.sep) || relative == "..") {
fs.readFileSync(path); // NOT OK!
} else {
fs.readFileSync(path); // OK!
}
let newpath = pathModule.normalize(p);
var relativePath = path.relative(path.normalize(workspaceDir), newpath);
if (relativePath.indexOf('..' + pathModule.sep) === 0) {
fs.readFileSync(path); // NOT OK!
} else {
fs.readFileSync(newpath); // OK!
}
});
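Review bot: `path.relative(path.normalize(workspaceDir), newpath)` in the second check calls `.relative` and `.normalize` on the string `path` declared by `let path = pathModule.resolve(req.query.path)` at the top of this handler, not on the path module, so the expression would throw at runtime and, depending on how the new sanitizer identifies the `relative` call, may not exercise the guard the test intends; the first check uses `pathModule.relative(self.webroot, path)`, so the consistent line is `var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath);`. The second guard, `relativePath.indexOf('..' + pathModule.sep) === 0`, is also weaker than the first, which additionally tests `relative == ".."`: a `newpath` equal to the parent directory of `workspaceDir` gives `relativePath === '..'`, passes the guard, and reaches the `fs.readFileSync(newpath); // OK!` branch, which the expected output now treats as sanitized. If the sanitizer is meant to accept the prefix-only form, a comment on that line such as `// OK! (prefix-only guard; the bare ".." case is deliberately accepted as sanitized)` would record that this is intended rather than an oversight. The `.qll` change that defines the sanitizer is not in this excerpt, so which call and comparison shapes it matches is inferred from the expected output alone.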