JavaScript: Teach IncompleteSanitization to flag incomplete path sanitizers.

2026-04-28 10:15:14 +02:00 · 2019-11-15 12:25:47 +00:00
parent b39bcde31c
commit 5565be14fc
3 changed files with 8 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
@@ -166,6 +166,9 @@ where
        // URL encoder
        repl.getArgument(1).getStringValue().regexpMatch(urlEscapePattern)
      )
+      or
+      // path sanitizer
+      (m = ".." or m = "/.." or m = "../" or m = "/../")
    ) and
    // don't flag replace operations in a loop
    not DataFlow::valueNode(repl.getReceiver()) = DataFlow::valueNode(repl).getASuccessor+() and