hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 19:55:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2958 from erik-krogh/InnerPrefix

Browse Source 
Approved by asgerf
This commit is contained in:
semmle-qlci
2020-03-03 11:10:44 +00:00
committed by GitHub
parent 7f3f629d39 d2d5af42bf
commit 57b3e6addf
4 changed files with 186 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
javascript/ql/src/semmle/javascript/InclusionTests.qll
View File

@@ -58,6 +58,40 @@ module InclusionTest {
boolean getPolarity() { result = true }
}
/**
* A call to a utility function (`callee`) that performs an InclusionTest (`inner`).
*/
private class IndirectInclusionTest extends Range, DataFlow::CallNode {
InclusionTest inner;
Function callee;
IndirectInclusionTest() {
inner.getEnclosingExpr() = callee.getAReturnedExpr() and
this.getACallee() = callee and
count(this.getACallee()) = 1 and
count(callee.getAReturnedExpr()) = 1 and
not this.isImprecise() and
inner.getContainerNode().getALocalSource().getEnclosingExpr() = callee.getAParameter() and
inner.getContainedNode().getALocalSource().getEnclosingExpr() = callee.getAParameter()
}
override DataFlow::Node getContainerNode() {
exists(int arg |
inner.getContainerNode().getALocalSource().getEnclosingExpr() = callee.getParameter(arg) and
result = this.getArgument(arg)
)
}
override DataFlow::Node getContainedNode() {
exists(int arg |
inner.getContainedNode().getALocalSource().getEnclosingExpr() = callee.getParameter(arg) and
result = this.getArgument(arg)
)
}
override boolean getPolarity() { result = inner.getPolarity() }
}
/**
* A call to a method named `includes`, assumed to refer to `String.prototype.includes`
* or `Array.prototype.includes`.

69
javascript/ql/src/semmle/javascript/StringOps.qll
View File

@@ -56,6 +56,40 @@ module StringOps {
boolean getPolarity() { result = true }
}
/**
* A call to a utility function (`callee`) that performs a StartsWith check (`inner`).
*/
private class IndirectStartsWith extends Range, DataFlow::CallNode {
StartsWith inner;
Function callee;
IndirectStartsWith() {
inner.getEnclosingExpr() = callee.getAReturnedExpr() and
this.getACallee() = callee and
count(this.getACallee()) = 1 and
count(callee.getAReturnedExpr()) = 1 and
not this.isImprecise() and
inner.getBaseString().getALocalSource().getEnclosingExpr() = callee.getAParameter() and
inner.getSubstring().getALocalSource().getEnclosingExpr() = callee.getAParameter()
}
override DataFlow::Node getBaseString() {
exists(int arg |
inner.getBaseString().getALocalSource().getEnclosingExpr() = callee.getParameter(arg) and
result = this.getArgument(arg)
)
}
override DataFlow::Node getSubstring() {
exists(int arg |
inner.getSubstring().getALocalSource().getEnclosingExpr() = callee.getParameter(arg) and
result = this.getArgument(arg)
)
}
override boolean getPolarity() { result = inner.getPolarity() }
}
/**
* An expression of form `A.startsWith(B)`.
*/
@@ -253,6 +287,41 @@ module StringOps {
boolean getPolarity() { result = true }
}
/**
* A call to a utility function (`callee`) that performs an EndsWith check (`inner`).
*/
private class IndirectEndsWith extends Range, DataFlow::CallNode {
EndsWith inner;
Function callee;
IndirectEndsWith() {
inner.getEnclosingExpr() = callee.getAReturnedExpr() and
this.getACallee() = callee and
count(this.getACallee()) = 1 and
count(callee.getAReturnedExpr()) = 1 and
not this.isImprecise() and
inner.getBaseString().getALocalSource().getEnclosingExpr() = callee.getAParameter() and
inner.getSubstring().getALocalSource().getEnclosingExpr() = callee.getAParameter()
}
override DataFlow::Node getBaseString() {
exists(int arg |
inner.getBaseString().getALocalSource().getEnclosingExpr() = callee.getParameter(arg) and
result = this.getArgument(arg)
)
}
override DataFlow::Node getSubstring() {
exists(int arg |
inner.getSubstring().getALocalSource().getEnclosingExpr() = callee.getParameter(arg) and
result = this.getArgument(arg)
)
}
override boolean getPolarity() { result = inner.getPolarity() }
}
/**
* A call of form `A.endsWith(B)`.
*/

60
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
View File

@@ -1654,6 +1654,33 @@ nodes
| normalizedPaths.js:346:19:346:22 | path |
| normalizedPaths.js:346:19:346:22 | path |
| normalizedPaths.js:346:19:346:22 | path |
| normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:354:14:354:27 | req.query.path |
| normalizedPaths.js:354:14:354:27 | req.query.path |
| normalizedPaths.js:354:14:354:27 | req.query.path |
| normalizedPaths.js:354:14:354:27 | req.query.path |
| normalizedPaths.js:354:14:354:27 | req.query.path |
| normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:358:7:358:51 | requestPath |
| normalizedPaths.js:358:7:358:51 | requestPath |
| normalizedPaths.js:358:7:358:51 | requestPath |
| normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
| normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
| normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
| normalizedPaths.js:358:47:358:50 | path |
| normalizedPaths.js:358:47:358:50 | path |
| normalizedPaths.js:358:47:358:50 | path |
| normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:363:21:363:31 | requestPath |
| tainted-require.js:7:19:7:37 | req.param("module") |
| tainted-require.js:7:19:7:37 | req.param("module") |
| tainted-require.js:7:19:7:37 | req.param("module") |
@@ -4582,6 +4609,37 @@ edges
| normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
| normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
| normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:339:13:339:46 | pathMod ... y.path) |
| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:356:19:356:22 | path |
| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:358:47:358:50 | path |
| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:358:47:358:50 | path |
| normalizedPaths.js:354:7:354:27 | path | normalizedPaths.js:358:47:358:50 | path |
| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:354:7:354:27 | path |
| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:358:7:358:51 | requestPath | normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:358:21:358:51 | pathMod ... , path) | normalizedPaths.js:358:7:358:51 | requestPath |
| normalizedPaths.js:358:21:358:51 | pathMod ... , path) | normalizedPaths.js:358:7:358:51 | requestPath |
| normalizedPaths.js:358:21:358:51 | pathMod ... , path) | normalizedPaths.js:358:7:358:51 | requestPath |
| normalizedPaths.js:358:47:358:50 | path | normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
| normalizedPaths.js:358:47:358:50 | path | normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
| normalizedPaths.js:358:47:358:50 | path | normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") |
| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") |
@@ -5464,6 +5522,8 @@ edges
| normalizedPaths.js:332:19:332:32 | normalizedPath | normalizedPaths.js:303:13:303:26 | req.query.path | normalizedPaths.js:332:19:332:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:303:13:303:26 | req.query.path | a user-provided value |
| normalizedPaths.js:341:18:341:21 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:341:18:341:21 | path | This path depends on $@. | normalizedPaths.js:339:32:339:45 | req.query.path | a user-provided value |
| normalizedPaths.js:346:19:346:22 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:346:19:346:22 | path | This path depends on $@. | normalizedPaths.js:339:32:339:45 | req.query.path | a user-provided value |
| normalizedPaths.js:356:19:356:22 | path | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:356:19:356:22 | path | This path depends on $@. | normalizedPaths.js:354:14:354:27 | req.query.path | a user-provided value |
| normalizedPaths.js:363:21:363:31 | requestPath | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:363:21:363:31 | requestPath | This path depends on $@. | normalizedPaths.js:354:14:354:27 | req.query.path | a user-provided value |
| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value |
| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | a user-provided value |

23
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
View File

@@ -347,4 +347,27 @@ app.get('/yet-another-prefix', (req, res) => {
return;
}
fs.readFileSync(path); // OK
});
var rootPath = process.cwd();
app.get('/yet-another-prefix2', (req, res) => {
let path = req.query.path;
fs.readFileSync(path); // NOT OK
var requestPath = pathModule.join(rootPath, path);
var targetPath;
if (!allowPath(requestPath, rootPath)) {
targetPath = rootPath;
fs.readFileSync(requestPath); // NOT OK
} else {
targetPath = requestPath;
fs.readFileSync(requestPath); // OK
}
fs.readFileSync(targetPath); // OK
function allowPath(requestPath, rootPath) {
return requestPath.indexOf(rootPath) === 0;
}
});