hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: model path-is-inside+is-path-inside for js/path-injection

Browse Source
This commit is contained in:
Esben Sparre Andreasen
2020-02-24 22:48:09 +01:00
parent 86b836cd29
commit 5baba62154
4 changed files with 35 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
View File

@@ -35,7 +35,8 @@ module TaintedPath {
guard instanceof StartsWithDotDotSanitizer or
guard instanceof StartsWithDirSanitizer or
guard instanceof IsAbsoluteSanitizer or
guard instanceof ContainsDotDotSanitizer
guard instanceof ContainsDotDotSanitizer or
guard instanceof IsInsideCheckSanitizer
}
override predicate isAdditionalFlowStep(

33
javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
View File

@@ -369,6 +369,39 @@ module TaintedPath {
*/
private class VarAccessBarrier extends Sanitizer, DataFlow::VarAccessBarrier { }
/**
* An expression of form `isInside(x, y)` or similar, where `isInside` is
* a library check for the relation between `x` and `y`.
*/
class IsInsideCheckSanitizer extends DataFlow::LabeledBarrierGuardNode {
DataFlow::Node checked;
boolean onlyNormalizedAbsolutePaths;
IsInsideCheckSanitizer() {
exists(string name, DataFlow::CallNode check |
name = "path-is-inside" and onlyNormalizedAbsolutePaths = true
or
name = "is-path-inside" and onlyNormalizedAbsolutePaths = false
|
check = DataFlow::moduleImport(name).getACall() and
checked = check.getArgument(0) and
check = this
)
}
override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
(
onlyNormalizedAbsolutePaths = true and
label.(Label::PosixPath).isNormalized() and
label.(Label::PosixPath).isAbsolute()
or
onlyNormalizedAbsolutePaths = false
) and
e = checked.asExpr() and
outcome = true
}
}
/**
* A source of remote user input, considered as a flow source for
* tainted-path vulnerabilities.

3
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
View File

@@ -1,7 +1,4 @@
| normalizedPaths.js:208:38:208:63 | // OK - ... anyway | Spurious alert |
| normalizedPaths.js:259:26:259:30 | // OK | Spurious alert |
| normalizedPaths.js:275:36:275:40 | // OK | Spurious alert |
| normalizedPaths.js:282:36:282:40 | // OK | Spurious alert |
| tainted-string-steps.js:25:43:25:74 | // NOT ... flagged | Missing alert |
| tainted-string-steps.js:26:49:26:74 | // OK - ... flagged | Spurious alert |
| tainted-string-steps.js:28:39:28:70 | // NOT ... flagged | Missing alert |

39
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
View File

@@ -1509,11 +1509,6 @@ nodes
| normalizedPaths.js:257:18:257:21 | path |
| normalizedPaths.js:257:18:257:21 | path |
| normalizedPaths.js:257:18:257:21 | path |
| normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:262:19:262:22 | path |
| normalizedPaths.js:262:19:262:22 | path |
| normalizedPaths.js:262:19:262:22 | path |
@@ -1523,7 +1518,6 @@ nodes
| normalizedPaths.js:266:19:266:22 | path |
| normalizedPaths.js:266:19:266:22 | path |
| normalizedPaths.js:266:19:266:22 | path |
| normalizedPaths.js:266:19:266:22 | path |
| normalizedPaths.js:269:19:269:22 | path |
| normalizedPaths.js:269:19:269:22 | path |
| normalizedPaths.js:269:19:269:22 | path |
@@ -1538,18 +1532,10 @@ nodes
| normalizedPaths.js:273:45:273:48 | path |
| normalizedPaths.js:273:45:273:48 | path |
| normalizedPaths.js:273:45:273:48 | path |
| normalizedPaths.js:275:19:275:32 | normalizedPath |
| normalizedPaths.js:275:19:275:32 | normalizedPath |
| normalizedPaths.js:275:19:275:32 | normalizedPath |
| normalizedPaths.js:275:19:275:32 | normalizedPath |
| normalizedPaths.js:278:19:278:32 | normalizedPath |
| normalizedPaths.js:278:19:278:32 | normalizedPath |
| normalizedPaths.js:278:19:278:32 | normalizedPath |
| normalizedPaths.js:278:19:278:32 | normalizedPath |
| normalizedPaths.js:282:19:282:32 | normalizedPath |
| normalizedPaths.js:282:19:282:32 | normalizedPath |
| normalizedPaths.js:282:19:282:32 | normalizedPath |
| normalizedPaths.js:282:19:282:32 | normalizedPath |
| normalizedPaths.js:285:19:285:32 | normalizedPath |
| normalizedPaths.js:285:19:285:32 | normalizedPath |
| normalizedPaths.js:285:19:285:32 | normalizedPath |
@@ -4295,14 +4281,6 @@ edges
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:257:18:257:21 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:257:18:257:21 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:257:18:257:21 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:262:19:262:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:262:19:262:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:262:19:262:22 | path |
@@ -4317,8 +4295,6 @@ edges
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:266:19:266:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:266:19:266:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:266:19:266:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:266:19:266:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:266:19:266:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:269:19:269:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:269:19:269:22 | path |
| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:269:19:269:22 | path |
@@ -4338,24 +4314,12 @@ edges
| normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:256:6:256:26 | path |
| normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:256:6:256:26 | path |
| normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:256:6:256:26 | path |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:285:19:285:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:285:19:285:32 | normalizedPath |
| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:285:19:285:32 | normalizedPath |
@@ -5237,13 +5201,10 @@ edges
| normalizedPaths.js:245:21:245:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:245:21:245:24 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
| normalizedPaths.js:250:21:250:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:250:21:250:24 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
| normalizedPaths.js:257:18:257:21 | path | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:257:18:257:21 | path | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
| normalizedPaths.js:259:19:259:22 | path | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:259:19:259:22 | path | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
| normalizedPaths.js:262:19:262:22 | path | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:262:19:262:22 | path | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
| normalizedPaths.js:266:19:266:22 | path | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:266:19:266:22 | path | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
| normalizedPaths.js:269:19:269:22 | path | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:269:19:269:22 | path | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
| normalizedPaths.js:275:19:275:32 | normalizedPath | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:275:19:275:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
| normalizedPaths.js:278:19:278:32 | normalizedPath | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:278:19:278:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
| normalizedPaths.js:282:19:282:32 | normalizedPath | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:282:19:282:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
| normalizedPaths.js:285:19:285:32 | normalizedPath | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:285:19:285:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value |