JS: Port TaintedPath

2026-04-27 01:35:13 +02:00 · 2023-10-04 21:22:38 +02:00
parent fcfab5238e
commit 65e9706c8e
8 changed files with 655 additions and 9929 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql
@@ -1,3 +1,9 @@
 import javascript
 import semmle.javascript.security.dataflow.TaintedPathQuery
 import testUtilities.ConsistencyChecking
+
+class TaintedPathConsistency extends ConsistencyConfiguration {
+  TaintedPathConsistency() { this = "TaintedPathConsistency" }
+
+  override DataFlow::Node getAnAlert() { TaintedPathFlow::flowTo(result) }
+}
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
@@ -70,7 +70,11 @@ http.createServer(function(req, res) {
  fs.readFileSync(path); // NOT OK
  mkdirp(path); // NOT OK
  mkdirp.sync(path); // NOT OK
+  func(path);
 });
+function func(x) {
+  fs.readFileSync(x); // NOT OK
+}

 const fsp = require("fs/promises");
 http.createServer(function(req, res) {
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js
@@ -0,0 +1,35 @@
+const fs = require('fs');
+const express = require('express');
+const app = express();
+
+app.get('/', function (req, res) {
+    getTree(req, res, { workspaceDir: '/tmp' });
+});
+
+function getTree(req, res, options) {
+    var workspaceId = req.params.workspaceId;
+    var realfileRootPath = workspaceId; // getfileRoot(workspaceId);
+    var filePath = workspaceId; // path.join(options.workspaceDir,realfileRootPath, req.params["0"]);
+    withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {});
+}
+
+function getfileRoot(workspaceId) {
+    var userId = decodeUserIdFromWorkspaceId(workspaceId);
+    return path.join(userId.substring(0,2), userId, decodeWorkspaceNameFromWorkspaceId(workspaceId));
+}
+
+function withStatsAndETag(filepath, callback) {
+	fs.readFileSync(filepath); // NOT OK
+};
+
+function decodeUserIdFromWorkspaceId(workspaceId) {
+    var index = workspaceId.lastIndexOf(SEPARATOR);
+    if (index === -1) return null;
+    return workspaceId.substring(0, index);
+}
+
+function decodeWorkspaceNameFromWorkspaceId(workspaceId) {
+    var index = workspaceId.lastIndexOf(SEPARATOR);
+    if (index === -1) return null;
+    return workspaceId.substring(index + 1);
+}
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js
@@ -0,0 +1,15 @@
+var fs = require('fs'),
+    http = require('http'),
+    url = require('url');
+
+var server = http.createServer(function(req, res) {
+  let path = url.parse(req.url, true).query.path;
+  doRead(Promise.resolve(path));
+});
+
+async function doRead(pathPromise) {
+  fs.readFileSync(await pathPromise); // NOT OK
+  pathPromise.then(path => fs.readFileSync(path)); // NO TOK
+}
+
+server.listen();