hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: improve model of express' req.sendFile

Browse Source
This commit is contained in:
Esben Sparre Andreasen
2018-10-10 15:46:43 +02:00
parent 358b6c3413
commit 6687dfd558
2 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
javascript/ql/src/semmle/javascript/frameworks/Express.qll
View File

@@ -824,7 +824,7 @@ module Express {
}
/** A call to `response.sendFile`, considered as a file system access. */
private class ResponseSendFileAsFileSystemAccess extends FileSystemAccess, DataFlow::ValueNode {
private class ResponseSendFileAsFileSystemAccess extends FileSystemReadAccess, DataFlow::ValueNode {
override MethodCallExpr astNode;
ResponseSendFileAsFileSystemAccess() {
@@ -832,6 +832,10 @@ module Express {
asExpr().(MethodCallExpr).calls(any(ResponseExpr res), name))
}
override DataFlow::Node getADataNode() {
none()
}
override DataFlow::Node getAPathArgument() {
result = DataFlow::valueNode(astNode.getArgument(0))
}