recognize another prefix check for js/path-injection

2025-12-24 04:36:35 +01:00 · 2020-02-28 14:55:41 +01:00
parent 4ca57db553
commit 71ff32e930
4 changed files with 90 additions and 9 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -36,7 +36,7 @@ module TaintedPath {
      guard instanceof StartsWithDirSanitizer or
      guard instanceof IsAbsoluteSanitizer or
      guard instanceof ContainsDotDotSanitizer or
-      guard instanceof RelativePathStartsWithDotDotSanitizer or
+      guard instanceof RelativePathStartsWithSanitizer or
      guard instanceof IsInsideCheckSanitizer
    }

--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -368,29 +368,43 @@ module TaintedPath {
   *   // pathname is safe
   * }
   * ```
+   * 
+   * or
+   * ```
+   * var relative = path.resolve(pathname); // or path.normalize
+   * if(relative.startsWith(webroot) {
+   *   // pathname is safe
+   * } else {
+   *   // pathname is unsafe
+   * }
+   * ```
   */
-  class RelativePathStartsWithDotDotSanitizer extends DataFlow::BarrierGuardNode {
+  class RelativePathStartsWithSanitizer extends DataFlow::BarrierGuardNode {
    StringOps::StartsWith startsWith;
-    DataFlow::CallNode relativeCall;
+    DataFlow::CallNode pathCall;
+    string member;

-    RelativePathStartsWithDotDotSanitizer() {
+    RelativePathStartsWithSanitizer() {
+      (member = "relative" or member = "resolve" or member = "normalize") and
      this = startsWith and
-      relativeCall = NodeJSLib::Path::moduleMember("relative").getACall() and
+      pathCall = NodeJSLib::Path::moduleMember(member).getACall() and
      (
-        startsWith.getBaseString().getALocalSource() = relativeCall
+        startsWith.getBaseString().getALocalSource() = pathCall
        or
        startsWith
            .getBaseString()
            .getALocalSource()
            .(NormalizingPathCall)
            .getInput()
-            .getALocalSource() = relativeCall
+            .getALocalSource() = pathCall
      ) and
-      isDotDotSlashPrefix(startsWith.getSubstring())
+      (not member = "relative" or isDotDotSlashPrefix(startsWith.getSubstring()))
    }

    override predicate blocks(boolean outcome, Expr e) {
-      e = relativeCall.getArgument(1).asExpr() and outcome = startsWith.getPolarity().booleanNot()
+      member = "relative" and e = pathCall.getArgument(1).asExpr() and outcome = startsWith.getPolarity().booleanNot()
+      or
+      not member = "relative" and e = pathCall.getArgument(0).asExpr() and outcome = startsWith.getPolarity()
    }
  }