add typeof sanitizer to js/shell-command-constructed-from-input

2026-05-02 04:05:14 +02:00 · 2020-12-21 14:16:55 +01:00
parent 0a0137bb5e
commit 876ba7ef2d
2 changed files with 27 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -189,4 +189,25 @@ module UnsafeShellCommandConstruction {
      )
    }
  }
+
+  /**
+   * A check of the form `type x === "X"`, where x is  "number", or "boolean",
+   * which sanitized `x` in its "then" branch.
+   */
+  class TypeOfSanitizer extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
+    Expr x;
+    override EqualityTest astNode;
+
+    TypeOfSanitizer() {
+      exists(StringLiteral str, TypeofExpr typeof | astNode.hasOperands(str, typeof) |
+        str.getValue() = ["number", "boolean"] and // "undefined" is already handled in TaintTracking.qll
+        typeof.getOperand() = x
+      )
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      outcome = astNode.getPolarity() and
+      e = x
+    }
+  }
 }
--- a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -339,3 +339,9 @@ module.exports.unproblematic = function() {
 module.exports.problematic = function(n) {
 	cp.exec("rm -rf " + id(n)); // NOT OK
 };
+
+module.exports.typeofNumber = function(n) {
+	if (typeof n === "number") {
+		cp.exec("rm -rf " + n); // OK
+	}
+};