Merge pull request #889 from jcreedcmu/jcreed/tarslip

JavaScript: Add new query for ZipSlip (CWE-022).
2026-04-30 19:26:02 +02:00 · 2019-03-01 08:16:35 +00:00
parent 28304e4fde 86bbb5fb18
commit 8dcd8715b9
21 changed files with 286 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.qlref
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/fs.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/fs.js
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/views.js
--- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected
@@ -0,0 +1,17 @@
+nodes
+| ZipSlipBad2.js:5:9:5:46 | fileName |
+| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
+| ZipSlipBad2.js:5:37:5:46 | entry.path |
+| ZipSlipBad2.js:6:22:6:29 | fileName |
+| ZipSlipBad.js:7:11:7:31 | fileName |
+| ZipSlipBad.js:7:22:7:31 | entry.path |
+| ZipSlipBad.js:8:37:8:44 | fileName |
+edges
+| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName |
+| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | ZipSlipBad2.js:5:9:5:46 | fileName |
+| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
+| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
+| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
+#select
+| ZipSlipBad2.js:6:22:6:29 | fileName | ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:6:22:6:29 | fileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBad2.js:5:37:5:46 | entry.path | item path |
+| ZipSlipBad.js:8:37:8:44 | fileName | ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:8:37:8:44 | fileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBad.js:7:22:7:31 | entry.path | item path |
--- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.qlref
@@ -0,0 +1 @@
+Security/CWE-022/ZipSlip.ql
--- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js
@@ -0,0 +1,9 @@
+const fs = require('fs');
+const unzip = require('unzip');
+
+fs.createReadStream('archive.zip')
+  .pipe(unzip.Parse())
+  .on('entry', entry => {
+    const fileName = entry.path;
+    entry.pipe(fs.createWriteStream(fileName));
+  });
--- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js
@@ -0,0 +1,8 @@
+var fs = require('fs');
+var unzip = require('unzip');
+fs.readFile('path/to/archive.zip', function (err, zipContents) {
+  unzip.Parse(zipContents).on('entry', function (entry) {
+    var fileName = 'output/path/' + entry.path;
+    fs.writeFileSync(fileName, entry.contents);
+  });
+});
--- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js
@@ -0,0 +1,14 @@
+const fs = require('fs');
+const unzip = require('unzip');
+
+fs.createReadStream('archive.zip')
+  .pipe(unzip.Parse())
+  .on('entry', entry => {
+    const fileName = entry.path;
+    if (fileName.indexOf('..') == -1) {
+      entry.pipe(fs.createWriteStream(fileName));
+    }
+    else {
+      console.log('skipping bad path', fileName);
+    }
+  });
--- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/externs.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/externs.js
@@ -0,0 +1,11 @@
+/**
+ * @externs
+ */
+var fs = {};
+
+/**
+ * @param {string} filename
+ * @param {*} data
+ * @return {void}
+ */
+fs.writeFileSync = function(filename, data) {};