add support for getASavePath() to js/insecure-download

2026-04-30 19:26:02 +02:00 · 2020-06-25 14:40:35 +02:00
parent dafca8fd81
commit 8f5a3e9f4f
3 changed files with 21 additions and 3 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll
@@ -68,13 +68,21 @@ module InsecureDownload {
    override DataFlow::FlowLabel getALabel() {
      result instanceof Label::InsecureURL
      or
-      exists(string suffix | suffix = unsafeExtension() |
-        str.suffix(str.length() - suffix.length() - 1).toLowerCase() = "." + suffix
-      ) and
+      hasUnsafeExtension(str) and
      result instanceof Label::SensitiveInsecureURL
    }
  }

+  /**
+   * Holds if `str` is a string that ends with an unsafe file extension.
+   */
+  bindingset[str]
+  predicate hasUnsafeExtension(string str) {
+    exists(string suffix | suffix = unsafeExtension() |
+      str.suffix(str.length() - suffix.length() - 1).toLowerCase() = "." + suffix
+    )
+  }
+
  /**
   * Gets a file-extension that can potentially be dangerous.
   *
@@ -99,6 +107,9 @@ module InsecureDownload {

    override DataFlow::FlowLabel getALabel() {
      result instanceof Label::SensitiveInsecureURL // TODO: Also non-sensitive.
+      or
+      hasUnsafeExtension(request.getASavePath().getStringValue()) and
+      result instanceof Label::InsecureURL
    }
  }
 }
--- a/javascript/ql/test/query-tests/Security/CWE-829/InsecureDownload.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-829/InsecureDownload.expected
@@ -17,6 +17,9 @@ nodes
 | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
 | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
 | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
+| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
+| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
+| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
 edges
 | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:15:18:15:40 | buildTo ... llerUrl |
 | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:15:18:15:40 | buildTo ... llerUrl |
@@ -30,9 +33,11 @@ edges
 | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:36:9:36:45 | url |
 | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:36:9:36:45 | url |
 | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
+| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
 #select
 | insecure-download.js:5:16:5:28 | installer.url | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:5:16:5:28 | installer.url | $@ of sensitive file from $@. | insecure-download.js:5:9:5:44 | nugget( ... => { }) | Download | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | HTTP source |
 | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | $@ of sensitive file from $@. | insecure-download.js:30:5:30:43 | nugget( ... e.APK") | Download | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | HTTP source |
 | insecure-download.js:37:23:37:25 | url | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:37:23:37:25 | url | $@ of sensitive file from $@. | insecure-download.js:37:5:37:42 | cp.exec ...  () {}) | Download | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | HTTP source |
 | insecure-download.js:39:26:39:28 | url | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:39:26:39:28 | url | $@ of sensitive file from $@. | insecure-download.js:39:5:39:46 | cp.exec ...  () {}) | Download | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | HTTP source |
 | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | $@ of sensitive file from $@. | insecure-download.js:41:5:41:42 | nugget( ... e.APK") | Download | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | HTTP source |
+| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | $@ of sensitive file from $@. | insecure-download.js:46:5:46:71 | nugget( ... => { }) | Download | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | HTTP source |
--- a/javascript/ql/test/query-tests/Security/CWE-829/insecure-download.js
+++ b/javascript/ql/test/query-tests/Security/CWE-829/insecure-download.js
@@ -46,4 +46,6 @@ var writeFileAtomic = require("write-file-atomic");

 function test() {
    nugget("http://example.org/unsafe", {target: "foo.exe"}, () => { }) // NOT OK
+
+    nugget("http://example.org/unsafe", {target: "foo.safe"}, () => { }) // OK
 }