Remove additional path-injection sinks

Esben Sparre Andreasen
2020-10-12 13:43:41 +02:00
committed by Henry Mercer
parent 6d86a2e690
commit 94940502d0
7 changed files with 15 additions and 169 deletions


@@ -447,10 +447,10 @@ module NodeJSLib {
*/
module FS {
/**
* A member `member` from module `fs` or its drop-in replacements `graceful-fs`, `fs-extra`, `original-fs`.
* A member `member` from module `fs`.
*/
DataFlow::SourceNode moduleMember(string member) {
exists(string moduleName | moduleName = ["fs-extra", "graceful-fs", "fs"] |
exists(string moduleName | moduleName = ["fs"] |
result = DataFlow::moduleMember(moduleName, member)
)
}
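Review bot: The `exists(string moduleName | moduleName = ["fs"] | ...)` wrapper in `moduleMember` now ranges over a single value and can be reduced to `result = DataFlow::moduleMember("fs", member)`. Nothing in the hunk records why `fs-extra` and `graceful-fs` are no longer modelled, and the expectations updated elsewhere in this commit list `other-fs-libraries.js:12` to `:17` as "expected an alert, but found none". That is presumably because path-injection queries built on this predicate no longer see calls made through those drop-in replacements. If the narrowing is intentional, extend the QLDoc with a sentence such as `Drop-in replacements (fs-extra, graceful-fs) are deliberately not modelled here.` The enclosing `module FS` continues past the end of the hunk.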


@@ -36,25 +36,7 @@ module ParseTorrent {
* An access to user-controlled torrent information.
*/
class UserControlledTorrentInfo extends RemoteFlowSource {
UserControlledTorrentInfo() {
exists(DataFlow::SourceNode ref, DataFlow::PropRead read |
ref = parsedTorrentRef() and
read = ref.getAPropertyRead() and
this = read
|
exists(string prop |
not (
prop = "private" or
prop = "infoHash" or
prop = "length"
// "pieceLength" and "lastPieceLength" are not guaranteed to be numbers as of commit ae3ad15d
) and
read.getPropertyName() = prop
)
or
not exists(read.getPropertyName())
)
}
UserControlledTorrentInfo() { none() }
override string getSourceType() { result = "torrent information" }
}
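Review bot: With the characteristic predicate reduced to `UserControlledTorrentInfo() { none() }` the class matches nothing, yet the QLDoc above it still reads "An access to user-controlled torrent information" and `getSourceType()` is kept. Properties of a parsed torrent such as `name` originate in the torrent file, and the expectations in this commit now record `torrents.js:7` as a missed alert, so a torrent name concatenated into a file path is no longer reported. Either delete the class or state the intent at the predicate, e.g. `// Intentionally empty: parsed torrent properties are not treated as remote flow sources.` `parsedTorrentRef()` is probably left without a caller here; its definition is outside the hunk, so that needs checking.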


@@ -584,8 +584,6 @@ module TaintedPath {
(
this = fileSystemAccess.getAPathArgument() and
not exists(fileSystemAccess.getRootPathArgument())
or
this = fileSystemAccess.getRootPathArgument()
) and
not this = any(ResolvingPathCall call).getInput()
}
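Review bot: After this hunk, a file-system access that has a root path argument contributes no sink at all. Its path arguments are excluded by `not exists(fileSystemAccess.getRootPathArgument())`, and the root argument itself is no longer matched. The expectations updated in this commit list `tainted-sendFile.js:17` ("BAD: doesn't help if user controls root") as a missed alert, which appears to be this case: a caller-controlled root defeats the confinement the root option is meant to provide. If dropping the disjunct is intended, document the gap next to the condition, e.g. `// Root path arguments are deliberately not sinks; a user-controlled root is not reported.` The predicate containing this condition begins before the hunk.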


@@ -1,4 +0,0 @@
| tst.js:6:2:6:12 | parsed.name |
| tst.js:8:2:8:19 | parsed.pieceLength |
| tst.js:14:2:14:25 | indirec ... ed.name |
| tst.js:20:2:20:7 | t.name |


@@ -1,4 +1,6 @@
| query-tests/Security/CWE-022/TaintedPath/TaintedPath.js:138 | expected an alert, but found none | NOT OK | |
| query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js:12 | expected an alert, but found none | NOT OK | |
| query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js:13 | expected an alert, but found none | NOT OK | |
| query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js:14 | expected an alert, but found none | NOT OK | |
| query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js:16 | expected an alert, but found none | NOT OK | |
| query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js:17 | expected an alert, but found none | NOT OK | |
@@ -12,3 +14,4 @@
| query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js:17 | expected an alert, but found none | BAD: doesn't help if user controls root | |
| query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js:24 | expected an alert, but found none | NOT OK | |
| query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js:25 | expected an alert, but found none | NOT OK | |
| query-tests/Security/CWE-022/TaintedPath/torrents.js:7 | expected an alert, but found none | NOT OK | |


@@ -1843,40 +1843,6 @@ nodes
| other-fs-libraries.js:11:19:11:22 | path |
| other-fs-libraries.js:11:19:11:22 | path |
| other-fs-libraries.js:11:19:11:22 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:13:24:13:27 | path |
| tainted-access-paths.js:6:7:6:48 | path |
| tainted-access-paths.js:6:7:6:48 | path |
| tainted-access-paths.js:6:7:6:48 | path |
@@ -2705,26 +2671,6 @@ nodes
| tainted-string-steps.js:27:18:27:36 | path.split(unknown) |
| tainted-string-steps.js:27:18:27:36 | path.split(unknown) |
| tainted-string-steps.js:27:18:27:36 | path.split(unknown) |
| torrents.js:5:6:5:38 | name |
| torrents.js:5:6:5:38 | name |
| torrents.js:5:6:5:38 | name |
| torrents.js:5:13:5:38 | parseTo ... t).name |
| torrents.js:5:13:5:38 | parseTo ... t).name |
| torrents.js:5:13:5:38 | parseTo ... t).name |
| torrents.js:5:13:5:38 | parseTo ... t).name |
| torrents.js:6:6:6:45 | loc |
| torrents.js:6:6:6:45 | loc |
| torrents.js:6:6:6:45 | loc |
| torrents.js:6:12:6:45 | dir + " ... t.data" |
| torrents.js:6:12:6:45 | dir + " ... t.data" |
| torrents.js:6:12:6:45 | dir + " ... t.data" |
| torrents.js:6:24:6:27 | name |
| torrents.js:6:24:6:27 | name |
| torrents.js:6:24:6:27 | name |
| torrents.js:7:25:7:27 | loc |
| torrents.js:7:25:7:27 | loc |
| torrents.js:7:25:7:27 | loc |
| torrents.js:7:25:7:27 | loc |
| typescript.ts:9:7:9:48 | path |
| typescript.ts:9:7:9:48 | path |
| typescript.ts:9:7:9:48 | path |
@@ -5488,70 +5434,6 @@ edges
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:12:27:12:30 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:13:24:13:27 | path |
| other-fs-libraries.js:9:14:9:37 | url.par ... , true) | other-fs-libraries.js:9:14:9:43 | url.par ... ).query |
| other-fs-libraries.js:9:14:9:37 | url.par ... , true) | other-fs-libraries.js:9:14:9:43 | url.par ... ).query |
| other-fs-libraries.js:9:14:9:37 | url.par ... , true) | other-fs-libraries.js:9:14:9:43 | url.par ... ).query |
@@ -6777,27 +6659,6 @@ edges
| tainted-string-steps.js:27:18:27:21 | path | tainted-string-steps.js:27:18:27:36 | path.split(unknown) |
| tainted-string-steps.js:27:18:27:21 | path | tainted-string-steps.js:27:18:27:36 | path.split(unknown) |
| tainted-string-steps.js:27:18:27:21 | path | tainted-string-steps.js:27:18:27:36 | path.split(unknown) |
| torrents.js:5:6:5:38 | name | torrents.js:6:24:6:27 | name |
| torrents.js:5:6:5:38 | name | torrents.js:6:24:6:27 | name |
| torrents.js:5:6:5:38 | name | torrents.js:6:24:6:27 | name |
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
| torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:5:6:5:38 | name |
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
| torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc |
| torrents.js:6:12:6:45 | dir + " ... t.data" | torrents.js:6:6:6:45 | loc |
| torrents.js:6:12:6:45 | dir + " ... t.data" | torrents.js:6:6:6:45 | loc |
| torrents.js:6:12:6:45 | dir + " ... t.data" | torrents.js:6:6:6:45 | loc |
| torrents.js:6:24:6:27 | name | torrents.js:6:12:6:45 | dir + " ... t.data" |
| torrents.js:6:24:6:27 | name | torrents.js:6:12:6:45 | dir + " ... t.data" |
| torrents.js:6:24:6:27 | name | torrents.js:6:12:6:45 | dir + " ... t.data" |
| typescript.ts:9:7:9:48 | path | typescript.ts:12:29:12:32 | path |
| typescript.ts:9:7:9:48 | path | typescript.ts:12:29:12:32 | path |
| typescript.ts:9:7:9:48 | path | typescript.ts:12:29:12:32 | path |
@@ -7199,8 +7060,6 @@ edges
| normalizedPaths.js:356:19:356:22 | path | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:356:19:356:22 | path | This path depends on $@. | normalizedPaths.js:354:14:354:27 | req.query.path | a user-provided value |
| normalizedPaths.js:363:21:363:31 | requestPath | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:363:21:363:31 | requestPath | This path depends on $@. | normalizedPaths.js:354:14:354:27 | req.query.path | a user-provided value |
| other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
| other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
| other-fs-libraries.js:13:24:13:27 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:13:24:13:27 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
| tainted-access-paths.js:8:19:8:22 | path | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:8:19:8:22 | path | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
| tainted-access-paths.js:12:19:12:25 | obj.sub | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:12:19:12:25 | obj.sub | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
| tainted-access-paths.js:26:19:26:26 | obj.sub3 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:26:19:26:26 | obj.sub3 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
@@ -7222,7 +7081,6 @@ edges
| tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:24:18:24:35 | path.split("?")[0] | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
| tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
| tainted-string-steps.js:27:18:27:36 | path.split(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:27:18:27:36 | path.split(unknown) | This path depends on $@. | tainted-string-steps.js:6:24:6:30 | req.url | a user-provided value |
| torrents.js:7:25:7:27 | loc | torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:7:25:7:27 | loc | This path depends on $@. | torrents.js:5:13:5:38 | parseTo ... t).name | a user-provided value |
| typescript.ts:12:29:12:32 | path | typescript.ts:9:24:9:30 | req.url | typescript.ts:12:29:12:32 | path | This path depends on $@. | typescript.ts:9:24:9:30 | req.url | a user-provided value |
| typescript.ts:21:39:21:43 | path3 | typescript.ts:9:24:9:30 | req.url | typescript.ts:21:39:21:43 | path3 | This path depends on $@. | typescript.ts:9:24:9:30 | req.url | a user-provided value |
| typescript.ts:24:39:24:43 | path4 | typescript.ts:9:24:9:30 | req.url | typescript.ts:24:39:24:43 | path4 | This path depends on $@. | typescript.ts:9:24:9:30 | req.url | a user-provided value |