use RegExpTerm to generalize predicate

Erik Krogh Kristensen
2020-03-03 12:34:18 +01:00
parent 622a2fcfdc
commit 95819c8731
2 changed files with 9 additions and 13 deletions


@@ -217,20 +217,14 @@ module TaintedPath {
this.getCalleeName() = "replace" and
input = getReceiver() and
output = this and
not exists(RegExpLiteral literal |
not exists(RegExpLiteral literal, RegExpTerm term |
getArgument(0).getALocalSource().asExpr() = literal and
literal.isGlobal()
literal.isGlobal() and
literal.getRoot() = term
|
exists(RegExpSequence seq | literal.getRoot() = seq |
seq.getChild(0).(RegExpConstant).getValue() = "." and
seq.getChild(1).(RegExpConstant).getValue() = "." and
seq.getNumChild() = 2
)
or
exists(RegExpTerm term | literal.getRoot() = term |
term.getAMatchedString() = "/" or
term.getAMatchedString() = "."
)
term.getAMatchedString() = "/" or
term.getAMatchedString() = "." or
term.getAMatchedString() = ".."
)
}
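Review bot: With `literal.getRoot() = term`, any global regex that has at least one way to match `/`, `.` or `..` now stops the `replace` step, and that includes alternations with unrelated branches such as the `/\.\.|BLA/g` case the test file marks OK. Removing the other branch can leave two previously separated dots adjacent, so the result may still contain `..`; this looks like a possible false negative for the query, though the enclosing predicate starts outside the hunk and the case may be handled elsewhere. If the breadth is intended, say so above the `not exists`, for example `// Any global replace that can remove "/", "." or ".." is treated as sanitizing, even when other alternatives are removed too.` Otherwise consider accepting only roots whose alternatives are all separators or dots.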


@@ -172,7 +172,7 @@ var server = http.createServer(function(req, res) {
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
// Removal of forward-slash.
// Removal of forward-slash or dots.
res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); // OK.
res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // NOT OK
res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // OK (can still be absolute)
@@ -181,4 +181,6 @@ var server = http.createServer(function(req, res) {
res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, ''))); // OK
res.write(fs.readFileSync(path.replace(/\//g, ''))); // OK
res.write(fs.readFileSync(path.replace(/\./g, ''))); // OK
res.write(fs.readFileSync(path.replace(/\.|\//g, ''))); // OK
res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // OK
});
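Review bot: The two added cases at the end of the handler only exercise regexes the generalized predicate should accept; none of the visible lines is an alternation that must stay flagged, so an over-broad match on the root term would go unnoticed. A line such as `res.write(fs.readFileSync(path.replace(/FOO|BLA/g, ''))); // NOT OK` next to the new ones would pin that behaviour. Lines 179-180 of the test file fall between the two hunks and are not shown, so such a case may already exist there.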