writing out the truth table for DotDotSlashPrefixRemovingReplace

2025-12-21 03:06:31 +01:00 · 2020-04-03 15:46:47 +02:00
parent 94751c1b31
commit 9c2053168b
2 changed files with 21 additions and 39 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -209,9 +209,15 @@ module TaintedPath {
      // foo.replace(/(\.\.\/)*/, "") and similar
      exists(DotDotSlashPrefixRemovingReplace call |
        src = call.getInput() and
-        dst = call.getOutput() and
-        (srclabel.isNonNormalized() or dstlabel.isAbsolute()) and // if src is normalized, then dst must be absolute (if dst is relative, then dst is sanitized)
-        dstlabel.toAbsolute() = srclabel.toAbsolute() // preserves normalization status
+        dst = call.getOutput()
+      |
+        // the 4 possible combinations of normalized + relative for `srclabel`, and the possible values for `dstlabel` in each case.
+        srclabel.isNonNormalized() and srclabel.isRelative() // raw + relative -> any()
+        or
+        srclabel.isNormalized() and srclabel.isAbsolute() and srclabel = dstlabel // normalized + absolute -> normalized + absolute
+        or
+        srclabel.isNonNormalized() and srclabel.isAbsolute() and dstlabel.isAbsolute() // raw + absolute -> raw/normalized + absolute
+        // normalized + relative -> none()
      )
      or
      // path.join()