writing out the truth table for DotDotSlashPrefixRemovingReplace

2025-12-21 11:16:30 +01:00 · 2020-04-03 15:46:47 +02:00
parent 94751c1b31
commit 9c2053168b
2 changed files with 21 additions and 39 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -209,9 +209,15 @@ module TaintedPath {
      // foo.replace(/(\.\.\/)*/, "") and similar
      exists(DotDotSlashPrefixRemovingReplace call |
        src = call.getInput() and
-        dst = call.getOutput() and
+        dst = call.getOutput()
-        (srclabel.isNonNormalized() or dstlabel.isAbsolute()) and // if src is normalized, then dst must be absolute (if dst is relative, then dst is sanitized)
+      |
-        dstlabel.toAbsolute() = srclabel.toAbsolute() // preserves normalization status
+        // the 4 possible combinations of normalized + relative for `srclabel`, and the possible values for `dstlabel` in each case.
        srclabel.isNonNormalized() and srclabel.isRelative() // raw + relative -> any()
        or
        srclabel.isNormalized() and srclabel.isAbsolute() and srclabel = dstlabel // normalized + absolute -> normalized + absolute
        or
        srclabel.isNonNormalized() and srclabel.isAbsolute() and dstlabel.isAbsolute() // raw + absolute -> raw/normalized + absolute
        // normalized + relative -> none()
      )
      or
      // path.join()
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -1298,10 +1298,10 @@ nodes
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
@@ -1319,14 +1319,6 @@ nodes
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
 | normalizedPaths.js:11:7:11:27 | path |
 | normalizedPaths.js:11:7:11:27 | path |
 | normalizedPaths.js:11:7:11:27 | path |
@@ -4451,14 +4443,6 @@ edges
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:14:173:37 | url.par ... , true) | TaintedPath.js:173:14:173:43 | url.par ... ).query |
 | TaintedPath.js:173:14:173:37 | url.par ... , true) | TaintedPath.js:173:14:173:43 | url.par ... ).query |
 | TaintedPath.js:173:14:173:37 | url.par ... , true) | TaintedPath.js:173:14:173:43 | url.par ... ).query |
@@ -4667,6 +4651,14 @@ edges
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
@@ -4675,22 +4667,6 @@ edges
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |