hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6262 from erik-krogh/slash

Browse Source 
Approved by asgerf
This commit is contained in:
CodeQL CI
2021-07-13 05:44:55 -07:00
committed by GitHub
parent c87fe95d52 899e54fbc9
commit 9d59cba644
4 changed files with 74 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
View File

@@ -798,6 +798,12 @@ module TaintedPath {
srclabel instanceof Label::SplitPath and
dstlabel.(Label::PosixPath).canContainDotDotSlash()
)
or
exists(API::CallNode call | call = API::moduleImport("slash").getACall() |
src = call.getArgument(0) and
dst = call and
srclabel = dstlabel
)
}
/**

53
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
View File

@@ -1843,6 +1843,29 @@ nodes
| normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:363:21:363:31 | requestPath |
| normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:377:14:377:27 | req.query.path |
| normalizedPaths.js:377:14:377:27 | req.query.path |
| normalizedPaths.js:377:14:377:27 | req.query.path |
| normalizedPaths.js:377:14:377:27 | req.query.path |
| normalizedPaths.js:377:14:377:27 | req.query.path |
| normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:25:381:28 | path |
| normalizedPaths.js:381:25:381:28 | path |
| normalizedPaths.js:381:25:381:28 | path |
| normalizedPaths.js:381:25:381:28 | path |
| other-fs-libraries.js:9:7:9:48 | path |
| other-fs-libraries.js:9:7:9:48 | path |
| other-fs-libraries.js:9:7:9:48 | path |
@@ -6111,6 +6134,34 @@ edges
| normalizedPaths.js:358:47:358:50 | path | normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
| normalizedPaths.js:358:47:358:50 | path | normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
| normalizedPaths.js:358:47:358:50 | path | normalizedPaths.js:358:21:358:51 | pathMod ... , path) |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:379:19:379:22 | path |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:381:25:381:28 | path |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:381:25:381:28 | path |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:381:25:381:28 | path |
| normalizedPaths.js:377:7:377:27 | path | normalizedPaths.js:381:25:381:28 | path |
| normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:377:7:377:27 | path |
| normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
| normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
| other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
@@ -8535,6 +8586,8 @@ edges
| normalizedPaths.js:346:19:346:22 | path | normalizedPaths.js:339:32:339:45 | req.query.path | normalizedPaths.js:346:19:346:22 | path | This path depends on $@. | normalizedPaths.js:339:32:339:45 | req.query.path | a user-provided value |
| normalizedPaths.js:356:19:356:22 | path | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:356:19:356:22 | path | This path depends on $@. | normalizedPaths.js:354:14:354:27 | req.query.path | a user-provided value |
| normalizedPaths.js:363:21:363:31 | requestPath | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:363:21:363:31 | requestPath | This path depends on $@. | normalizedPaths.js:354:14:354:27 | req.query.path | a user-provided value |
| normalizedPaths.js:379:19:379:22 | path | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:379:19:379:22 | path | This path depends on $@. | normalizedPaths.js:377:14:377:27 | req.query.path | a user-provided value |
| normalizedPaths.js:381:19:381:29 | slash(path) | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:381:19:381:29 | slash(path) | This path depends on $@. | normalizedPaths.js:377:14:377:27 | req.query.path | a user-provided value |
| other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
| other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
| other-fs-libraries.js:13:24:13:27 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:13:24:13:27 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |

9
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
View File

@@ -370,4 +370,13 @@ app.get('/yet-another-prefix2', (req, res) => {
function allowPath(requestPath, rootPath) {
return requestPath.indexOf(rootPath) === 0;
}
});
import slash from 'slash';
app.get('/slash-stuff', (req, res) => {
let path = req.query.path;
fs.readFileSync(path); // NOT OK
fs.readFileSync(slash(path)); // NOT OK
});