Remove additional path-injection sinks

2026-05-20 06:07:07 +02:00 · 2020-10-12 13:43:41 +02:00
parent c5ce60c872
commit af02c1ed5b
4 changed files with 12 additions and 23 deletions
--- a/benjamin-button.md
+++ b/benjamin-button.md
@@ -10,6 +10,15 @@ Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by lookin
 - the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
 - the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink

+Sinks added between 2018-08-02 and 2020-01-01 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+pathinjection
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+tainted-path
+
+Sinks from the "graceful-fs" and "fs-extra" (added before the open-sourcing squash).
+
 ## Xss.ql

 Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
--- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -493,10 +493,10 @@ module NodeJSLib {
   */
  module FS {
    /**
-     * A member `member` from module `fs` or its drop-in replacements `graceful-fs`, `fs-extra`, `original-fs`.
+     * A member `member` from module `fs`.
     */
    DataFlow::SourceNode moduleMember(string member) {
-      exists(string moduleName | moduleName = ["fs-extra", "graceful-fs", "fs"] |
+      exists(string moduleName | moduleName = ["fs"] |
        result = DataFlow::moduleMember(moduleName, member)
      )
    }
--- a/javascript/ql/lib/semmle/javascript/frameworks/TorrentLibraries.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/TorrentLibraries.qll
@@ -36,25 +36,7 @@ module ParseTorrent {
   * An access to user-controlled torrent information.
   */
  class UserControlledTorrentInfo extends RemoteFlowSource {
-    UserControlledTorrentInfo() {
-      exists(DataFlow::SourceNode ref, DataFlow::PropRead read |
-        ref = parsedTorrentRef() and
-        read = ref.getAPropertyRead() and
-        this = read
-      |
-        exists(string prop |
-          not (
-            prop = "private" or
-            prop = "infoHash" or
-            prop = "length"
-            // "pieceLength" and "lastPieceLength" are not guaranteed to be numbers as of commit ae3ad15d
-          ) and
-          read.getPropertyName() = prop
-        )
-        or
-        not exists(read.getPropertyName())
-      )
-    }
+    UserControlledTorrentInfo() { none() }

    override string getSourceType() { result = "torrent information" }
  }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -608,8 +608,6 @@ module TaintedPath {
      (
        this = fileSystemAccess.getAPathArgument() and
        not exists(fileSystemAccess.getRootPathArgument())
-        or
-        this = fileSystemAccess.getRootPathArgument()
      ) and
      not this = any(ResolvingPathCall call).getInput()
    }