diff --git a/benjamin-button.md b/benjamin-button.md
index e964f0f1aef..3d63edddca0 100644
--- a/benjamin-button.md
+++ b/benjamin-button.md
@@ -10,6 +10,15 @@ Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by lookin
 - the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
 - the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+Sinks added between 2018-08-02 and 2020-01-01 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+pathinjection
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+tainted-path
+
+Sinks from the "graceful-fs" and "fs-extra" (added before the open-sourcing squash).
+
 ## Xss.ql
 Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
index 5f3aac27fd1..56e174187bd 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -493,10 +493,10 @@ module NodeJSLib {
 */
 module FS {
 /**
- * A member `member` from module `fs` or its drop-in replacements `graceful-fs`, `fs-extra`, `original-fs`.
+ * A member `member` from module `fs`.
 */
 DataFlow::SourceNode moduleMember(string member) {
- exists(string moduleName | moduleName = ["fs-extra", "graceful-fs", "fs"] |
+ exists(string moduleName | moduleName = ["fs"] |
 result = DataFlow::moduleMember(moduleName, member)
 )
 }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/TorrentLibraries.qll b/javascript/ql/lib/semmle/javascript/frameworks/TorrentLibraries.qll
index ee6755a8adf..9502bb51fa7 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/TorrentLibraries.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/TorrentLibraries.qll
@@ -36,25 +36,7 @@ module ParseTorrent {
 * An access to user-controlled torrent information.
 */
 class UserControlledTorrentInfo extends RemoteFlowSource {
- UserControlledTorrentInfo() {
- exists(DataFlow::SourceNode ref, DataFlow::PropRead read |
- ref = parsedTorrentRef() and
- read = ref.getAPropertyRead() and
- this = read
- |
- exists(string prop |
- not (
- prop = "private" or
- prop = "infoHash" or
- prop = "length"
- // "pieceLength" and "lastPieceLength" are not guaranteed to be numbers as of commit ae3ad15d
- ) and
- read.getPropertyName() = prop
- )
- or
- not exists(read.getPropertyName())
- )
- }
+ UserControlledTorrentInfo() { none() }
 override string getSourceType() { result = "torrent information" }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
index 85a56a05ef2..24cb96eb9fa 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
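Review bot: Narrowing `moduleName` to `["fs"]` in `FS::moduleMember` removes `graceful-fs` and `fs-extra` from every model built on this predicate, which may be wider than the sink removal that benjamin-button.md records for this change. The predicate's callers are outside the hunk, so that reach should be confirmed before results from this branch are compared with the baseline. If the wider loss is intended, a comment on the set would stop the reduced list from being read as the library's real coverage, for example `// benjamin-button: "graceful-fs" and "fs-extra" deliberately omitted, see benjamin-button.md`. The enclosing `module FS` continues past the hunk.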
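Review bot: `UserControlledTorrentInfo() { none() }` switches off a `RemoteFlowSource`, so the loss applies to every query that starts from remote flow sources rather than to one query's sinks. The benjamin-button.md hunk in this commit lists only sink removals and the `graceful-fs`/`fs-extra` entry; parts of that file outside the hunk may cover it, but the source removal is not recorded in what is visible here. An entry in that file plus a comment above the characteristic predicate, such as `// benjamin-button: source intentionally disabled; original body is in git history`, would tell a reader of results from this branch that torrent metadata is no longer treated as attacker-controlled. `parsedTorrentRef()` may now have no remaining user; its definition is outside the hunk, so that needs a check.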
@@ -608,8 +608,6 @@ module TaintedPath {
 (
 this = fileSystemAccess.getAPathArgument() and
 not exists(fileSystemAccess.getRootPathArgument())
- or
- this = fileSystemAccess.getRootPathArgument()
 ) and
 not this = any(ResolvingPathCall call).getInput()
 }
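Review bot: With `this = fileSystemAccess.getRootPathArgument()` removed, a file system access that has a root path argument produces no sink here at all, because the one remaining disjunct is guarded by `not exists(fileSystemAccess.getRootPathArgument())`. The root argument was the only sink for such calls, so they are now invisible to this sink definition, and the benjamin-button.md text visible in this commit does not mention it. If that is intended, say so next to the guard, e.g. `// benjamin-button: accesses with a root path argument intentionally yield no sink`. The parentheses now wrap a single conjunction and can be dropped. The characteristic predicate this belongs to starts outside the hunk.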