add a path sanitizer to zipslip

2026-04-30 19:26:02 +02:00 · 2020-05-14 08:59:56 +02:00
parent 71e7083dcb
commit b727fa81a0
1 changed files with 14 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ZipSlipCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ZipSlipCustomizations.qll
@@ -121,6 +121,20 @@ module ZipSlip {
    BasenameSanitizer() { this = DataFlow::moduleImport("path").getAMemberCall("basename") }
  }

+  /**
+   * An expression that forces the output path to be in the current working folder.
+   * Recognizes the pattern: `path.join(cwd, path.join('/', orgPath))`.
+   */
+  class PathSanitizer extends Sanitizer, DataFlow::CallNode {
+    PathSanitizer() {
+      this = DataFlow::moduleMember("path", "join").getACall() and
+      exists(DataFlow::CallNode inner | inner = getArgument(1) |
+        inner = DataFlow::moduleMember("path", "join").getACall() and
+        inner.getArgument(0).mayHaveStringValue("/")
+      )
+    }
+  }
+
  /**
   * Gets a string which is sufficient to exclude to make
   * a filepath definitely not refer to parent directories.