Merge pull request #691 from asger-semmle/sendfile-root

JS: Recognize 'root' option in Express res.sendFile
2026-04-28 18:25:24 +02:00 · 2018-12-19 16:06:15 +01:00
parent 495a1fcf3b f9da1dc03e
commit c57f8a6d6e
6 changed files with 29 additions and 2 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected
@@ -87,6 +87,7 @@ nodes
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-sendFile.js:7:16:7:33 | req.param("gimme") |
 | tainted-sendFile.js:9:16:9:33 | req.param("gimme") |
+| tainted-sendFile.js:17:43:17:58 | req.param("dir") |
 | views.js:1:43:1:55 | req.params[0] |
 edges
 | TaintedPath-es6.js:7:7:7:44 | path | TaintedPath-es6.js:10:41:10:44 | path |
@@ -194,4 +195,5 @@ edges
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
 | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | a user-provided value |
 | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | a user-provided value |
+| tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | This path depends on $@. | tainted-sendFile.js:17:43:17:58 | req.param("dir") | a user-provided value |
 | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on $@. | views.js:1:43:1:55 | req.params[0] | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-022/tainted-sendFile.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/tainted-sendFile.js
@@ -7,4 +7,12 @@ app.get('/some/path', function(req, res) {
  res.sendFile(req.param("gimme"));
  // BAD: same as above
  res.sendfile(req.param("gimme"));
+
+  // GOOD: ensures files cannot be accessed outside of root folder
+  res.sendFile(req.param("gimme"), { root: process.cwd() });
+  // GOOD: ensures files cannot be accessed outside of root folder
+  res.sendfile(req.param("gimme"), { root: process.cwd() });
+
+  // BAD: doesn't help if user controls root
+  res.sendFile(req.param("file"), { root: req.param("dir") });
 });