Merge pull request #3065 from erik-krogh/PathSinks

Approved by esbena
2026-04-25 16:55:19 +02:00 · 2020-03-17 13:00:00 +00:00
parent 1472bf0c11 9403026fff
commit ea46873bfe
6 changed files with 251 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/Files.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Files.qll
@@ -4,6 +4,23 @@

 import javascript

+/**
+ * A call that can produce a file name.
+ */
+abstract private class FileNameProducer extends DataFlow::Node {
+  /**
+   * Gets a file name produced by this producer.
+   */
+  abstract DataFlow::Node getAFileName();
+}
+
+/**
+ * A node that contains a file name, and is produced by a `ProducesFileNames`.
+ */
+private class ProducedFileName extends FileNameSource {
+  ProducedFileName() { this = any(FileNameProducer producer).getAFileName() }
+}
+
 /**
 * A file name from the `walk-sync` library.
 */
@@ -106,3 +123,143 @@ private class FastGlobFileNameSource extends FileNameSource {
    )
  }
 }
+
+/**
+ * Classes and predicates for modelling the `fstream` library (https://www.npmjs.com/package/fstream).
+ */
+private module FStream {
+  /**
+   * Gets a reference to a method in the `fstream` library.
+   */
+  private DataFlow::SourceNode getAnFStreamProperty() {
+    exists(DataFlow::SourceNode mod, string readOrWrite, string subMod |
+      mod = DataFlow::moduleImport("fstream") and
+      (readOrWrite = "Reader" or readOrWrite = "Writer") and
+      (subMod = "File" or subMod = "Dir" or subMod = "Link" or subMod = "Proxy")
+    |
+      result = mod.getAPropertyRead(readOrWrite) or
+      result = mod.getAPropertyRead(readOrWrite).getAPropertyRead(subMod) or
+      result = mod.getAPropertyRead(subMod).getAPropertyRead(readOrWrite)
+    )
+  }
+
+  /**
+   * An invocation of a method defined in the `fstream` library.
+   */
+  private class FStream extends FileSystemAccess, DataFlow::InvokeNode {
+    FStream() { this = getAnFStreamProperty().getAnInvocation() }
+
+    override DataFlow::Node getAPathArgument() {
+      result = getOptionArgument(0, "path")
+      or
+      not exists(getOptionArgument(0, "path")) and
+      result = getArgument(0)
+    }
+  }
+}
+
+/**
+ * A call to the library `write-file-atomic`.
+ */
+private class WriteFileAtomic extends FileSystemWriteAccess, DataFlow::CallNode {
+  WriteFileAtomic() {
+    this = DataFlow::moduleImport("write-file-atomic").getACall()
+    or
+    this = DataFlow::moduleMember("write-file-atomic", "sync").getACall()
+  }
+
+  override DataFlow::Node getAPathArgument() { result = getArgument(0) }
+
+  override DataFlow::Node getADataNode() { result = getArgument(1) }
+}
+
+/**
+ * A call to the library `recursive-readdir`.
+ */
+private class RecursiveReadDir extends FileSystemAccess, FileNameProducer, DataFlow::CallNode {
+  RecursiveReadDir() { this = DataFlow::moduleImport("recursive-readdir").getACall() }
+
+  override DataFlow::Node getAPathArgument() { result = getArgument(0) }
+
+  override DataFlow::Node getAFileName() { result = getCallback([1 .. 2]).getParameter(1) }
+}
+
+/**
+ * Classes and predicates for modelling the `jsonfile` library (https://www.npmjs.com/package/jsonfile).
+ */
+private module JSONFile {
+  /**
+   * A reader for JSON files.
+   */
+  class JSONFileReader extends FileSystemReadAccess, DataFlow::CallNode {
+    JSONFileReader() {
+      this =
+        DataFlow::moduleMember("jsonfile", any(string s | s = "readFile" or s = "readFileSync"))
+            .getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() { result = getArgument(0) }
+
+    override DataFlow::Node getADataNode() {
+      this.getCalleeName() = "readFile" and result = getCallback([1 .. 2]).getParameter(1)
+      or
+      this.getCalleeName() = "readFileSync" and result = this
+    }
+  }
+
+  /**
+   * A writer for JSON files.
+   */
+  class JSONFileWriter extends FileSystemWriteAccess, DataFlow::CallNode {
+    JSONFileWriter() {
+      this =
+        DataFlow::moduleMember("jsonfile", any(string s | s = "writeFile" or s = "writeFileSync"))
+            .getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() { result = getArgument(0) }
+
+    override DataFlow::Node getADataNode() { result = getArgument(1) }
+  }
+}
+
+/**
+ * A file system access made by a NodeJS library.
+ * This class models multiple NodeJS libraries that access files.
+ */
+private class LibraryAccess extends FileSystemAccess, DataFlow::InvokeNode {
+  int pathArgument; // The index of the path argument.
+
+  LibraryAccess() {
+    pathArgument = 0 and
+    (
+      this = DataFlow::moduleImport("path-exists").getACall()
+      or
+      this = DataFlow::moduleImport("rimraf").getACall()
+      or
+      this =
+        DataFlow::moduleMember("node-dir",
+          any(string s |
+            s = "readFiles" or
+            s = "readFilesStream" or
+            s = "files" or
+            s = "promiseFiles" or
+            s = "subdirs" or
+            s = "paths"
+          )).getACall()
+    )
+    or
+    pathArgument = 0 and
+    this =
+      DataFlow::moduleMember("vinyl-fs", any(string s | s = "src" or s = "dest" or s = "symlink"))
+          .getACall()
+    or
+    pathArgument = [0 .. 1] and
+    (
+      this = DataFlow::moduleImport("ncp").getACall() or
+      this = DataFlow::moduleMember("ncp", "ncp").getACall()
+    )
+  }
+
+  override DataFlow::Node getAPathArgument() { result = getArgument(pathArgument) }
+}