From 7cef4322e70e10c0c62e9ce933ca9f6db44b6ec1 Mon Sep 17 00:00:00 2001 From: Erik Krogh Kristensen Date: Wed, 29 Jun 2022 22:09:23 +0200 Subject: [PATCH 1/2] add model for chownr --- javascript/externs/nodejs/fs.js | 1 - .../semmle/javascript/frameworks/Files.qll | 12 ++ .../CWE-022/TaintedPath/TaintedPath.expected | 199 ++++++++++++++++++ .../TaintedPath/tainted-access-paths.js | 9 +- 4 files changed, 219 insertions(+), 2 deletions(-) diff --git a/javascript/externs/nodejs/fs.js b/javascript/externs/nodejs/fs.js index a1ce1f83a7e..1afdf83bcd0 100644 --- a/javascript/externs/nodejs/fs.js +++ b/javascript/externs/nodejs/fs.js @@ -1696,4 +1696,3 @@ module.exports.R_OK = fs.R_OK; module.exports.W_OK = fs.W_OK; module.exports.X_OK = fs.X_OK; - diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Files.qll b/javascript/ql/lib/semmle/javascript/frameworks/Files.qll index f03f5ee1458..244c9c502c2 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/Files.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/Files.qll @@ -192,6 +192,18 @@ private class WriteFileAtomic extends FileSystemWriteAccess, DataFlow::CallNode override DataFlow::Node getADataNode() { result = this.getArgument(1) } } +/** + * A call to the library `chownr`. + * The library changes the owner of a file or directory recursively. + */ +private class Chownr extends FileSystemWriteAccess, DataFlow::CallNode { + Chownr() { this = DataFlow::moduleImport("chownr").getACall() } + + override DataFlow::Node getAPathArgument() { result = this.getArgument(0) } + + override DataFlow::Node getADataNode() { none() } +} + /** * A call to the library `recursive-readdir`. */ diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected index e8ca5f0f5ff..887b95b2b96 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected 
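Review bot: The `Chownr()` characteristic predicate in the Files.qll hunk matches only direct calls to the imported function, so the synchronous form `chownr.sync(path, uid, gid)` is a member call and would presumably not be treated as a `js/path-injection` sink. Consider widening it to `this = DataFlow::moduleImport("chownr").getACall() or this = DataFlow::moduleMember("chownr", "sync").getACall()`; argument 0 is the path in both forms. The test hunk in `tainted-access-paths.js` covers only the callback form, so a `chownr.sync(path, "someuid", "somegid"); // NOT OK` line there would pin the extra case. The doc comment could also state that argument 0 is the root of a recursive ownership change, since a tainted value there affects a whole directory tree and not just one file.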
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected 
@@ -3235,6 +3235,92 @@ nodes | tainted-access-paths.js:40:23:40:26 | path | | tainted-access-paths.js:40:23:40:26 | path | | tainted-access-paths.js:40:23:40:26 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:14:48:43 | url.par ... 
).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... 
ry.path | +| tainted-access-paths.js:48:24:48:30 | req.url | +| tainted-access-paths.js:48:24:48:30 | req.url | +| tainted-access-paths.js:48:24:48:30 | req.url | +| tainted-access-paths.js:48:24:48:30 | req.url | +| tainted-access-paths.js:48:24:48:30 | req.url | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:49:10:49:13 | path | | tainted-require.js:7:19:7:37 | req.param("module") | | tainted-require.js:7:19:7:37 | req.param("module") | | tainted-require.js:7:19:7:37 | req.param("module") | 
@@ -8759,6 +8845,118 @@ edges | tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:39:14:39:37 | url.par ... , true) | | tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:39:14:39:37 | url.par ... , true) | | tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:39:14:39:37 | url.par ... , true) | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | 
tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:7:48:48 | path | tainted-access-paths.js:49:10:49:13 | path | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... 
).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:37 | url.par ... , true) | tainted-access-paths.js:48:14:48:43 | url.par ... ).query | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... 
ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:43 | url.par ... ).query | tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... 
ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:14:48:48 | url.par ... ry.path | tainted-access-paths.js:48:7:48:48 | path | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... 
, true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... 
, true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | +| tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:48:14:48:37 | url.par ... , true) | | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | | tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | | tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | 
@@ -10000,6 +10198,7 @@ edges | tainted-access-paths.js:30:23:30:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:30:23:30:30 | obj.sub4 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value | | tainted-access-paths.js:31:23:31:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:31:23:31:30 | obj.sub4 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value | | tainted-access-paths.js:40:23:40:26 | path | tainted-access-paths.js:39:24:39:30 | req.url | tainted-access-paths.js:40:23:40:26 | path | This path depends on $@. | tainted-access-paths.js:39:24:39:30 | req.url | a user-provided value | +| tainted-access-paths.js:49:10:49:13 | path | tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:49:10:49:13 | path | This path depends on $@. | tainted-access-paths.js:48:24:48:30 | req.url | a user-provided value | | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value | | tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | This path depends on $@. | tainted-require.js:12:29:12:47 | req.param("module") | a user-provided value | | tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | This path depends on $@. | tainted-require.js:14:11:14:29 | req.param("module") | a user-provided value | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js index e439628d065..465b5b70b69 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js @@ -40,4 +40,11 @@ var server2 = http.createServer(function(req, res) { nodefs.readFileSync(path); // NOT OK }); -server2.listen(); \ No newline at end of file +server2.listen(); + +const chownr = require("chownr"); + +var server3 = http.createServer(function (req, res) { + let path = url.parse(req.url, true).query.path; + chownr(path, "someuid", "somegid", function (err) {}); // NOT OK +}); From eaec1ac56181722200be70fff1e933766cde4585 Mon Sep 17 00:00:00 2001 From: Erik Krogh Kristensen Date: Thu, 30 Jun 2022 15:11:49 +0200 Subject: [PATCH 2/2] add change-note --- javascript/ql/lib/change-notes/2022-06-30-chownr.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 javascript/ql/lib/change-notes/2022-06-30-chownr.md diff --git a/javascript/ql/lib/change-notes/2022-06-30-chownr.md b/javascript/ql/lib/change-notes/2022-06-30-chownr.md new file mode 100644 index 00000000000..1ad13fb8113 --- /dev/null +++ b/javascript/ql/lib/change-notes/2022-06-30-chownr.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The `chownr` library is now modeled as a sink for the `js/path-injection` query.