From f7f9beeefdd61a3a846af84aab55fc2a202a727c Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen
Date: Mon, 23 Nov 2020 14:23:22 +0100
Subject: [PATCH] avoid reporting empty names in `js/exposure-of-private-files`

---
 javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql | 6 +++++-
 .../Security/CWE-200/PrivateFileExposure.expected | 1 +
 .../query-tests/Security/CWE-200/private-file-exposure.js | 4 +++-
 .../query-tests/Security/CWE-200/subfolder/package.json | 1 +
 .../Security/CWE-200/subfolder/private-file-exposure-2.js | 6 ++++++
 5 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-200/subfolder/package.json
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js

diff --git a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
index 78de0c8cc18..30fbeb4dbe1 100644
--- a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
+++ b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
@@ -80,7 +80,11 @@ Folder getAPackageJSONFolder() { result = any(PackageJSON json).getFile().getPar
 DataFlow::Node getALeakingFolder(string description) {
   exists(ModuleScope ms | result.asExpr() = ms.getVariable("__dirname").getAnAccess()) and
   result.getFile().getParentContainer() = getAPackageJSONFolder() and
-  description = "the folder " + result.getFile().getParentContainer().getRelativePath()
+  (
+    if result.getFile().getParentContainer().getRelativePath().trim() != ""
+    then description = "the folder " + result.getFile().getParentContainer().getRelativePath()
+    else description = "a folder"
+  )
   or
   result = DataFlow::moduleImport("os").getAMemberCall("homedir") and
   description = "the home folder"
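Review bot: The `else description = "a folder"` branch added inside the new `if` is the case the commit title is about, yet the only new expectation (`subfolder/private-file-exposure-2.js:6`) exercises the non-empty path, so the empty-name case has no test and nothing says when it arises; a fixture whose package.json folder is the source root, or a comment such as `// getRelativePath() is empty when the package.json folder is the source root itself, so name it generically`, would make the intent visible (that this is the triggering case is my inference, worth confirming). Separately, `result.getFile().getParentContainer().getRelativePath()` is now evaluated in both the condition and the `then` branch; binding it once keeps the two in sync, e.g. `exists(string path | path = result.getFile().getParentContainer().getRelativePath() | if path.trim() != "" then description = "the folder " + path else description = "a folder")`. getALeakingFolder continues past the end of the hunk, so further `or` branches are not visible here.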
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected b/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected
index 9163f3fda53..ccbb8b8efd7 100644
--- a/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected
@@ -19,3 +19,4 @@
 | private-file-exposure.js:42:1:42:66 | app.use ... dir())) | Serves the home folder, which can contain private information. |
 | private-file-exposure.js:43:1:43:46 | app.use ... )("/")) | Serves the root folder, which can contain private information. |
 | private-file-exposure.js:51:5:51:88 | app.use ... les'))) | Serves the folder "../node_modules", which can contain private information. |
+| subfolder/private-file-exposure-2.js:6:1:6:34 | app.use ... rname)) | Serves the folder query-tests/Security/CWE-200/subfolder, which can contain private information. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js
index 2d8423e89b0..63528fd37ba 100644
--- a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js
@@ -59,4 +59,6 @@ function good() {
     app.use("jquery", express.static('./node_modules/jquery/dist')); // OK
     app.use("bootstrap", express.static('./node_modules/bootstrap/dist')); // OK
-}
\ No newline at end of file
+}
+
+app.use(express.static(__dirname)) // NOT OK
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/subfolder/package.json b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/package.json
new file mode 100644
index 00000000000..9e26dfeeb6e
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/package.json
@@ -0,0 +1 @@
+{}
\ No newline at end of file
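Review bot: The line appended to private-file-exposure.js, `app.use(express.static(__dirname)) // NOT OK`, has no matching row in the PrivateFileExposure.expected hunk, whose rows are ordered by location and would place a `private-file-exposure.js:63` entry between the existing line-51 row and the added subfolder row. Either the `// NOT OK` annotation overstates what the query reports for that folder — plausible if, as the new subfolder/package.json suggests, the CWE-200 test folder itself has no package.json and so never matches getAPackageJSONFolder — or an expected row is missing; the diff alone does not show which. If the former, the marker should say what is actually expected, e.g. `app.use(express.static(__dirname)) // OK - no package.json in this folder`. The enclosing `good()` begins before the hunk.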
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js
new file mode 100644
index 00000000000..ec2e40a7c2b
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js
@@ -0,0 +1,6 @@
+var express = require('express');
+var http = require('http')
+var app = express()
+var server = http.createServer(app)
+// Static files:
+app.use(express.static(__dirname))
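Review bot: Line 6 of the new fixture, `app.use(express.static(__dirname))`, is the statement the added `.expected` row reports, but unlike the sibling fixture it carries no `// NOT OK` marker, so the expected outcome is not readable from the file alone; suggest `app.use(express.static(__dirname)) // NOT OK`. The file also ends the first `require` with a semicolon and omits it on the remaining lines, which mirrors the sibling fixture and is a style nit only. `server` is created but never used or started; that is fine for a static-analysis fixture but a one-line comment saying so would stop readers looking for a missing `listen`.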