avoid reporting empty names in js/exposure-of-private-files

2026-04-28 18:25:24 +02:00 · 2020-11-23 14:23:22 +01:00
parent 02d5fbf46b
commit f7f9beeefd
5 changed files with 16 additions and 2 deletions
--- a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
+++ b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
@@ -80,7 +80,11 @@ Folder getAPackageJSONFolder() { result = any(PackageJSON json).getFile().getPar
 DataFlow::Node getALeakingFolder(string description) {
  exists(ModuleScope ms | result.asExpr() = ms.getVariable("__dirname").getAnAccess()) and
  result.getFile().getParentContainer() = getAPackageJSONFolder() and
-  description = "the folder " + result.getFile().getParentContainer().getRelativePath()
+  (
+    if result.getFile().getParentContainer().getRelativePath().trim() != ""
+    then description = "the folder " + result.getFile().getParentContainer().getRelativePath()
+    else description = "a folder"
+  )
  or
  result = DataFlow::moduleImport("os").getAMemberCall("homedir") and
  description = "the home folder"
--- a/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected
@@ -19,3 +19,4 @@
 | private-file-exposure.js:42:1:42:66 | app.use ... dir())) | Serves the home folder, which can contain private information. |
 | private-file-exposure.js:43:1:43:46 | app.use ... )("/")) | Serves the root folder, which can contain private information. |
 | private-file-exposure.js:51:5:51:88 | app.use ... les'))) | Serves the folder "../node_modules", which can contain private information. |
+| subfolder/private-file-exposure-2.js:6:1:6:34 | app.use ... rname)) | Serves the folder query-tests/Security/CWE-200/subfolder, which can contain private information. |
--- a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js
@@ -59,4 +59,6 @@ function good() {

    app.use("jquery", express.static('./node_modules/jquery/dist')); // OK
    app.use("bootstrap", express.static('./node_modules/bootstrap/dist')); // OK
-}
+}
+
+app.use(express.static(__dirname)) // NOT OK
--- a/javascript/ql/test/query-tests/Security/CWE-200/subfolder/package.json
+++ b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/package.json
@@ -0,0 +1 @@
+{}
--- a/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js
@@ -0,0 +1,6 @@
+var express = require('express');
+var http = require('http')
+var app = express()
+var server = http.createServer(app)
+// Static files:
+app.use(express.static(__dirname))