avoid reporting empty names in js/exposure-of-private-files

2026-01-06 03:00:24 +01:00 · 2020-11-23 14:23:22 +01:00
parent 02d5fbf46b
commit f7f9beeefd
5 changed files with 16 additions and 2 deletions
--- a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
+++ b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
@@ -80,7 +80,11 @@ Folder getAPackageJSONFolder() { result = any(PackageJSON json).getFile().getPar
 DataFlow::Node getALeakingFolder(string description) {
  exists(ModuleScope ms | result.asExpr() = ms.getVariable("__dirname").getAnAccess()) and
  result.getFile().getParentContainer() = getAPackageJSONFolder() and
-  description = "the folder " + result.getFile().getParentContainer().getRelativePath()
+  (
+    if result.getFile().getParentContainer().getRelativePath().trim() != ""
+    then description = "the folder " + result.getFile().getParentContainer().getRelativePath()
+    else description = "a folder"
+  )
  or
  result = DataFlow::moduleImport("os").getAMemberCall("homedir") and
  description = "the home folder"