mirror of
https://github.com/github/codeql.git
synced 2025-12-17 17:23:36 +01:00
31 lines
1013 B
Plaintext
31 lines
1013 B
Plaintext
import javascript
|
|
|
|
class CheckPathSanitizerGuard extends TaintTracking::SanitizerGuardNode, DataFlow::CallNode {
|
|
CheckPathSanitizerGuard() { this.getCalleeName() = "checkPath" }
|
|
|
|
override predicate sanitizes(boolean outcome, Expr e) {
|
|
outcome = true and
|
|
e = getArgument(0).asExpr()
|
|
}
|
|
}
|
|
|
|
class CommandLineFileNameConfiguration extends TaintTracking::Configuration {
|
|
CommandLineFileNameConfiguration() { this = "CommandLineFileNameConfiguration" }
|
|
|
|
override predicate isSource(DataFlow::Node source) {
|
|
DataFlow::globalVarRef("process").getAPropertyRead("argv").getAPropertyRead() = source
|
|
}
|
|
|
|
override predicate isSink(DataFlow::Node sink) {
|
|
DataFlow::moduleMember("fs", "readFile").getACall().getArgument(0) = sink
|
|
}
|
|
|
|
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode nd) {
|
|
nd instanceof CheckPathSanitizerGuard
|
|
}
|
|
}
|
|
|
|
from CommandLineFileNameConfiguration cfg, DataFlow::Node source, DataFlow::Node sink
|
|
where cfg.hasFlow(source, sink)
|
|
select source, sink
|