hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
z80coder/query-pack-release-candidate-2
codeql/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
Erik Krogh Kristensen 14b26f2a68 add mkdirp as a sink for tainted-path
2021-07-14 19:32:22 +02:00

74 lines
2.0 KiB
JavaScript
Raw Permalink Blame History

var http = require("http"),
url = require("url"),
fs = require("fs"),
gracefulFs = require("graceful-fs"),
fsExtra = require("fs-extra"),
originalFs = require("original-fs");
var server = http.createServer(function(req, res) {
var path = url.parse(req.url, true).query.path;
fs.readFileSync(path); // NOT OK
gracefulFs.readFileSync(path); // NOT OK
fsExtra.readFileSync(path); // NOT OK
originalFs.readFileSync(path); // NOT OK
getFsModule(true).readFileSync(path); // NOT OK
getFsModule(false).readFileSync(path); // NOT OK
require("./my-fs-module").require(true).readFileSync(path); // NOT OK
let flexibleModuleName = require(process.versions["electron"]
? "original-fs"
: "fs");
flexibleModuleName.readFileSync(path); // NOT OK
});
function getFsModule(special) {
if (special) {
return require("fs");
} else {
return require("original-fs");
}
}
var util = require("util");
http.createServer(function(req, res) {
var path = url.parse(req.url, true).query.path;
util.promisify(fs.readFileSync)(path); // NOT OK
require("bluebird").promisify(fs.readFileSync)(path); // NOT OK
require("bluebird").promisifyAll(fs).readFileSync(path); // NOT OK
});
const asyncFS = require("./my-async-fs-module");
http.createServer(function(req, res) {
var path = url.parse(req.url, true).query.path;
fs.readFileSync(path); // NOT OK
asyncFS.readFileSync(path); // NOT OK
require("pify")(fs.readFileSync)(path); // NOT OK
require("pify")(fs).readFileSync(path); // NOT OK
require('util.promisify')(fs.readFileSync)(path); // NOT OK
require("thenify")(fs.readFileSync)(path); // NOT OK
const readPkg = require('read-pkg');
var pkg = readPkg.readPackageSync({cwd: path}); // NOT OK
var pkgPromise = readPkg.readPackageAsync({cwd: path}); // NOT OK
});
const mkdirp = require("mkdirp");
http.createServer(function(req, res) {
var path = url.parse(req.url, true).query.path;
fs.readFileSync(path); // NOT OK
mkdirp(path); // NOT OK
mkdirp.sync(path); // NOT OK
});
Reference in New Issue View Git Blame Copy Permalink