hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
66737402c20fc83b3d3a654dcccf4b26c901b100
codeql/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js
Asger F 87518ba60e JS: Update tainted-sendFile.js 
This file was added on main while this branch was in progress. Porting the whole file in one step.
2025-02-28 13:29:25 +01:00

37 lines
1.4 KiB
JavaScript
Raw Blame History

var express = require('express');
let path = require('path');
var app = express();
app.get('/some/path/:x', function(req, res) {
res.sendFile(req.param("gimme")); // $ Alert - sending a file based on un-sanitized query parameters
res.sendfile(req.param("gimme")); // $ Alert - same as above
// OK - ensures files cannot be accessed outside of root folder
res.sendFile(req.param("gimme"), { root: process.cwd() });
// OK - ensures files cannot be accessed outside of root folder
res.sendfile(req.param("gimme"), { root: process.cwd() });
res.sendFile(req.param("file"), { root: req.param("dir") }); // $ Alert - doesn't help if user controls root
let homeDir = path.resolve('.');
res.sendFile(homeDir + '/data/' + req.params.x); // OK - sendFile disallows ../
res.sendfile('data/' + req.params.x); // OK - sendfile disallows ../
res.sendFile(path.resolve('data', req.params.x)); // $ Alert
res.sendfile(path.join('data', req.params.x)); // $ Alert
res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/'
res.download(req.param("gimme")); // $ Alert
res.download(homeDir + '/data/' + req.params.x); // $ Alert
res.download(path.join('data', req.params.x)); // $ Alert
res.download(req.param("file"), { root: req.param("dir") }); // $ Alert
// OK - ensures files cannot be accessed outside of root folder
res.download(req.param("gimme"), { root: process.cwd() });
});
Reference in New Issue View Git Blame Copy Permalink