hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b3eada829a27e3d62d0ce4aa3e615107938cdcb6
codeql/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
Jason Reed 23d37c7167 JS: Unbreak TaintedPath
2019-02-28 15:45:26 -05:00

117 lines
3.5 KiB
JavaScript
Raw Blame History

var fs = require('fs'),
http = require('http'),
url = require('url'),
sanitize = require('sanitize-filename'),
pathModule = require('path')
;
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
// BAD: This could read any file on the file system
res.write(fs.readFileSync(path));
// BAD: This could still read any file on the file system
res.write(fs.readFileSync("/home/user/" + path));
// BAD: Insufficient sanitisation
if (path.startsWith("/home/user/"))
res.write(fs.readFileSync(path));
// BAD: Insufficient sanitisation
if (path.indexOf("secret") == -1)
res.write(fs.readFileSync(path));
// BAD: Insufficient sanitisation
if (fs.existsSync(path))
res.write(fs.readFileSync(path));
// GOOD: Path is compared to white-list
if (path === 'foo.txt')
res.write(fs.readFileSync(path));
// GOOD: Path is compared to white-list
if (path === 'foo.txt' || path === 'bar.txt')
res.write(fs.readFileSync(path));
// BAD: Path is incompletely compared to white-list
if (path === 'foo.txt' || path === 'bar.txt' || someOpaqueCondition())
res.write(fs.readFileSync(path));
// GOOD: Path is sanitized
path = sanitize(path);
res.write(fs.readFileSync(path));
path = url.parse(req.url, true).query.path;
// BAD: taint is preserved
res.write(fs.readFileSync(pathModule.basename(path)));
// BAD: taint is preserved
res.write(fs.readFileSync(pathModule.dirname(path)));
// BAD: taint is preserved
res.write(fs.readFileSync(pathModule.extname(path)));
// BAD: taint is preserved
res.write(fs.readFileSync(pathModule.join(path)));
// BAD: taint is preserved
res.write(fs.readFileSync(pathModule.join(x, y, path, z)));
// BAD: taint is preserved
res.write(fs.readFileSync(pathModule.normalize(path)));
// BAD: taint is preserved
res.write(fs.readFileSync(pathModule.relative(x, path)));
// BAD: taint is preserved
res.write(fs.readFileSync(pathModule.relative(path, x)));
// BAD: taint is preserved
res.write(fs.readFileSync(pathModule.resolve(path)));
// BAD: taint is preserved
res.write(fs.readFileSync(pathModule.resolve(x, y, path, z)));
// BAD: taint is preserved
res.write(fs.readFileSync(pathModule.toNamespacedPath(path)));
});
angular.module('myApp', [])
.directive('myCustomer', function() {
return {
templateUrl: "SAFE" // OK
}
})
.directive('myCustomer', function() {
return {
templateUrl: Cookie.get("unsafe") // NOT OK
}
})
var server = http.createServer(function(req, res) {
// tests for a few uri-libraries
res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // NOT OK
res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // NOT OK
res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // NOT OK
});
(function(){
var express = require('express');
var application = express();
var views_local = (req, res) => res.render(req.params[0]);
application.get('/views/*', views_local);
var views_imported = require("./views");
application.get('/views/*', views_imported);
})();
addEventListener('message', (ev) => {
Cookie.set("unsafe", ev.data);
});
var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;
res.write(fs.readFileSync(fs.realpathSync(path)));
fs.realpath(path,
function(err, realpath){
res.write(fs.readFileSync(realpath));
}
);
});
Reference in New Issue View Git Blame Copy Permalink