JS: Support regexp-based path traversal check

Author: asgerf

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -460,6 +460,24 @@ module TaintedPath {
     }
   }
 
+  /**
+   * An expression of form `x.matches(/\.\./)` or similar.
+   */
+  class ContainsDotDotRegExpSanitizer extends BarrierGuardNode {
+    StringOps::RegExpTest test;
+
+    ContainsDotDotRegExpSanitizer() {
+      this = test and
+      test.getRegExp().getConstantValue() = [".", "..", "../"]
+    }
+
+    override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      e = test.getStringOperand().asExpr() and
+      outcome = test.getPolarity().booleanNot() and
+      label.(Label::PosixPath).canContainDotDotSlash() // can still be bypassed by normalized absolute path
+    }
+  }
+
   /**
    * A sanitizer that recognizes the following pattern:
    * ```

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected

@@ -1,3 +0,0 @@
-| query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js:390 | did not expect an alert, but found an alert for TaintedPath | OK |  |
-| query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js:393 | did not expect an alert, but found an alert for TaintedPath | OK |  |
-| query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js:396 | did not expect an alert, but found an alert for TaintedPath | OK |  |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

@@ -2126,15 +2126,6 @@ nodes
 | normalizedPaths.js:388:19:388:22 | path |
 | normalizedPaths.js:388:19:388:22 | path |
 | normalizedPaths.js:388:19:388:22 | path |
-| normalizedPaths.js:390:21:390:24 | path |
-| normalizedPaths.js:390:21:390:24 | path |
-| normalizedPaths.js:390:21:390:24 | path |
-| normalizedPaths.js:393:21:393:24 | path |
-| normalizedPaths.js:393:21:393:24 | path |
-| normalizedPaths.js:393:21:393:24 | path |
-| normalizedPaths.js:396:21:396:24 | path |
-| normalizedPaths.js:396:21:396:24 | path |
-| normalizedPaths.js:396:21:396:24 | path |
 | normalizedPaths.js:399:21:399:24 | path |
 | normalizedPaths.js:399:21:399:24 | path |
 | normalizedPaths.js:399:21:399:24 | path |
@@ -7024,18 +7015,6 @@ edges
 | normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:388:19:388:22 | path |
 | normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:388:19:388:22 | path |
 | normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:388:19:388:22 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:390:21:390:24 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:390:21:390:24 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:390:21:390:24 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:390:21:390:24 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:393:21:393:24 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:393:21:393:24 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:393:21:393:24 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:393:21:393:24 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:396:21:396:24 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:396:21:396:24 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:396:21:396:24 | path |
-| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:396:21:396:24 | path |
 | normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
 | normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
 | normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
@@ -9719,9 +9698,6 @@ edges
 | normalizedPaths.js:379:19:379:22 | path | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:379:19:379:22 | path | This path depends on $@. | normalizedPaths.js:377:14:377:27 | req.query.path | a user-provided value |
 | normalizedPaths.js:381:19:381:29 | slash(path) | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:381:19:381:29 | slash(path) | This path depends on $@. | normalizedPaths.js:377:14:377:27 | req.query.path | a user-provided value |
 | normalizedPaths.js:388:19:388:22 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:388:19:388:22 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
-| normalizedPaths.js:390:21:390:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:390:21:390:24 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
-| normalizedPaths.js:393:21:393:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:393:21:393:24 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
-| normalizedPaths.js:396:21:396:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:396:21:396:24 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
 | normalizedPaths.js:399:21:399:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:399:21:399:24 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
 | other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
 | other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |