JS: Accept Sources/Sink tags

Author: asgerf

javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js

@@ -1,6 +1,6 @@
 let externalLib = require('external-lib');
 
-let untrusted = window.name;
+let untrusted = window.name; // $ Source
 
 externalLib(untrusted); // $ Alert
 externalLib({x: untrusted}); // $ Alert

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js

@@ -4,7 +4,7 @@ import { parse } from 'url';
 import { join } from 'path';
 
 var server = createServer(function(req, res) {
-  let path = parse(req.url, true).query.path;
+  let path = parse(req.url, true).query.path; // $ Source
 
   res.write(readFileSync(join("public", path))); // $ Alert - This could read any file on the file system
 });

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js

@@ -6,7 +6,7 @@ var fs = require('fs'),
     ;
 
 var server = http.createServer(function(req, res) {
-  let path = url.parse(req.url, true).query.path;
+  let path = url.parse(req.url, true).query.path; // $ Source
 
   res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system
 
@@ -33,7 +33,7 @@ var server = http.createServer(function(req, res) {
   path = sanitize(path);
   res.write(fs.readFileSync(path)); // OK - Path is sanitized
 
-  path = url.parse(req.url, true).query.path;
+  path = url.parse(req.url, true).query.path; // $ Source
   // OK - basename is safe
   res.write(fs.readFileSync(pathModule.basename(path)));
   res.write(fs.readFileSync(pathModule.dirname(path))); // $ Alert - taint is preserved
@@ -70,7 +70,7 @@ var server = http.createServer(function(req, res) {
 })();
 
 var server = http.createServer(function(req, res) {
-	let path = url.parse(req.url, true).query.path;
+	let path = url.parse(req.url, true).query.path; // $ Source
 
 	res.write(fs.readFileSync(fs.realpathSync(path))); // $ Alert
 	fs.realpath(path,
@@ -106,13 +106,13 @@ var server = http.createServer(function(req, res) {
 });
 
 var server = http.createServer(function(req, res) {
-	let path = url.parse(req.url, true).query.path;
+	let path = url.parse(req.url, true).query.path; // $ Source
 
 	require('send')(req, path); // $ Alert
 });
 
 var server = http.createServer(function(req, res) {
-  let path = url.parse(req.url, true).query.path;
+  let path = url.parse(req.url, true).query.path; // $ Source
 
   fs.readFileSync(path); // $ Alert
 
@@ -136,7 +136,7 @@ var server = http.createServer(function(req, res) {
 });
 
 var server = http.createServer(function(req, res) {
-  let path = url.parse(req.url, true).query.path;
+  let path = url.parse(req.url, true).query.path; // $ Source
 
   // Removal of forward-slash or dots.
   res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, '')));
@@ -181,14 +181,14 @@ var server = http.createServer(function(req, res) {
 
 const cp = require("child_process");
 var server = http.createServer(function(req, res) {
-  let path = url.parse(req.url, true).query.path;
+  let path = url.parse(req.url, true).query.path; // $ Source
   cp.execSync("foobar", {cwd: path}); // $ Alert
   cp.execFileSync("foobar", ["args"], {cwd: path}); // $ Alert
   cp.execFileSync("foobar", {cwd: path}); // $ Alert
 });
 
 var server = http.createServer(function(req, res) {
-  let path = url.parse(req.url, true).query.path;
+  let path = url.parse(req.url, true).query.path; // $ Source
 
   // Removal of forward-slash or dots.
   res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), '')));
@@ -197,7 +197,7 @@ var server = http.createServer(function(req, res) {
 });
 
 var server = http.createServer(function(req, res) {
-  let path = url.parse(req.url, true).query.path;
+  let path = url.parse(req.url, true).query.path; // $ Source
 
   res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // $ Alert - can be absolute
 

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js

@@ -5,7 +5,7 @@ const fs = require('fs'),
 const ROOT = "/var/www/";
 
 var server = http.createServer(function(req, res) {
-  let filePath = url.parse(req.url, true).query.path;
+  let filePath = url.parse(req.url, true).query.path; // $ Source
 
   res.write(fs.readFileSync(ROOT + filePath, 'utf8')); // $ Alert - This function uses unsanitized input that can read any file on the file system.
 });

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js

@@ -8,7 +8,7 @@ var fs = require('fs'),
 let app = express();
 
 app.get('/basic', (req, res) => {
-  let path = req.query.path;
+  let path = req.query.path; // $ Source
 
   fs.readFileSync(path); // $ Alert
   fs.readFileSync('./' + path); // $ Alert
@@ -18,7 +18,7 @@ app.get('/basic', (req, res) => {
 });
 
 app.get('/normalize', (req, res) => {
-  let path = pathModule.normalize(req.query.path);
+  let path = pathModule.normalize(req.query.path); // $ Source
 
   fs.readFileSync(path); // $ Alert
   fs.readFileSync('./' + path); // $ Alert
@@ -28,7 +28,7 @@ app.get('/normalize', (req, res) => {
 });
 
 app.get('/normalize-notAbsolute', (req, res) => {
-  let path = pathModule.normalize(req.query.path);
+  let path = pathModule.normalize(req.query.path); // $ Source
 
   if (pathModule.isAbsolute(path))
     return;
@@ -51,7 +51,7 @@ app.get('/normalize-notAbsolute', (req, res) => {
 });
 
 app.get('/normalize-noInitialDotDot', (req, res) => {
-  let path = pathModule.normalize(req.query.path);
+  let path = pathModule.normalize(req.query.path); // $ Source
 
   if (path.startsWith(".."))
     return;
@@ -70,7 +70,7 @@ app.get('/normalize-noInitialDotDot', (req, res) => {
 
 app.get('/prepend-normalize', (req, res) => {
   // Coerce to relative prior to normalization
-  let path = pathModule.normalize('./' + req.query.path);
+  let path = pathModule.normalize('./' + req.query.path); // $ Source
 
   if (!path.startsWith(".."))
     fs.readFileSync(path);
@@ -79,7 +79,7 @@ app.get('/prepend-normalize', (req, res) => {
 });
 
 app.get('/absolute', (req, res) => {
-  let path = req.query.path;
+  let path = req.query.path; // $ Source
 
   if (!pathModule.isAbsolute(path))
     return;
@@ -91,7 +91,7 @@ app.get('/absolute', (req, res) => {
 });
 
 app.get('/normalized-absolute', (req, res) => {
-  let path = pathModule.normalize(req.query.path);
+  let path = pathModule.normalize(req.query.path); // $ Source
 
   if (!pathModule.isAbsolute(path))
     return;
@@ -114,7 +114,7 @@ app.get('/combined-check', (req, res) => {
 });
 
 app.get('/realpath', (req, res) => {
-  let path = fs.realpathSync(req.query.path);
+  let path = fs.realpathSync(req.query.path); // $ Source
 
   fs.readFileSync(path); // $ Alert
   fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert
@@ -127,7 +127,7 @@ app.get('/realpath', (req, res) => {
 });
 
 app.get('/coerce-relative', (req, res) => {
-  let path = pathModule.join('.', req.query.path);
+  let path = pathModule.join('.', req.query.path); // $ Source
 
   if (!path.startsWith('..'))
     fs.readFileSync(path);
@@ -136,7 +136,7 @@ app.get('/coerce-relative', (req, res) => {
 });
 
 app.get('/coerce-absolute', (req, res) => {
-  let path = pathModule.join('/home/user/www', req.query.path);
+  let path = pathModule.join('/home/user/www', req.query.path); // $ Source
 
   if (path.startsWith('/home/user/www'))
     fs.readFileSync(path);
@@ -145,7 +145,7 @@ app.get('/coerce-absolute', (req, res) => {
 });
 
 app.get('/concat-after-normalization', (req, res) => {
-  let path = 'foo/' + pathModule.normalize(req.query.path);
+  let path = 'foo/' + pathModule.normalize(req.query.path); // $ Source
 
   if (!path.startsWith('..'))
     fs.readFileSync(path); // $ Alert - prefixing foo/ invalidates check
@@ -157,7 +157,7 @@ app.get('/concat-after-normalization', (req, res) => {
 });
 
 app.get('/noDotDot', (req, res) => {
-  let path = pathModule.normalize(req.query.path);
+  let path = pathModule.normalize(req.query.path); // $ Source
 
   if (path.includes('..'))
     return;
@@ -171,7 +171,7 @@ app.get('/noDotDot', (req, res) => {
 });
 
 app.get('/join-regression', (req, res) => {
-  let path = req.query.path;
+  let path = req.query.path; // $ Source
 
   // Regression test for a specific corner case:
   // Some guard nodes sanitize both branches, but for a different set of flow labels.
@@ -211,7 +211,7 @@ app.get('/join-regression', (req, res) => {
 });
 
 app.get('/decode-after-normalization', (req, res) => {
-  let path = pathModule.normalize(req.query.path);
+  let path = pathModule.normalize(req.query.path); // $ Source
 
   if (!pathModule.isAbsolute(path) && !path.startsWith('..'))
     fs.readFileSync(path);
@@ -223,7 +223,7 @@ app.get('/decode-after-normalization', (req, res) => {
 });
 
 app.get('/replace', (req, res) => {
-  let path = pathModule.normalize(req.query.path).replace(/%20/g, ' ');
+  let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); // $ Source
   if (!pathModule.isAbsolute(path)) {
     fs.readFileSync(path); // $ Alert
 
@@ -233,7 +233,7 @@ app.get('/replace', (req, res) => {
 });
 
 app.get('/resolve-path', (req, res) => {
-  let path = pathModule.resolve(req.query.path);
+  let path = pathModule.resolve(req.query.path); // $ Source
 
   fs.readFileSync(path); // $ Alert
 
@@ -251,7 +251,7 @@ app.get('/resolve-path', (req, res) => {
 });
 
 app.get('/relative-startswith', (req, res) => {
-  let path = pathModule.resolve(req.query.path);
+  let path = pathModule.resolve(req.query.path); // $ Source
 
   fs.readFileSync(path); // $ Alert
 
@@ -300,7 +300,7 @@ app.get('/relative-startswith', (req, res) => {
 var isPathInside = require("is-path-inside"),
     pathIsInside = require("path-is-inside");
 app.get('/pseudo-normalizations', (req, res) => {
-	let path = req.query.path;
+	let path = req.query.path; // $ Source
 	fs.readFileSync(path); // $ Alert
 	if (isPathInside(path, SAFE)) {
 		fs.readFileSync(path);
@@ -336,7 +336,7 @@ app.get('/pseudo-normalizations', (req, res) => {
 });
 
 app.get('/yet-another-prefix', (req, res) => {
-	let path = pathModule.resolve(req.query.path);
+	let path = pathModule.resolve(req.query.path); // $ Source
 
 	fs.readFileSync(path); // $ Alert
 
@@ -351,7 +351,7 @@ app.get('/yet-another-prefix', (req, res) => {
 
 var rootPath = process.cwd();
 app.get('/yet-another-prefix2', (req, res) => {
-  let path = req.query.path;
+  let path = req.query.path; // $ Source
 
   fs.readFileSync(path); // $ Alert
 
@@ -374,15 +374,15 @@ app.get('/yet-another-prefix2', (req, res) => {
 
 import slash from 'slash';
 app.get('/slash-stuff', (req, res) => {
-  let path = req.query.path;
+  let path = req.query.path; // $ Source
 
   fs.readFileSync(path); // $ Alert
 
   fs.readFileSync(slash(path)); // $ Alert
 });
 
 app.get('/dotdot-regexp', (req, res) => {
-  let path = pathModule.normalize(req.query.x);
+  let path = pathModule.normalize(req.query.x); // $ Source
   if (pathModule.isAbsolute(path))
     return;
   fs.readFileSync(path); // $ Alert
@@ -409,7 +409,7 @@ app.get('/join-spread', (req, res) => {
 });
 
 app.get('/dotdot-matchAll-regexp', (req, res) => {
-  let path = pathModule.normalize(req.query.x);
+  let path = pathModule.normalize(req.query.x); // $ Source
   if (pathModule.isAbsolute(path))
     return;
   fs.readFileSync(path); // $ Alert

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js

@@ -6,7 +6,7 @@ var http = require("http"),
   originalFs = require("original-fs");
 
 var server = http.createServer(function(req, res) {
-  var path = url.parse(req.url, true).query.path;
+  var path = url.parse(req.url, true).query.path; // $ Source
 
   fs.readFileSync(path); // $ Alert
   gracefulFs.readFileSync(path); // $ Alert
@@ -35,7 +35,7 @@ function getFsModule(special) {
 var util = require("util");
 
 http.createServer(function(req, res) {
-  var path = url.parse(req.url, true).query.path;
+  var path = url.parse(req.url, true).query.path; // $ Source
 
   util.promisify(fs.readFileSync)(path); // $ Alert
   require("bluebird").promisify(fs.readFileSync)(path); // $ Alert
@@ -46,7 +46,7 @@ http.createServer(function(req, res) {
 const asyncFS = require("./my-async-fs-module");
 
 http.createServer(function(req, res) {
-  var path = url.parse(req.url, true).query.path;
+  var path = url.parse(req.url, true).query.path; // $ Source
 
   fs.readFileSync(path); // $ Alert
   asyncFS.readFileSync(path); // $ Alert
@@ -65,7 +65,7 @@ http.createServer(function(req, res) {
 
 const mkdirp = require("mkdirp");
 http.createServer(function(req, res) {
-  var path = url.parse(req.url, true).query.path;
+  var path = url.parse(req.url, true).query.path; // $ Source
 
   fs.readFileSync(path); // $ Alert
   mkdirp(path); // $ Alert
@@ -78,7 +78,7 @@ function func(x) {
 
 const fsp = require("fs/promises");
 http.createServer(function(req, res) {
-  var path = url.parse(req.url, true).query.path;
+  var path = url.parse(req.url, true).query.path; // $ Source
 
   fsp.readFile(path); // $ Alert
 });

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js

@@ -3,7 +3,7 @@ const prettier = require("prettier");
 
 const app = express();
 app.get('/some/path', function (req, res) {
-    const { p } = req.params;
+    const { p } = req.params; // $ Source
     prettier.resolveConfig(p).then((options) => { // $ Alert
         const formatted = prettier.format("foo", options);
     });

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js

@@ -2,7 +2,7 @@ const puppeteer = require('puppeteer');
 const parseTorrent = require('parse-torrent');
 
 (async () => {
-    let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data";
+    let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data"; // $ Source
 
     const browser = await puppeteer.launch();
     const page = await browser.newPage();

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js

@@ -10,7 +10,7 @@ function getTree(req, res, options) {
     var workspaceId = req.params.workspaceId;
     var realfileRootPath = workspaceId; // getfileRoot(workspaceId);
     var filePath = workspaceId; // path.join(options.workspaceDir,realfileRootPath, req.params["0"]);
-    withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {});
+    withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {}); // $ Source
 }
 
 function getfileRoot(workspaceId) {