Merge pull request #6993 from asgerf/js/tainted-path-regexp-contains-check

codeql-ci · web-flow · commit 6f80387ac159 · 2021-11-08T01:52:28.000-08:00
Approved by erik-krogh
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -445,17 +445,25 @@ module TaintedPath {
   /**
    * An expression of form `x.includes("..")` or similar.
    */
-  class ContainsDotDotSanitizer extends BarrierGuardNode {
-    StringOps::Includes contains;
+  class ContainsDotDotSanitizer extends BarrierGuardNode instanceof StringOps::Includes {
+    ContainsDotDotSanitizer() { isDotDotSlashPrefix(super.getSubstring()) }
 
-    ContainsDotDotSanitizer() {
-      this = contains and
-      isDotDotSlashPrefix(contains.getSubstring())
+    override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      e = super.getBaseString().asExpr() and
+      outcome = super.getPolarity().booleanNot() and
+      label.(Label::PosixPath).canContainDotDotSlash() // can still be bypassed by normalized absolute path
     }
+  }
+
+  /**
+   * An expression of form `x.matches(/\.\./)` or similar.
+   */
+  class ContainsDotDotRegExpSanitizer extends BarrierGuardNode instanceof StringOps::RegExpTest {
+    ContainsDotDotRegExpSanitizer() { super.getRegExp().getConstantValue() = [".", "..", "../"] }
 
     override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-      e = contains.getBaseString().asExpr() and
-      outcome = contains.getPolarity().booleanNot() and
+      e = super.getStringOperand().asExpr() and
+      outcome = super.getPolarity().booleanNot() and
       label.(Label::PosixPath).canContainDotDotSlash() // can still be bypassed by normalized absolute path
     }
   }
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -2116,6 +2116,19 @@ nodes
 | normalizedPaths.js:381:25:381:28 | path |
 | normalizedPaths.js:381:25:381:28 | path |
 | normalizedPaths.js:381:25:381:28 | path |
+| normalizedPaths.js:385:7:385:46 | path |
+| normalizedPaths.js:385:7:385:46 | path |
+| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
+| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
+| normalizedPaths.js:385:35:385:45 | req.query.x |
+| normalizedPaths.js:385:35:385:45 | req.query.x |
+| normalizedPaths.js:385:35:385:45 | req.query.x |
+| normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:399:21:399:24 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
@@ -6998,6 +7011,20 @@ edges
 | normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
 | normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
 | normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) | normalizedPaths.js:385:7:385:46 | path |
+| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) | normalizedPaths.js:385:7:385:46 | path |
+| normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
+| normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
+| normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
+| normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
@@ -9670,6 +9697,8 @@ edges
 | normalizedPaths.js:363:21:363:31 | requestPath | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:363:21:363:31 | requestPath | This path depends on $@. | normalizedPaths.js:354:14:354:27 | req.query.path | a user-provided value |
 | normalizedPaths.js:379:19:379:22 | path | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:379:19:379:22 | path | This path depends on $@. | normalizedPaths.js:377:14:377:27 | req.query.path | a user-provided value |
 | normalizedPaths.js:381:19:381:29 | slash(path) | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:381:19:381:29 | slash(path) | This path depends on $@. | normalizedPaths.js:377:14:377:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:388:19:388:22 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:388:19:388:22 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
+| normalizedPaths.js:399:21:399:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:399:21:399:24 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
 | other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
 | other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
 | other-fs-libraries.js:13:24:13:27 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:13:24:13:27 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
@@ -379,4 +379,23 @@ app.get('/slash-stuff', (req, res) => {
   fs.readFileSync(path); // NOT OK
 
   fs.readFileSync(slash(path)); // NOT OK
-});
+});
+
+app.get('/dotdot-regexp', (req, res) => {
+  let path = pathModule.normalize(req.query.x);
+  if (pathModule.isAbsolute(path))
+    return;
+  fs.readFileSync(path); // NOT OK
+  if (!path.match(/\./)) {
+    fs.readFileSync(path); // OK
+  }
+  if (!path.match(/\.\./)) {
+    fs.readFileSync(path); // OK
+  }
+  if (!path.match(/\.\.\//)) {
+    fs.readFileSync(path); // OK
+  }
+  if (!path.match(/\.\.\/foo/)) {
+    fs.readFileSync(path); // NOT OK
+  }
+});
