JS: Add test for regexp-based sanitizer

asgerf · asgerf · commit 83edcf515bb4 · 2021-11-02T14:12:04.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
@@ -0,0 +1,3 @@
+| query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js:390 | did not expect an alert, but found an alert for TaintedPath | OK |  |
+| query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js:393 | did not expect an alert, but found an alert for TaintedPath | OK |  |
+| query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js:396 | did not expect an alert, but found an alert for TaintedPath | OK |  |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -2116,6 +2116,28 @@ nodes
 | normalizedPaths.js:381:25:381:28 | path |
 | normalizedPaths.js:381:25:381:28 | path |
 | normalizedPaths.js:381:25:381:28 | path |
+| normalizedPaths.js:385:7:385:46 | path |
+| normalizedPaths.js:385:7:385:46 | path |
+| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
+| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
+| normalizedPaths.js:385:35:385:45 | req.query.x |
+| normalizedPaths.js:385:35:385:45 | req.query.x |
+| normalizedPaths.js:385:35:385:45 | req.query.x |
+| normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:390:21:390:24 | path |
+| normalizedPaths.js:390:21:390:24 | path |
+| normalizedPaths.js:390:21:390:24 | path |
+| normalizedPaths.js:393:21:393:24 | path |
+| normalizedPaths.js:393:21:393:24 | path |
+| normalizedPaths.js:393:21:393:24 | path |
+| normalizedPaths.js:396:21:396:24 | path |
+| normalizedPaths.js:396:21:396:24 | path |
+| normalizedPaths.js:396:21:396:24 | path |
+| normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:399:21:399:24 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
@@ -6998,6 +7020,32 @@ edges
 | normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
 | normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
 | normalizedPaths.js:381:25:381:28 | path | normalizedPaths.js:381:19:381:29 | slash(path) |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:388:19:388:22 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:390:21:390:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:390:21:390:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:390:21:390:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:390:21:390:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:393:21:393:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:393:21:393:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:393:21:393:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:393:21:393:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:396:21:396:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:396:21:396:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:396:21:396:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:396:21:396:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:385:7:385:46 | path | normalizedPaths.js:399:21:399:24 | path |
+| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) | normalizedPaths.js:385:7:385:46 | path |
+| normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) | normalizedPaths.js:385:7:385:46 | path |
+| normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
+| normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
+| normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
+| normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:385:14:385:46 | pathMod ... uery.x) |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
@@ -9670,6 +9718,11 @@ edges
 | normalizedPaths.js:363:21:363:31 | requestPath | normalizedPaths.js:354:14:354:27 | req.query.path | normalizedPaths.js:363:21:363:31 | requestPath | This path depends on $@. | normalizedPaths.js:354:14:354:27 | req.query.path | a user-provided value |
 | normalizedPaths.js:379:19:379:22 | path | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:379:19:379:22 | path | This path depends on $@. | normalizedPaths.js:377:14:377:27 | req.query.path | a user-provided value |
 | normalizedPaths.js:381:19:381:29 | slash(path) | normalizedPaths.js:377:14:377:27 | req.query.path | normalizedPaths.js:381:19:381:29 | slash(path) | This path depends on $@. | normalizedPaths.js:377:14:377:27 | req.query.path | a user-provided value |
+| normalizedPaths.js:388:19:388:22 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:388:19:388:22 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
+| normalizedPaths.js:390:21:390:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:390:21:390:24 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
+| normalizedPaths.js:393:21:393:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:393:21:393:24 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
+| normalizedPaths.js:396:21:396:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:396:21:396:24 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
+| normalizedPaths.js:399:21:399:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:399:21:399:24 | path | This path depends on $@. | normalizedPaths.js:385:35:385:45 | req.query.x | a user-provided value |
 | other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
 | other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
 | other-fs-libraries.js:13:24:13:27 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:13:24:13:27 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
@@ -379,4 +379,23 @@ app.get('/slash-stuff', (req, res) => {
   fs.readFileSync(path); // NOT OK
 
   fs.readFileSync(slash(path)); // NOT OK
-});
+});
+
+app.get('/dotdot-regexp', (req, res) => {
+  let path = pathModule.normalize(req.query.x);
+  if (pathModule.isAbsolute(path))
+    return;
+  fs.readFileSync(path); // NOT OK
+  if (!path.match(/\./)) {
+    fs.readFileSync(path); // OK
+  }
+  if (!path.match(/\.\./)) {
+    fs.readFileSync(path); // OK
+  }
+  if (!path.match(/\.\.\//)) {
+    fs.readFileSync(path); // OK
+  }
+  if (!path.match(/\.\.\/foo/)) {
+    fs.readFileSync(path); // NOT OK
+  }
+});

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+\| query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js:390 \| did not expect an alert, but found an alert for TaintedPath \| OK \| \|`
	`2`	`+\| query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js:393 \| did not expect an alert, but found an alert for TaintedPath \| OK \| \|`
	`3`	`+\| query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js:396 \| did not expect an alert, but found an alert for TaintedPath \| OK \| \|`