Added support for lutimes, opendir, and statfs functions from fs-extra.

Napalys · Napalys · commit e1bf054056d0 · 2025-03-28T08:37:30.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -453,7 +453,10 @@ module NodeJSLib {
     methodName = ["remove", "removeSync", "rmSync", "rm", "rmdir", "rmdirSync"] and i = 0
     or
     methodName =
-      ["outputJSON", "outputJson", "writeJSON", "writeJson", "writeJSONSync", "writeJsonSync"] and
+      [
+        "outputJSON", "outputJson", "writeJSON", "writeJson", "writeJSONSync", "writeJsonSync",
+        "outputJSONSync", "outputJsonSync"
+      ] and
     i = 0
     or
     methodName = ["ensureFile", "ensureFileSync"] and i = 0
@@ -465,6 +468,12 @@ module NodeJSLib {
     methodName = ["emptyDir", "emptyDirSync", "emptydir", "emptydirSync"] and i = 0
     or
     methodName = ["pathExists", "pathExistsSync"] and i = 0
+    or
+    methodName = ["lutimes", "lutimesSync"] and i = 0
+    or
+    methodName =
+      ["opendir", "opendirSync", "openAsBlob", "statfs", "statfsSync", "open", "openSync"] and
+    i = 0
   }
 
   /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -64,6 +64,17 @@
 | more-fs-extra.js:19:25:19:32 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:19:25:19:32 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
 | more-fs-extra.js:20:21:20:28 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:20:21:20:28 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
 | more-fs-extra.js:21:17:21:24 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:21:17:21:24 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
+| more-fs-extra.js:22:16:22:23 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:22:16:22:23 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
+| more-fs-extra.js:23:20:23:27 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:23:20:23:27 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
+| more-fs-extra.js:24:19:24:26 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:24:19:24:26 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
+| more-fs-extra.js:25:15:25:22 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:25:15:25:22 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
+| more-fs-extra.js:26:19:26:26 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:26:19:26:26 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
+| more-fs-extra.js:27:13:27:20 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:27:13:27:20 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
+| more-fs-extra.js:28:17:28:24 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:28:17:28:24 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
+| more-fs-extra.js:29:23:29:30 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:29:23:29:30 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
+| more-fs-extra.js:30:16:30:23 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:30:16:30:23 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
+| more-fs-extra.js:31:20:31:27 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:31:20:31:27 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
+| more-fs-extra.js:32:23:32:30 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:32:23:32:30 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
 | normalizedPaths.js:13:19:13:22 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:19:13:22 | path | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value |
 | normalizedPaths.js:14:19:14:29 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:19:14:29 | './' + path | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value |
 | normalizedPaths.js:15:19:15:38 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | This path depends on a $@. | normalizedPaths.js:11:14:11:27 | req.query.path | user-provided value |
@@ -372,6 +383,17 @@ edges
 | more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:19:25:19:32 | filename | provenance |  |
 | more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:20:21:20:28 | filename | provenance |  |
 | more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:21:17:21:24 | filename | provenance |  |
+| more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:22:16:22:23 | filename | provenance |  |
+| more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:23:20:23:27 | filename | provenance |  |
+| more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:24:19:24:26 | filename | provenance |  |
+| more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:25:15:25:22 | filename | provenance |  |
+| more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:26:19:26:26 | filename | provenance |  |
+| more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:27:13:27:20 | filename | provenance |  |
+| more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:28:17:28:24 | filename | provenance |  |
+| more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:29:23:29:30 | filename | provenance |  |
+| more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:30:16:30:23 | filename | provenance |  |
+| more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:31:20:31:27 | filename | provenance |  |
+| more-fs-extra.js:8:11:8:33 | filename | more-fs-extra.js:32:23:32:30 | filename | provenance |  |
 | more-fs-extra.js:8:13:8:20 | filename | more-fs-extra.js:8:11:8:33 | filename | provenance |  |
 | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:8:11:8:22 | { filename } | provenance |  |
 | normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path | provenance |  |
@@ -870,6 +892,17 @@ nodes
 | more-fs-extra.js:19:25:19:32 | filename | semmle.label | filename |
 | more-fs-extra.js:20:21:20:28 | filename | semmle.label | filename |
 | more-fs-extra.js:21:17:21:24 | filename | semmle.label | filename |
+| more-fs-extra.js:22:16:22:23 | filename | semmle.label | filename |
+| more-fs-extra.js:23:20:23:27 | filename | semmle.label | filename |
+| more-fs-extra.js:24:19:24:26 | filename | semmle.label | filename |
+| more-fs-extra.js:25:15:25:22 | filename | semmle.label | filename |
+| more-fs-extra.js:26:19:26:26 | filename | semmle.label | filename |
+| more-fs-extra.js:27:13:27:20 | filename | semmle.label | filename |
+| more-fs-extra.js:28:17:28:24 | filename | semmle.label | filename |
+| more-fs-extra.js:29:23:29:30 | filename | semmle.label | filename |
+| more-fs-extra.js:30:16:30:23 | filename | semmle.label | filename |
+| more-fs-extra.js:31:20:31:27 | filename | semmle.label | filename |
+| more-fs-extra.js:32:23:32:30 | filename | semmle.label | filename |
 | normalizedPaths.js:11:7:11:27 | path | semmle.label | path |
 | normalizedPaths.js:11:14:11:27 | req.query.path | semmle.label | req.query.path |
 | normalizedPaths.js:13:19:13:22 | path | semmle.label | path |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/more-fs-extra.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/more-fs-extra.js
@@ -19,15 +19,15 @@ app.post('/rmsync', (req, res) => {
     fs.cpSync("source", filename); // $ Alert
     fs.emptydirSync(filename); // $ Alert
     fs.emptydir(filename); // $ Alert
-    fs.opendir(filename); // $ MISSING: Alert
-    fs.opendirSync(filename); // $ MISSING: Alert
-    fs.openAsBlob(filename); // $ MISSING: Alert
-    fs.statfs(filename); // $ MISSING: Alert
-    fs.statfsSync(filename); // $ MISSING: Alert
-    fs.open(filename, 'r'); // $ MISSING: Alert
-    fs.openSync(filename, 'r'); // $ MISSING: Alert
-    fs.outputJSONSync(filename, req.body.data, { spaces: 2 }); // $ MISSING: Alert
-    fs.lutimes(filename, new Date(req.body.atime), new Date(req.body.mtime)); // MISSING: $ Alert
-    fs.lutimesSync(filename, new Date(req.body.atime), new Date(req.body.mtime)); // MISSING: $ Alert
-    fs.outputJsonSync(filename, { timestamp: new Date().toISOString(), action: req.body.action, user: req.body.user}, { spaces: 2 }); // $ MISSING: Alert
+    fs.opendir(filename); // $ Alert
+    fs.opendirSync(filename); // $ Alert
+    fs.openAsBlob(filename); // $ Alert
+    fs.statfs(filename); // $ Alert
+    fs.statfsSync(filename); // $ Alert
+    fs.open(filename, 'r'); // $ Alert
+    fs.openSync(filename, 'r'); // $ Alert
+    fs.outputJSONSync(filename, req.body.data, { spaces: 2 }); // $ Alert
+    fs.lutimes(filename, new Date(req.body.atime), new Date(req.body.mtime)); // $ Alert
+    fs.lutimesSync(filename, new Date(req.body.atime), new Date(req.body.mtime)); // $ Alert
+    fs.outputJsonSync(filename, { timestamp: new Date().toISOString(), action: req.body.action, user: req.body.user}, { spaces: 2 }); // $ Alert
 });
