add the cwd option from read-pkg as sink for path-injection

erik-krogh · erik-krogh · commit 07bc5856db36 · 2021-07-12T23:43:15.000+02:00
diff --git a/javascript/change-notes/2021-07-12-read-pkg.md b/javascript/change-notes/2021-07-12-read-pkg.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The `cwd` option from the `read-pkg` library is recognized as a sink for `js/tainted-path`.
+  Affected packages are
+    [read-pkg](https://npmjs.com/package/read-pkg)
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -682,6 +682,21 @@ module TaintedPath {
     }
   }
 
+  /**
+   * The `cwd` option for the `read-pkg` library.
+   */
+  private class ReadPkgCwdSink extends TaintedPath::Sink {
+    ReadPkgCwdSink() {
+      this =
+        API::moduleImport("read-pkg")
+            .getMember(["readPackageAsync", "readPackageSync"])
+            .getACall()
+            .getParameter(0)
+            .getMember("cwd")
+            .getARhs()
+    }
+  }
+
   /**
    * Holds if there is a step `src -> dst` mapping `srclabel` to `dstlabel` relevant for path traversal vulnerabilities.
    */
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -2339,6 +2339,40 @@ nodes
 | other-fs-libraries.js:59:39:59:42 | path |
 | other-fs-libraries.js:59:39:59:42 | path |
 | other-fs-libraries.js:59:39:59:42 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:63:51:63:54 | path |
 | prettier.js:6:11:6:28 | p |
 | prettier.js:6:11:6:28 | p |
 | prettier.js:6:11:6:28 | p |
@@ -6815,6 +6849,70 @@ edges
 | other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:59:39:59:42 | path |
 | other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:59:39:59:42 | path |
 | other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:59:39:59:42 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:62:43:62:46 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
+| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:63:51:63:54 | path |
 | other-fs-libraries.js:49:14:49:37 | url.par ... , true) | other-fs-libraries.js:49:14:49:43 | url.par ... ).query |
 | other-fs-libraries.js:49:14:49:37 | url.par ... , true) | other-fs-libraries.js:49:14:49:43 | url.par ... ).query |
 | other-fs-libraries.js:49:14:49:37 | url.par ... , true) | other-fs-libraries.js:49:14:49:43 | url.par ... ).query |
@@ -8552,6 +8650,8 @@ edges
 | other-fs-libraries.js:55:36:55:39 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:55:36:55:39 | path | This path depends on $@. | other-fs-libraries.js:49:24:49:30 | req.url | a user-provided value |
 | other-fs-libraries.js:57:46:57:49 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:57:46:57:49 | path | This path depends on $@. | other-fs-libraries.js:49:24:49:30 | req.url | a user-provided value |
 | other-fs-libraries.js:59:39:59:42 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:59:39:59:42 | path | This path depends on $@. | other-fs-libraries.js:49:24:49:30 | req.url | a user-provided value |
+| other-fs-libraries.js:62:43:62:46 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:62:43:62:46 | path | This path depends on $@. | other-fs-libraries.js:49:24:49:30 | req.url | a user-provided value |
+| other-fs-libraries.js:63:51:63:54 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:63:51:63:54 | path | This path depends on $@. | other-fs-libraries.js:49:24:49:30 | req.url | a user-provided value |
 | prettier.js:7:28:7:28 | p | prettier.js:6:13:6:13 | p | prettier.js:7:28:7:28 | p | This path depends on $@. | prettier.js:6:13:6:13 | p | a user-provided value |
 | prettier.js:11:44:11:44 | p | prettier.js:6:13:6:13 | p | prettier.js:11:44:11:44 | p | This path depends on $@. | prettier.js:6:13:6:13 | p | a user-provided value |
 | pupeteer.js:9:28:9:34 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:9:28:9:34 | tainted | This path depends on $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
@@ -57,4 +57,8 @@ http.createServer(function(req, res) {
   require('util.promisify')(fs.readFileSync)(path); // NOT OK
 
   require("thenify")(fs.readFileSync)(path); // NOT OK
+
+  const readPkg = require('read-pkg');
+  var pkg = readPkg.readPackageSync({cwd: path}); // NOT OK
+  var pkgPromise = readPkg.readPackageAsync({cwd: path}); // NOT OK
 });
