
Commit 2f3ea44

committed
add model of the pify library
1 parent f2ca213 commit 2f3ea44

4 files changed

+111
-4
lines changed

Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
lgtm,codescanning
2+
* Support for libraries modeling `promisify` and `promisifyAll` functions have been improved.
3+
Affected packages are
4+
[pify](https://www.npmjs.com/package/pify)

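--- a/javascript/ql/src/semmle/javascript/Promises.qll
+++ b/javascript/ql/src/semmle/javascript/Promises.qll
@@ -672,10 +672,8 @@ module Promisify {
   class PromisifyAllCall extends DataFlow::CallNode {
     PromisifyAllCall() {
       this =
-        [
-          DataFlow::moduleMember("bluebird", "promisifyAll"),
-          DataFlow::moduleImport("util-promisifyall")
-        ].getACall()
+        [DataFlow::moduleMember("bluebird", "promisifyAll"), DataFlow::moduleImport("pify")]
+            .getACall()
     }
   }
 
@@ -686,6 +684,8 @@ module Promisify {
   class PromisifyCall extends DataFlow::CallNode {
     PromisifyCall() {
       this = DataFlow::moduleImport(["util", "bluebird"]).getAMemberCall("promisify")
+      or
+      this = DataFlow::moduleImport("pify").getACall()
     }
   }
 }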
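Review bot: The rewritten array in `PromisifyAllCall` (first hunk) drops `DataFlow::moduleImport("util-promisifyall")` while adding `pify`, so calls through `util-promisifyall` are no longer recognized as promisify-all calls and any taint step that relies on that model is silently lost; the commit title and change note describe only an addition, so the removal looks unintended. Keep both entries: `[DataFlow::moduleMember("bluebird", "promisifyAll"), DataFlow::moduleImport("util-promisifyall"), DataFlow::moduleImport("pify")]`. The `.expected` file in this commit only gains rows, which more likely means `util-promisifyall` has no dedicated test fixture than that nothing was lost — a fixture exercising it would have caught this. Separately, a call `pify(x)` now satisfies both `PromisifyAllCall` and `PromisifyCall` (second hunk); that matches pify's API, but it is worth confirming that consumers of the two classes tolerate one call being in both. The enclosing `module Promisify` begins outside these hunks.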

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

Lines changed: 100 additions & 0 deletions
@@ -2271,6 +2271,40 @@ nodes
22712271
| other-fs-libraries.js:52:24:52:27 | path |
22722272
| other-fs-libraries.js:52:24:52:27 | path |
22732273
| other-fs-libraries.js:52:24:52:27 | path |
2274+
| other-fs-libraries.js:54:36:54:39 | path |
2275+
| other-fs-libraries.js:54:36:54:39 | path |
2276+
| other-fs-libraries.js:54:36:54:39 | path |
2277+
| other-fs-libraries.js:54:36:54:39 | path |
2278+
| other-fs-libraries.js:54:36:54:39 | path |
2279+
| other-fs-libraries.js:54:36:54:39 | path |
2280+
| other-fs-libraries.js:54:36:54:39 | path |
2281+
| other-fs-libraries.js:54:36:54:39 | path |
2282+
| other-fs-libraries.js:54:36:54:39 | path |
2283+
| other-fs-libraries.js:54:36:54:39 | path |
2284+
| other-fs-libraries.js:54:36:54:39 | path |
2285+
| other-fs-libraries.js:54:36:54:39 | path |
2286+
| other-fs-libraries.js:54:36:54:39 | path |
2287+
| other-fs-libraries.js:54:36:54:39 | path |
2288+
| other-fs-libraries.js:54:36:54:39 | path |
2289+
| other-fs-libraries.js:54:36:54:39 | path |
2290+
| other-fs-libraries.js:54:36:54:39 | path |
2291+
| other-fs-libraries.js:55:36:55:39 | path |
2292+
| other-fs-libraries.js:55:36:55:39 | path |
2293+
| other-fs-libraries.js:55:36:55:39 | path |
2294+
| other-fs-libraries.js:55:36:55:39 | path |
2295+
| other-fs-libraries.js:55:36:55:39 | path |
2296+
| other-fs-libraries.js:55:36:55:39 | path |
2297+
| other-fs-libraries.js:55:36:55:39 | path |
2298+
| other-fs-libraries.js:55:36:55:39 | path |
2299+
| other-fs-libraries.js:55:36:55:39 | path |
2300+
| other-fs-libraries.js:55:36:55:39 | path |
2301+
| other-fs-libraries.js:55:36:55:39 | path |
2302+
| other-fs-libraries.js:55:36:55:39 | path |
2303+
| other-fs-libraries.js:55:36:55:39 | path |
2304+
| other-fs-libraries.js:55:36:55:39 | path |
2305+
| other-fs-libraries.js:55:36:55:39 | path |
2306+
| other-fs-libraries.js:55:36:55:39 | path |
2307+
| other-fs-libraries.js:55:36:55:39 | path |
22742308
| prettier.js:6:11:6:28 | p |
22752309
| prettier.js:6:11:6:28 | p |
22762310
| prettier.js:6:11:6:28 | p |
@@ -6619,6 +6653,70 @@ edges
66196653
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:52:24:52:27 | path |
66206654
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:52:24:52:27 | path |
66216655
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:52:24:52:27 | path |
6656+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6657+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6658+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6659+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6660+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6661+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6662+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6663+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6664+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6665+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6666+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6667+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6668+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6669+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6670+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6671+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6672+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6673+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6674+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6675+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6676+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6677+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6678+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6679+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6680+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6681+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6682+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6683+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6684+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6685+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6686+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6687+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:54:36:54:39 | path |
6688+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6689+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6690+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6691+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6692+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6693+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6694+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6695+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6696+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6697+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6698+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6699+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6700+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6701+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6702+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6703+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6704+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6705+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6706+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6707+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6708+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6709+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6710+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6711+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6712+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6713+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6714+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6715+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6716+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6717+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6718+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
6719+
| other-fs-libraries.js:49:7:49:48 | path | other-fs-libraries.js:55:36:55:39 | path |
66226720
| other-fs-libraries.js:49:14:49:37 | url.par ... , true) | other-fs-libraries.js:49:14:49:43 | url.par ... ).query |
66236721
| other-fs-libraries.js:49:14:49:37 | url.par ... , true) | other-fs-libraries.js:49:14:49:43 | url.par ... ).query |
66246722
| other-fs-libraries.js:49:14:49:37 | url.par ... , true) | other-fs-libraries.js:49:14:49:43 | url.par ... ).query |
@@ -8352,6 +8450,8 @@ edges
83528450
| other-fs-libraries.js:42:53:42:56 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:42:53:42:56 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
83538451
| other-fs-libraries.js:51:19:51:22 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:51:19:51:22 | path | This path depends on $@. | other-fs-libraries.js:49:24:49:30 | req.url | a user-provided value |
83548452
| other-fs-libraries.js:52:24:52:27 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:52:24:52:27 | path | This path depends on $@. | other-fs-libraries.js:49:24:49:30 | req.url | a user-provided value |
8453+
| other-fs-libraries.js:54:36:54:39 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:54:36:54:39 | path | This path depends on $@. | other-fs-libraries.js:49:24:49:30 | req.url | a user-provided value |
8454+
| other-fs-libraries.js:55:36:55:39 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:55:36:55:39 | path | This path depends on $@. | other-fs-libraries.js:49:24:49:30 | req.url | a user-provided value |
83558455
| prettier.js:7:28:7:28 | p | prettier.js:6:13:6:13 | p | prettier.js:7:28:7:28 | p | This path depends on $@. | prettier.js:6:13:6:13 | p | a user-provided value |
83568456
| prettier.js:11:44:11:44 | p | prettier.js:6:13:6:13 | p | prettier.js:11:44:11:44 | p | This path depends on $@. | prettier.js:6:13:6:13 | p | a user-provided value |
83578457
| pupeteer.js:9:28:9:34 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:9:28:9:34 | tainted | This path depends on $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | a user-provided value |

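--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
@@ -50,4 +50,7 @@ http.createServer(function(req, res) {
 
   fs.readFileSync(path); // NOT OK
   asyncFS.readFileSync(path); // NOT OK
+
+  require("pify")(fs.readFileSync)(path); // NOT OK
+  require("pify")(fs).readFileSync(path); // NOT OK
 });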
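Review bot: The two new cases promisify `fs.readFileSync`, which is not a callback-style API, so the fixture does not exercise the realistic form the `promisify` model exists for — wrapping a callback function and calling the returned promise-returning function. Adding `require("pify")(fs.readFile)(path); // NOT OK` and `require("pify")(fs).readFile(path); // NOT OK` would confirm the taint step survives the promisified-callback path rather than only the pass-through of a synchronous call; whether the surrounding fixture already models `fs.readFile` as a sink is not visible here. The enclosing `http.createServer(function(req, res) {` callback begins outside the hunk.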
