Merge pull request github#3803 from esbena/js/more-fs-promises

semmle-qlci · web-flow · commit 4b7d60a217a6 · 2020-06-30T12:33:35.000+01:00
Approved by erik-krogh
diff --git a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -459,7 +459,18 @@ module NodeJSLib {
       ) and
       t.start()
       or
-      exists(DataFlow::TypeTracker t2 | result = fsModule(t2).track(t2, t))
+      exists(DataFlow::TypeTracker t2, DataFlow::SourceNode pred | pred = fsModule(t2) |
+        result = pred.track(t2, t)
+        or
+        t.continue() = t2 and
+        exists(DataFlow::CallNode promisifyAllCall |
+          result = promisifyAllCall and
+          pred.flowsTo(promisifyAllCall.getArgument(0)) and
+          promisifyAllCall =
+            [DataFlow::moduleMember("bluebird", "promisifyAll"),
+                DataFlow::moduleImport("util-promisifyall")].getACall()
+        )
+      )
     }
   }
 
@@ -605,7 +616,7 @@ module NodeJSLib {
     result = callback
     or
     exists(DataFlow::CallNode promisify |
-      promisify = DataFlow::moduleMember("util", "promisify").getACall()
+      promisify = DataFlow::moduleMember(["util", "bluebird"], "promisify").getACall()
     |
       result = promisify and promisify.getArgument(0).getALocalSource() = callback
     )
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -2168,6 +2168,40 @@ nodes
 | other-fs-libraries.js:40:35:40:38 | path |
 | other-fs-libraries.js:40:35:40:38 | path |
 | other-fs-libraries.js:40:35:40:38 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:42:53:42:56 | path |
 | tainted-access-paths.js:6:7:6:48 | path |
 | tainted-access-paths.js:6:7:6:48 | path |
 | tainted-access-paths.js:6:7:6:48 | path |
@@ -6090,6 +6124,70 @@ edges
 | other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:40:35:40:38 | path |
 | other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:40:35:40:38 | path |
 | other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:40:35:40:38 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:41:50:41:53 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
+| other-fs-libraries.js:38:7:38:48 | path | other-fs-libraries.js:42:53:42:56 | path |
 | other-fs-libraries.js:38:14:38:37 | url.par ... , true) | other-fs-libraries.js:38:14:38:43 | url.par ... ).query |
 | other-fs-libraries.js:38:14:38:37 | url.par ... , true) | other-fs-libraries.js:38:14:38:43 | url.par ... ).query |
 | other-fs-libraries.js:38:14:38:37 | url.par ... , true) | other-fs-libraries.js:38:14:38:43 | url.par ... ).query |
@@ -7470,6 +7568,8 @@ edges
 | other-fs-libraries.js:19:56:19:59 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:19:56:19:59 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
 | other-fs-libraries.js:24:35:24:38 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:24:35:24:38 | path | This path depends on $@. | other-fs-libraries.js:9:24:9:30 | req.url | a user-provided value |
 | other-fs-libraries.js:40:35:40:38 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:40:35:40:38 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
+| other-fs-libraries.js:41:50:41:53 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:41:50:41:53 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
+| other-fs-libraries.js:42:53:42:56 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:42:53:42:56 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
 | tainted-access-paths.js:8:19:8:22 | path | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:8:19:8:22 | path | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-access-paths.js:12:19:12:25 | obj.sub | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:12:19:12:25 | obj.sub | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-access-paths.js:26:19:26:26 | obj.sub3 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:26:19:26:26 | obj.sub3 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js
@@ -38,4 +38,6 @@ http.createServer(function(req, res) {
   var path = url.parse(req.url, true).query.path;
 
   util.promisify(fs.readFileSync)(path); // NOT OK
-});
+  require("bluebird").promisify(fs.readFileSync)(path); // NOT OK
+  require("bluebird").promisifyAll(fs).readFileSync(path); // NOT OK
+});
