File tree Expand file tree Collapse file tree 2 files changed +109
-283
lines changed
src/semmle/javascript/security/dataflow
test/query-tests/Security/CWE-022/TaintedPath Expand file tree Collapse file tree 2 files changed +109
-283
lines changed Original file line number Diff line number Diff line change @@ -97,23 +97,17 @@ module TaintedPath {
9797 )
9898 )
9999 or
100+ // A `str.split()` call can either split into path elements (`str.split("/")`) or split by some other string.
101+ exists ( StringSplitCall mcn | dst = mcn and mcn .getUnsplit ( ) = src |
102+ if mcn .getSplitAt ( ) = "/"
103+ then
104+ srclabel .( Label:: PosixPath ) .canContainDotDotSlash ( ) and
105+ dstlabel instanceof Label:: SplitPath
106+ else srclabel = dstlabel
107+ )
108+ or
100109 // array method calls of interest
101110 exists ( DataFlow:: MethodCallNode mcn , string name | dst = mcn and mcn .calls ( src , name ) |
102- // A `str.split()` call can either split into path elements (`str.split("/")`) or split by some other string.
103- name = "split" and
104- (
105- if
106- exists ( DataFlow:: Node splitBy | splitBy = mcn .getArgument ( 0 ) |
107- splitBy .mayHaveStringValue ( "/" ) or
108- any ( DataFlow:: RegExpCreationNode reg | reg .getRoot ( ) .getAMatchedString ( ) = "/" )
109- .flowsTo ( splitBy )
110- )
111- then
112- srclabel .( Label:: PosixPath ) .canContainDotDotSlash ( ) and
113- dstlabel instanceof Label:: SplitPath
114- else srclabel = dstlabel
115- )
116- or
117111 (
118112 name = "pop" or
119113 name = "shift"
You can’t perform that action at this time.
0 commit comments