JS: model path-is-inside+is-path-inside for js/path-injection

esbena · esbena · commit 5baba62154e0 · 2020-02-24T23:10:15.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -35,7 +35,8 @@ module TaintedPath {
       guard instanceof StartsWithDotDotSanitizer or
       guard instanceof StartsWithDirSanitizer or
       guard instanceof IsAbsoluteSanitizer or
-      guard instanceof ContainsDotDotSanitizer
+      guard instanceof ContainsDotDotSanitizer or
+      guard instanceof IsInsideCheckSanitizer
     }
 
     override predicate isAdditionalFlowStep(
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -369,6 +369,39 @@ module TaintedPath {
    */
   private class VarAccessBarrier extends Sanitizer, DataFlow::VarAccessBarrier { }
 
+  /**
+   * An expression of form `isInside(x, y)` or similar, where `isInside` is
+   * a library check for the relation between `x` and `y`.
+   */
+  class IsInsideCheckSanitizer extends DataFlow::LabeledBarrierGuardNode {
+    DataFlow::Node checked;
+    boolean onlyNormalizedAbsolutePaths;
+
+    IsInsideCheckSanitizer() {
+      exists(string name, DataFlow::CallNode check |
+        name = "path-is-inside" and onlyNormalizedAbsolutePaths = true
+        or
+        name = "is-path-inside" and onlyNormalizedAbsolutePaths = false
+      |
+        check = DataFlow::moduleImport(name).getACall() and
+        checked = check.getArgument(0) and
+        check = this
+      )
+    }
+
+    override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      (
+        onlyNormalizedAbsolutePaths = true and
+        label.(Label::PosixPath).isNormalized() and
+        label.(Label::PosixPath).isAbsolute()
+        or
+        onlyNormalizedAbsolutePaths = false
+      ) and
+      e = checked.asExpr() and
+      outcome = true
+    }
+  }
+
   /**
    * A source of remote user input, considered as a flow source for
    * tainted-path vulnerabilities.
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
@@ -1,7 +1,4 @@
 | normalizedPaths.js:208:38:208:63 | // OK - ...  anyway | Spurious alert |
-| normalizedPaths.js:259:26:259:30 | // OK | Spurious alert |
-| normalizedPaths.js:275:36:275:40 | // OK | Spurious alert |
-| normalizedPaths.js:282:36:282:40 | // OK | Spurious alert |
 | tainted-string-steps.js:25:43:25:74 | // NOT  ... flagged | Missing alert |
 | tainted-string-steps.js:26:49:26:74 | // OK - ... flagged | Spurious alert |
 | tainted-string-steps.js:28:39:28:70 | // NOT  ... flagged | Missing alert |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -1509,11 +1509,6 @@ nodes
 | normalizedPaths.js:257:18:257:21 | path |
 | normalizedPaths.js:257:18:257:21 | path |
 | normalizedPaths.js:257:18:257:21 | path |
-| normalizedPaths.js:259:19:259:22 | path |
-| normalizedPaths.js:259:19:259:22 | path |
-| normalizedPaths.js:259:19:259:22 | path |
-| normalizedPaths.js:259:19:259:22 | path |
-| normalizedPaths.js:259:19:259:22 | path |
 | normalizedPaths.js:262:19:262:22 | path |
 | normalizedPaths.js:262:19:262:22 | path |
 | normalizedPaths.js:262:19:262:22 | path |
@@ -1523,7 +1518,6 @@ nodes
 | normalizedPaths.js:266:19:266:22 | path |
 | normalizedPaths.js:266:19:266:22 | path |
 | normalizedPaths.js:266:19:266:22 | path |
-| normalizedPaths.js:266:19:266:22 | path |
 | normalizedPaths.js:269:19:269:22 | path |
 | normalizedPaths.js:269:19:269:22 | path |
 | normalizedPaths.js:269:19:269:22 | path |
@@ -1538,18 +1532,10 @@ nodes
 | normalizedPaths.js:273:45:273:48 | path |
 | normalizedPaths.js:273:45:273:48 | path |
 | normalizedPaths.js:273:45:273:48 | path |
-| normalizedPaths.js:275:19:275:32 | normalizedPath |
-| normalizedPaths.js:275:19:275:32 | normalizedPath |
-| normalizedPaths.js:275:19:275:32 | normalizedPath |
-| normalizedPaths.js:275:19:275:32 | normalizedPath |
 | normalizedPaths.js:278:19:278:32 | normalizedPath |
 | normalizedPaths.js:278:19:278:32 | normalizedPath |
 | normalizedPaths.js:278:19:278:32 | normalizedPath |
 | normalizedPaths.js:278:19:278:32 | normalizedPath |
-| normalizedPaths.js:282:19:282:32 | normalizedPath |
-| normalizedPaths.js:282:19:282:32 | normalizedPath |
-| normalizedPaths.js:282:19:282:32 | normalizedPath |
-| normalizedPaths.js:282:19:282:32 | normalizedPath |
 | normalizedPaths.js:285:19:285:32 | normalizedPath |
 | normalizedPaths.js:285:19:285:32 | normalizedPath |
 | normalizedPaths.js:285:19:285:32 | normalizedPath |
@@ -4295,14 +4281,6 @@ edges
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:257:18:257:21 | path |
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:257:18:257:21 | path |
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:257:18:257:21 | path |
-| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
-| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
-| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
-| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
-| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
-| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
-| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
-| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:259:19:259:22 | path |
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:262:19:262:22 | path |
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:262:19:262:22 | path |
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:262:19:262:22 | path |
@@ -4317,8 +4295,6 @@ edges
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:266:19:266:22 | path |
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:266:19:266:22 | path |
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:266:19:266:22 | path |
-| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:266:19:266:22 | path |
-| normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:266:19:266:22 | path |
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:269:19:269:22 | path |
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:269:19:269:22 | path |
 | normalizedPaths.js:256:6:256:26 | path | normalizedPaths.js:269:19:269:22 | path |
@@ -4338,24 +4314,12 @@ edges
 | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:256:6:256:26 | path |
 | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:256:6:256:26 | path |
 | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:256:6:256:26 | path |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:275:19:275:32 | normalizedPath |
 | normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
 | normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
 | normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
 | normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
 | normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
 | normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:278:19:278:32 | normalizedPath |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
-| normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:282:19:282:32 | normalizedPath |
 | normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:285:19:285:32 | normalizedPath |
 | normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:285:19:285:32 | normalizedPath |
 | normalizedPaths.js:273:6:273:49 | normalizedPath | normalizedPaths.js:285:19:285:32 | normalizedPath |
@@ -5237,13 +5201,10 @@ edges
 | normalizedPaths.js:245:21:245:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:245:21:245:24 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
 | normalizedPaths.js:250:21:250:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:250:21:250:24 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
 | normalizedPaths.js:257:18:257:21 | path | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:257:18:257:21 | path | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
-| normalizedPaths.js:259:19:259:22 | path | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:259:19:259:22 | path | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
 | normalizedPaths.js:262:19:262:22 | path | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:262:19:262:22 | path | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
 | normalizedPaths.js:266:19:266:22 | path | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:266:19:266:22 | path | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
 | normalizedPaths.js:269:19:269:22 | path | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:269:19:269:22 | path | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
-| normalizedPaths.js:275:19:275:32 | normalizedPath | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:275:19:275:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
 | normalizedPaths.js:278:19:278:32 | normalizedPath | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:278:19:278:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
-| normalizedPaths.js:282:19:282:32 | normalizedPath | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:282:19:282:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
 | normalizedPaths.js:285:19:285:32 | normalizedPath | normalizedPaths.js:256:13:256:26 | req.query.path | normalizedPaths.js:285:19:285:32 | normalizedPath | This path depends on $@. | normalizedPaths.js:256:13:256:26 | req.query.path | a user-provided value |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value |

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,8 @@ module TaintedPath {`
`35`	`35`	`guard instanceof StartsWithDotDotSanitizer or`
`36`	`36`	`guard instanceof StartsWithDirSanitizer or`
`37`	`37`	`guard instanceof IsAbsoluteSanitizer or`
`38`		`- guard instanceof ContainsDotDotSanitizer`
	`38`	`+ guard instanceof ContainsDotDotSanitizer or`
	`39`	`+ guard instanceof IsInsideCheckSanitizer`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`override predicate isAdditionalFlowStep(`