add fs.open/openSync as ZipSlip sinks

erik-krogh · erik-krogh · commit 6d2bffef72b5 · 2020-05-14T20:31:13.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ZipSlipCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ZipSlipCustomizations.qll
@@ -108,6 +108,13 @@ module ZipSlip {
       // to be a zipslip vulnerability since it may truncate an
       // existing file.
       this = NodeJSLib::Fs::moduleMember("createWriteStream").getACall().getArgument(0)
+      or
+      // Not covered by `FileSystemWriteSink` because a later call
+      // to `fs.write` is required for a write to take place.
+      exists(DataFlow::CallNode call | this = call.getArgument(0) |
+        call = NodeJSLib::Fs::moduleMember(["open", "openSync"]).getACall() and
+        call.getArgument(1).getStringValue().regexpMatch("(?i)w.{0,2}")
+      )
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,13 @@ module ZipSlip {`
`108`	`108`	`// to be a zipslip vulnerability since it may truncate an`
`109`	`109`	`// existing file.`
`110`	`110`	`this = NodeJSLib::Fs::moduleMember("createWriteStream").getACall().getArgument(0)`
	`111`	`+ or`
	`112`	+ // Not covered by `FileSystemWriteSink` because a later call
	`113`	+ // to `fs.write` is required for a write to take place.
	`114`	`+ exists(DataFlow::CallNode call \| this = call.getArgument(0) \|`
	`115`	`+ call = NodeJSLib::Fs::moduleMember(["open", "openSync"]).getACall() and`
	`116`	`+ call.getArgument(1).getStringValue().regexpMatch("(?i)w.{0,2}")`
	`117`	`+ )`
`111`	`118`	`}`
`112`	`119`	`}`
`113`	`120`