Skip to content

Commit 8f5a3e9

Browse files
erik-krogherik-krogh
committed
add support for getASavePath() to js/insecure-download
1 parent dafca8f commit 8f5a3e9

File tree

3 files changed

+21
-3
lines changed

3 files changed

+21
-3
lines changed

javascript/ql/src/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll

Lines changed: 14 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -68,13 +68,21 @@ module InsecureDownload {
6868
override DataFlow::FlowLabel getALabel() {
6969
result instanceof Label::InsecureURL
7070
or
71-
exists(string suffix | suffix = unsafeExtension() |
72-
str.suffix(str.length() - suffix.length() - 1).toLowerCase() = "." + suffix
73-
) and
71+
hasUnsafeExtension(str) and
7472
result instanceof Label::SensitiveInsecureURL
7573
}
7674
}
7775

76+
/**
77+
* Holds if `str` is a string that ends with an unsafe file extension.
78+
*/
79+
bindingset[str]
80+
predicate hasUnsafeExtension(string str) {
81+
exists(string suffix | suffix = unsafeExtension() |
82+
str.suffix(str.length() - suffix.length() - 1).toLowerCase() = "." + suffix
83+
)
84+
}
85+
7886
/**
7987
* Gets a file-extension that can potentially be dangerous.
8088
*
@@ -99,6 +107,9 @@ module InsecureDownload {
99107

100108
override DataFlow::FlowLabel getALabel() {
101109
result instanceof Label::SensitiveInsecureURL // TODO: Also non-sensitive.
110+
or
111+
hasUnsafeExtension(request.getASavePath().getStringValue()) and
112+
result instanceof Label::InsecureURL
102113
}
103114
}
104115
}

javascript/ql/test/query-tests/Security/CWE-829/InsecureDownload.expected

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,9 @@ nodes
1717
| insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
1818
| insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
1919
| insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
20+
| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
21+
| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
22+
| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
2023
edges
2124
| insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:15:18:15:40 | buildTo ... llerUrl |
2225
| insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:15:18:15:40 | buildTo ... llerUrl |
@@ -30,9 +33,11 @@ edges
3033
| insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:36:9:36:45 | url |
3134
| insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:36:9:36:45 | url |
3235
| insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
36+
| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
3337
#select
3438
| insecure-download.js:5:16:5:28 | installer.url | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:5:16:5:28 | installer.url | $@ of sensitive file from $@. | insecure-download.js:5:9:5:44 | nugget( ... => { }) | Download | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | HTTP source |
3539
| insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | $@ of sensitive file from $@. | insecure-download.js:30:5:30:43 | nugget( ... e.APK") | Download | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | HTTP source |
3640
| insecure-download.js:37:23:37:25 | url | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:37:23:37:25 | url | $@ of sensitive file from $@. | insecure-download.js:37:5:37:42 | cp.exec ... () {}) | Download | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | HTTP source |
3741
| insecure-download.js:39:26:39:28 | url | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:39:26:39:28 | url | $@ of sensitive file from $@. | insecure-download.js:39:5:39:46 | cp.exec ... () {}) | Download | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | HTTP source |
3842
| insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | $@ of sensitive file from $@. | insecure-download.js:41:5:41:42 | nugget( ... e.APK") | Download | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | HTTP source |
43+
| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | $@ of sensitive file from $@. | insecure-download.js:46:5:46:71 | nugget( ... => { }) | Download | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | HTTP source |

javascript/ql/test/query-tests/Security/CWE-829/insecure-download.js

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -46,4 +46,6 @@ var writeFileAtomic = require("write-file-atomic");
4646

4747
function test() {
4848
nugget("http://example.org/unsafe", {target: "foo.exe"}, () => { }) // NOT OK
49+
50+
nugget("http://example.org/unsafe", {target: "foo.safe"}, () => { }) // OK
4951
}

0 commit comments

Comments
 (0)