dst can be relative for "../" replace call

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll

@@ -210,7 +210,7 @@ module TaintedPath {
       exists(DotDotSlashPrefixRemovingReplace call |
         src = call.getInput() and
         dst = call.getOutput() and
-        dstlabel.isAbsolute() and // result can be absolute
+        (srclabel.isNonNormalized() or dstlabel.isAbsolute()) and // if src is normalized, then dst must be absolute (if dst is relative, then dst is sanitized)
         dstlabel.toAbsolute() = srclabel.toAbsolute() // preserves normalization status
       )
       or

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

@@ -1294,6 +1294,10 @@ nodes
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
@@ -4639,6 +4643,22 @@ edges
 | TaintedPath.js:201:40:201:43 | path | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
 | TaintedPath.js:201:40:201:43 | path | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
 | TaintedPath.js:201:40:201:43 | path | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:43 | path | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:43 | path | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:43 | path | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:43 | path | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:43 | path | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:43 | path | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:43 | path | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:43 | path | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |