writing out the truth table for DotDotSlashPrefixRemovingReplace

erik-krogh · erik-krogh · commit 9c2053168b28 · 2020-04-03T15:46:47.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -209,9 +209,15 @@ module TaintedPath {
       // foo.replace(/(\.\.\/)*/, "") and similar
       exists(DotDotSlashPrefixRemovingReplace call |
         src = call.getInput() and
-        dst = call.getOutput() and
-        (srclabel.isNonNormalized() or dstlabel.isAbsolute()) and // if src is normalized, then dst must be absolute (if dst is relative, then dst is sanitized)
-        dstlabel.toAbsolute() = srclabel.toAbsolute() // preserves normalization status
+        dst = call.getOutput()
+      |
+        // the 4 possible combinations of normalized + relative for `srclabel`, and the possible values for `dstlabel` in each case.
+        srclabel.isNonNormalized() and srclabel.isRelative() // raw + relative -> any()
+        or
+        srclabel.isNormalized() and srclabel.isAbsolute() and srclabel = dstlabel // normalized + absolute -> normalized + absolute
+        or
+        srclabel.isNonNormalized() and srclabel.isAbsolute() and dstlabel.isAbsolute() // raw + absolute -> raw/normalized + absolute
+        // normalized + relative -> none()
       )
       or
       // path.join()
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -1298,10 +1298,10 @@ nodes
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
@@ -1319,14 +1319,6 @@ nodes
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:202:50:202:53 | path |
 | normalizedPaths.js:11:7:11:27 | path |
 | normalizedPaths.js:11:7:11:27 | path |
 | normalizedPaths.js:11:7:11:27 | path |
@@ -4451,14 +4443,6 @@ edges
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
-| TaintedPath.js:173:7:173:48 | path | TaintedPath.js:202:50:202:53 | path |
 | TaintedPath.js:173:14:173:37 | url.par ... , true) | TaintedPath.js:173:14:173:43 | url.par ... ).query |
 | TaintedPath.js:173:14:173:37 | url.par ... , true) | TaintedPath.js:173:14:173:43 | url.par ... ).query |
 | TaintedPath.js:173:14:173:37 | url.par ... , true) | TaintedPath.js:173:14:173:43 | url.par ... ).query |
@@ -4667,6 +4651,14 @@ edges
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
+| TaintedPath.js:201:40:201:73 | path.re ... +/, '') | TaintedPath.js:201:29:201:73 | "prefix ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
@@ -4675,22 +4667,6 @@ edges
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
 | TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
-| TaintedPath.js:202:29:202:54 | pathMod ... e(path) | TaintedPath.js:202:29:202:84 | pathMod ... +/, '') |
-| TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
-| TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
-| TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
-| TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
-| TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
-| TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
-| TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
-| TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
 | TaintedPath.js:202:50:202:53 | path | TaintedPath.js:202:29:202:54 | pathMod ... e(path) |
