add support for path.normalize(path.realtive(...))

erik-krogh · erik-krogh · commit a6d644bac09f · 2020-02-14T13:10:35.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -367,7 +367,16 @@ module TaintedPath {
     RelativePathContainsDotDotGuard() {
       this = startsWith and
       relativeCall = DataFlow::moduleImport("path").getAMemberCall("relative") and
-      startsWith.getBaseString().getALocalSource() = relativeCall and
+      (
+        startsWith.getBaseString().getALocalSource() = relativeCall
+        or
+        startsWith
+            .getBaseString()
+            .getALocalSource()
+            .(NormalizingPathCall)
+            .getInput()
+            .getALocalSource() = relativeCall
+      ) and
       exists(DataFlow::Node subString, string prefix |
         subString = startsWith.getSubstring() and
         (prefix = ".." or prefix = "../")
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -1316,6 +1316,23 @@ nodes
 | normalizedPaths.js:278:21:278:27 | newpath |
 | normalizedPaths.js:278:21:278:27 | newpath |
 | normalizedPaths.js:278:21:278:27 | newpath |
+| normalizedPaths.js:283:7:283:42 | newpath |
+| normalizedPaths.js:283:7:283:42 | newpath |
+| normalizedPaths.js:283:7:283:42 | newpath |
+| normalizedPaths.js:283:7:283:42 | newpath |
+| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) |
+| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) |
+| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) |
+| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) |
+| normalizedPaths.js:283:38:283:41 | path |
+| normalizedPaths.js:283:38:283:41 | path |
+| normalizedPaths.js:283:38:283:41 | path |
+| normalizedPaths.js:283:38:283:41 | path |
+| normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:286:21:286:27 | newpath |
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
@@ -3711,6 +3728,10 @@ edges
 | normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:275:38:275:41 | path |
 | normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:275:38:275:41 | path |
 | normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:275:38:275:41 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:283:38:283:41 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:283:38:283:41 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:283:38:283:41 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:283:38:283:41 | path |
 | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | normalizedPaths.js:254:7:254:47 | path |
 | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | normalizedPaths.js:254:7:254:47 | path |
 | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | normalizedPaths.js:254:7:254:47 | path |
@@ -3755,6 +3776,22 @@ edges
 | normalizedPaths.js:275:38:275:41 | path | normalizedPaths.js:275:17:275:42 | pathMod ... e(path) |
 | normalizedPaths.js:275:38:275:41 | path | normalizedPaths.js:275:17:275:42 | pathMod ... e(path) |
 | normalizedPaths.js:275:38:275:41 | path | normalizedPaths.js:275:17:275:42 | pathMod ... e(path) |
+| normalizedPaths.js:283:7:283:42 | newpath | normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:283:7:283:42 | newpath | normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:283:7:283:42 | newpath | normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:283:7:283:42 | newpath | normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:283:7:283:42 | newpath | normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:283:7:283:42 | newpath | normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:283:7:283:42 | newpath | normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:283:7:283:42 | newpath | normalizedPaths.js:286:21:286:27 | newpath |
+| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) | normalizedPaths.js:283:7:283:42 | newpath |
+| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) | normalizedPaths.js:283:7:283:42 | newpath |
+| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) | normalizedPaths.js:283:7:283:42 | newpath |
+| normalizedPaths.js:283:17:283:42 | pathMod ... e(path) | normalizedPaths.js:283:7:283:42 | newpath |
+| normalizedPaths.js:283:38:283:41 | path | normalizedPaths.js:283:17:283:42 | pathMod ... e(path) |
+| normalizedPaths.js:283:38:283:41 | path | normalizedPaths.js:283:17:283:42 | pathMod ... e(path) |
+| normalizedPaths.js:283:38:283:41 | path | normalizedPaths.js:283:17:283:42 | pathMod ... e(path) |
+| normalizedPaths.js:283:38:283:41 | path | normalizedPaths.js:283:17:283:42 | pathMod ... e(path) |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") |
@@ -4540,6 +4577,7 @@ edges
 | normalizedPaths.js:262:21:262:24 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:262:21:262:24 | path | This path depends on $@. | normalizedPaths.js:254:33:254:46 | req.query.path | a user-provided value |
 | normalizedPaths.js:270:21:270:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:270:21:270:27 | newpath | This path depends on $@. | normalizedPaths.js:254:33:254:46 | req.query.path | a user-provided value |
 | normalizedPaths.js:278:21:278:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:278:21:278:27 | newpath | This path depends on $@. | normalizedPaths.js:254:33:254:46 | req.query.path | a user-provided value |
+| normalizedPaths.js:286:21:286:27 | newpath | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:286:21:286:27 | newpath | This path depends on $@. | normalizedPaths.js:254:33:254:46 | req.query.path | a user-provided value |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
@@ -279,4 +279,12 @@ app.get('/relative-startswith', (req, res) => {
   } else {
     fs.readFileSync(newpath); // OK! 
   }
+
+  let newpath = pathModule.normalize(path);
+  var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath);
+  if (pathModule.normalize(relativePath).indexOf('../') === 0) {
+    fs.readFileSync(newpath); // NOT OK!
+  } else {
+    fs.readFileSync(newpath); // OK! 
+  }
 });
