don't treated a property from a tainted object as tainted when there exists a dominating write

erik-krogh · erik-krogh · commit 2b2d691e450b · 2020-06-25T23:00:52.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -260,7 +260,8 @@ module TaintTracking {
     not any(PromiseAllCreation call).getArrayNode() = succ
     or
     // reading from a tainted object yields a tainted result
-    succ.(DataFlow::PropRead).getBase() = pred
+    succ.(DataFlow::PropRead).getBase() = pred and
+    not AccessPath::DominatingPaths::hasDominatingWrite(succ)
     or
     // iterating over a tainted iterator taints the loop variable
     exists(ForOfStmt fos |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
@@ -161,9 +161,6 @@ nodes
 | lib/lib.js:268:22:268:24 | obj |
 | lib/lib.js:268:22:268:32 | obj.version |
 | lib/lib.js:268:22:268:32 | obj.version |
-| lib/lib.js:272:22:272:24 | obj |
-| lib/lib.js:272:22:272:32 | obj.version |
-| lib/lib.js:272:22:272:32 | obj.version |
 | lib/lib.js:276:8:276:11 | opts |
 | lib/lib.js:276:8:276:11 | opts |
 | lib/lib.js:277:23:277:26 | opts |
@@ -373,12 +370,8 @@ edges
 | lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
 | lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:24 | obj |
 | lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:24 | obj |
-| lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:24 | obj |
-| lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:24 | obj |
 | lib/lib.js:268:22:268:24 | obj | lib/lib.js:268:22:268:32 | obj.version |
 | lib/lib.js:268:22:268:24 | obj | lib/lib.js:268:22:268:32 | obj.version |
-| lib/lib.js:272:22:272:24 | obj | lib/lib.js:272:22:272:32 | obj.version |
-| lib/lib.js:272:22:272:24 | obj | lib/lib.js:272:22:272:32 | obj.version |
 | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
 | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
 | lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
@@ -444,7 +437,6 @@ edges
 | lib/lib.js:258:10:258:25 | "rm -rf " + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:258:10:258:25 | "rm -rf " + name | String concatenation | lib/lib.js:258:2:258:26 | cp.exec ... + name) | shell command |
 | lib/lib.js:261:11:261:33 | "rm -rf ...  + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name | $@ based on libary input is later used in $@. | lib/lib.js:261:11:261:33 | "rm -rf ...  + name | String concatenation | lib/lib.js:261:3:261:34 | cp.exec ... + name) | shell command |
 | lib/lib.js:268:10:268:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:268:10:268:32 | "rm -rf ... version | String concatenation | lib/lib.js:268:2:268:33 | cp.exec ... ersion) | shell command |
-| lib/lib.js:272:10:272:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:272:10:272:32 | "rm -rf ... version | String concatenation | lib/lib.js:272:2:272:33 | cp.exec ... ersion) | shell command |
 | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:30 | opts.bla | $@ based on libary input is later used in $@. | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | String concatenation | lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) | shell command |
 | lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:308:11:308:26 | "rm -rf " + name | String concatenation | lib/lib.js:308:3:308:27 | cp.exec ... + name) | shell command |
 | lib/lib.js:315:10:315:25 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:315:10:315:25 | "rm -rf " + name | String concatenation | lib/lib.js:315:2:315:26 | cp.exec ... + name) | shell command |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -269,7 +269,7 @@ module.exports.sanitizerProperty = function (obj) {
 
 	obj.version = "";
 
-	cp.exec("rm -rf " + obj.version); // OK - but FP
+	cp.exec("rm -rf " + obj.version); // OK
 }
 
 module.exports.Foo = class Foo {

Original file line number	Diff line number	Diff line change
`@@ -269,7 +269,7 @@ module.exports.sanitizerProperty = function (obj) {`
`269`	`269`
`270`	`270`	`obj.version = "";`
`271`	`271`
`272`		`- cp.exec("rm -rf " + obj.version); // OK - but FP`
	`272`	`+ cp.exec("rm -rf " + obj.version); // OK`
`273`	`273`	`}`
`274`	`274`
`275`	`275`	`module.exports.Foo = class Foo {`