Added tests forIncompleteHostnameRegExp and normalizedPaths using matchAll

Napalys · Napalys · commit b239bfabf189 · 2024-11-05T09:22:26.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected
@@ -25,3 +25,4 @@
 | tst-IncompleteHostnameRegExp.js:53:14:53:35 | test.example.com$ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:53:13:53:36 | 'test.' ... e.com$' | here |
 | tst-IncompleteHostnameRegExp.js:55:14:55:38 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:55:13:55:39 | '^http: ... le.com' | here |
 | tst-IncompleteHostnameRegExp.js:59:5:59:20 | foo.example\\.com | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:59:2:59:32 | /^(foo. ... ever)$/ | here |
+| tst-IncompleteHostnameRegExp.js:61:18:61:41 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:61:17:61:42 | "^http: ... le.com" | here |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js
@@ -57,4 +57,6 @@
 	/^http:\/\/(..|...)\.example\.com\/index\.html/; // OK, wildcards are intentional
 	/^http:\/\/.\.example\.com\/index\.html/; // OK, the wildcard is intentional
 	/^(foo.example\.com|whatever)$/; // kinda OK - one disjunction doesn't even look like a hostname
+
+	if (s.matchAll("^http://test.example.com")) {} // NOT OK
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -2237,6 +2237,19 @@ nodes
 | normalizedPaths.js:408:38:408:59 | req.que ... it('/') |
 | normalizedPaths.js:408:38:408:59 | req.que ... it('/') |
 | normalizedPaths.js:408:38:408:59 | req.que ... it('/') |
+| normalizedPaths.js:412:7:412:46 | path |
+| normalizedPaths.js:412:7:412:46 | path |
+| normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) |
+| normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) |
+| normalizedPaths.js:412:35:412:45 | req.query.x |
+| normalizedPaths.js:412:35:412:45 | req.query.x |
+| normalizedPaths.js:412:35:412:45 | req.query.x |
+| normalizedPaths.js:415:19:415:22 | path |
+| normalizedPaths.js:415:19:415:22 | path |
+| normalizedPaths.js:415:19:415:22 | path |
+| normalizedPaths.js:426:21:426:24 | path |
+| normalizedPaths.js:426:21:426:24 | path |
+| normalizedPaths.js:426:21:426:24 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
 | other-fs-libraries.js:9:7:9:48 | path |
@@ -7524,6 +7537,20 @@ edges
 | normalizedPaths.js:408:38:408:59 | req.que ... it('/') | normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) |
 | normalizedPaths.js:408:38:408:59 | req.que ... it('/') | normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) |
 | normalizedPaths.js:408:38:408:59 | req.que ... it('/') | normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) |
+| normalizedPaths.js:412:7:412:46 | path | normalizedPaths.js:415:19:415:22 | path |
+| normalizedPaths.js:412:7:412:46 | path | normalizedPaths.js:415:19:415:22 | path |
+| normalizedPaths.js:412:7:412:46 | path | normalizedPaths.js:415:19:415:22 | path |
+| normalizedPaths.js:412:7:412:46 | path | normalizedPaths.js:415:19:415:22 | path |
+| normalizedPaths.js:412:7:412:46 | path | normalizedPaths.js:426:21:426:24 | path |
+| normalizedPaths.js:412:7:412:46 | path | normalizedPaths.js:426:21:426:24 | path |
+| normalizedPaths.js:412:7:412:46 | path | normalizedPaths.js:426:21:426:24 | path |
+| normalizedPaths.js:412:7:412:46 | path | normalizedPaths.js:426:21:426:24 | path |
+| normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) | normalizedPaths.js:412:7:412:46 | path |
+| normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) | normalizedPaths.js:412:7:412:46 | path |
+| normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) |
+| normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) |
+| normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) |
+| normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:412:14:412:46 | pathMod ... uery.x) |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
 | other-fs-libraries.js:9:7:9:48 | path | other-fs-libraries.js:11:19:11:22 | path |
@@ -10539,6 +10566,8 @@ edges
 | normalizedPaths.js:399:21:399:24 | path | normalizedPaths.js:385:35:385:45 | req.query.x | normalizedPaths.js:399:21:399:24 | path | This path depends on a $@. | normalizedPaths.js:385:35:385:45 | req.query.x | user-provided value |
 | normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | normalizedPaths.js:407:45:407:55 | req.query.x | normalizedPaths.js:407:19:407:67 | pathMod ... t('/')) | This path depends on a $@. | normalizedPaths.js:407:45:407:55 | req.query.x | user-provided value |
 | normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | normalizedPaths.js:408:38:408:48 | req.query.x | normalizedPaths.js:408:19:408:60 | pathMod ... t('/')) | This path depends on a $@. | normalizedPaths.js:408:38:408:48 | req.query.x | user-provided value |
+| normalizedPaths.js:415:19:415:22 | path | normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:415:19:415:22 | path | This path depends on a $@. | normalizedPaths.js:412:35:412:45 | req.query.x | user-provided value |
+| normalizedPaths.js:426:21:426:24 | path | normalizedPaths.js:412:35:412:45 | req.query.x | normalizedPaths.js:426:21:426:24 | path | This path depends on a $@. | normalizedPaths.js:412:35:412:45 | req.query.x | user-provided value |
 | other-fs-libraries.js:11:19:11:22 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:11:19:11:22 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value |
 | other-fs-libraries.js:12:27:12:30 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:12:27:12:30 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value |
 | other-fs-libraries.js:13:24:13:27 | path | other-fs-libraries.js:9:24:9:30 | req.url | other-fs-libraries.js:13:24:13:27 | path | This path depends on a $@. | other-fs-libraries.js:9:24:9:30 | req.url | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
@@ -407,3 +407,25 @@ app.get('/join-spread', (req, res) => {
   fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // NOT OK
   fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // NOT OK
 });
+
+app.get('/dotdot-matchAll-regexp', (req, res) => {
+  let path = pathModule.normalize(req.query.x);
+  if (pathModule.isAbsolute(path))
+    return;
+  fs.readFileSync(path); // NOT OK
+  if (!path.matchAll(/\./)) {
+    fs.readFileSync(path); // OK
+  }
+  if (!path.matchAll(/\.\./)) {
+    fs.readFileSync(path); // OK
+  }
+  if (!path.matchAll(/\.\.\//)) {
+    fs.readFileSync(path); // OK
+  }
+  if (!path.matchAll(/\.\.\/foo/)) {
+    fs.readFileSync(path); // NOT OK
+  }
+  if (!path.matchAll(/(\.\.\/|\.\.\\)/)) {
+    fs.readFileSync(path); // OK
+  }
+});
