JS: Allow path.basename sanitization in zipslip.

jcreedcmu · jcreedcmu · commit 0a91d919b093 · 2019-03-06T09:46:41.000Z
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ZipSlip.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ZipSlip.qll
@@ -15,6 +15,11 @@ module ZipSlip {
    */
   abstract class Sink extends DataFlow::Node { }
 
+  /**
+   * A sanitizer for unsafe zip extraction.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
   /**
    * A sanitizer guard for unsafe zip extraction.
    */
@@ -28,6 +33,8 @@ module ZipSlip {
 
     override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
+    override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
+
     override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode nd) {
       nd instanceof SanitizerGuard
     }
@@ -90,6 +97,13 @@ module ZipSlip {
     FileSystemWriteSink() { exists(FileSystemWriteAccess fsw | fsw.getAPathArgument() = this) }
   }
 
+  /** An expression that sanitizes by calling path.basename */
+  class BasenameSanitizer extends Sanitizer {
+    BasenameSanitizer() {
+      this = DataFlow::moduleImport("path").getAMemberCall("basename")
+    }
+  }
+
   /**
    * Gets a string which is sufficient to exclude to make
    * a filepath definitely not refer to parent directories.
