


JS: Port ZipSlip
1 parent e9189f9 commit 7a1aead

3 files changed

Lines changed: 61 additions & 117 deletions


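--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll
@@ -20,7 +20,39 @@ private class ConcreteSplitPath extends TaintedPath::Label::SplitPath {
 }
 
 /** A taint tracking configuration for unsafe archive extraction. */
-class Configuration extends DataFlow::Configuration {
+module ZipSlipConfig implements DataFlow::StateConfigSig {
+class FlowState = DataFlow::FlowLabel;
+
+predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+label = source.(Source).getAFlowLabel()
+}
+
+predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+label = sink.(Sink).getAFlowLabel()
+}
+
+predicate isBarrier(DataFlow::Node node) {
+node instanceof TaintedPath::Sanitizer or
+node = DataFlow::MakeBarrierGuard<TaintedPath::BarrierGuard>::getABarrierNode()
+}
+
+predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
+node = DataFlow::MakeLabeledBarrierGuard<TaintedPath::BarrierGuard>::getABarrierNode(label)
+}
+
+predicate isAdditionalFlowStep(
+DataFlow::Node node1, DataFlow::FlowLabel state1, DataFlow::Node node2,
+DataFlow::FlowLabel state2
+) {
+TaintedPath::isAdditionalTaintedPathFlowStep(node1, node2, state1, state2)
+}
+}
+
+/** A taint tracking configuration for unsafe archive extraction. */
+module ZipSlipFlow = DataFlow::GlobalWithState<ZipSlipConfig>;
+
+/** A taint tracking configuration for unsafe archive extraction. */
+deprecated class Configuration extends DataFlow::Configuration {
 Configuration() { this = "ZipSlip" }
 
 override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
@@ -44,6 +76,6 @@ class Configuration extends DataFlow::Configuration {
 DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
 DataFlow::FlowLabel dstlabel
 ) {
-TaintedPath::isAdditionalTaintedPathFlowStep(src, dst, srclabel, dstlabel)
+ZipSlipConfig::isAdditionalFlowStep(src, srclabel, dst, dstlabel)
 }
 }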
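Review bot: The doc comments on `ZipSlipConfig` (new line 22), `ZipSlipFlow` (new line 51) and the deprecated `Configuration` class (new line 54) are word-for-word identical, so the legacy class no longer tells a reader it has been superseded; change its comment to `/** DEPRECATED: use ZipSlipFlow instead. A taint tracking configuration for unsafe archive extraction. */` and describe `ZipSlipConfig` as the state configuration that `ZipSlipFlow` is instantiated from. The deprecated class now delegates only `isAdditionalFlowStep` to `ZipSlipConfig` (new line 79) while keeping its own `isSource` override (new line 58) and, presumably, its own sink and sanitizer overrides in the lines between the two hunks; delegating those to `ZipSlipConfig::isSource`, `isSink` and `isBarrier` as well would keep the deprecated and new query paths from diverging on which archive-entry sources and sanitizers they recognize. The body of `Configuration` runs between the two hunks and is only partly visible here.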

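--- a/javascript/ql/src/Security/CWE-022/ZipSlip.ql
+++ b/javascript/ql/src/Security/CWE-022/ZipSlip.ql
@@ -14,10 +14,10 @@
 
 import javascript
 import semmle.javascript.security.dataflow.ZipSlipQuery
-import DataFlow::PathGraph
+import DataFlow::DeduplicatePathGraph<ZipSlipFlow::PathNode, ZipSlipFlow::PathGraph>
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from PathNode source, PathNode sink
+where ZipSlipFlow::flowPath(source.getAnOriginalPathNode(), sink.getAnOriginalPathNode())
 select source.getNode(), source, sink,
 "Unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
 "file system operation"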
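Review bot: `from PathNode source, PathNode sink` at new line 19 relies on the unqualified `PathNode` exported by the `DeduplicatePathGraph` import at line 17, which is a deduplicated wrapper and not the `DataFlow::PathNode` the removed version used, so a reader can easily assume `ZipSlipFlow::flowPath` is being called on the wrong type; a one-line comment above the `from` clause would save that lookup, e.g. `// PathNode/PathGraph come from DeduplicatePathGraph; getAnOriginalPathNode() maps back to the ZipSlipFlow nodes flowPath expects`. The query metadata at lines 1-13 is outside this hunk, so whether the `@kind` annotation still matches the imported `PathGraph` cannot be confirmed from here.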

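--- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected
@@ -1,130 +1,42 @@
 nodes
-| AdmZipBad.js:6:24:6:41 | zipEntry.entryName |
-| AdmZipBad.js:6:24:6:41 | zipEntry.entryName |
-| AdmZipBad.js:6:24:6:41 | zipEntry.entryName |
-| AdmZipBad.js:6:24:6:41 | zipEntry.entryName |
-| TarSlipBad.js:6:36:6:46 | header.name |
-| TarSlipBad.js:6:36:6:46 | header.name |
-| TarSlipBad.js:6:36:6:46 | header.name |
-| TarSlipBad.js:6:36:6:46 | header.name |
-| TarSlipBad.js:9:17:9:31 | header.linkname |
-| TarSlipBad.js:9:17:9:31 | header.linkname |
-| TarSlipBad.js:9:17:9:31 | header.linkname |
-| TarSlipBad.js:9:17:9:31 | header.linkname |
-| ZipSlipBad2.js:5:9:5:46 | fileName |
-| ZipSlipBad2.js:5:9:5:46 | fileName |
-| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
-| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
-| ZipSlipBad2.js:5:37:5:46 | entry.path |
-| ZipSlipBad2.js:5:37:5:46 | entry.path |
-| ZipSlipBad2.js:5:37:5:46 | entry.path |
-| ZipSlipBad2.js:6:22:6:29 | fileName |
-| ZipSlipBad2.js:6:22:6:29 | fileName |
-| ZipSlipBad2.js:6:22:6:29 | fileName |
-| ZipSlipBad.js:7:11:7:31 | fileName |
-| ZipSlipBad.js:7:11:7:31 | fileName |
-| ZipSlipBad.js:7:22:7:31 | entry.path |
-| ZipSlipBad.js:7:22:7:31 | entry.path |
-| ZipSlipBad.js:7:22:7:31 | entry.path |
-| ZipSlipBad.js:8:37:8:44 | fileName |
-| ZipSlipBad.js:8:37:8:44 | fileName |
-| ZipSlipBad.js:8:37:8:44 | fileName |
-| ZipSlipBad.js:15:11:15:31 | fileName |
-| ZipSlipBad.js:15:11:15:31 | fileName |
-| ZipSlipBad.js:15:22:15:31 | entry.path |
-| ZipSlipBad.js:15:22:15:31 | entry.path |
-| ZipSlipBad.js:15:22:15:31 | entry.path |
-| ZipSlipBad.js:16:30:16:37 | fileName |
-| ZipSlipBad.js:16:30:16:37 | fileName |
-| ZipSlipBad.js:16:30:16:37 | fileName |
-| ZipSlipBad.js:22:11:22:31 | fileName |
-| ZipSlipBad.js:22:11:22:31 | fileName |
-| ZipSlipBad.js:22:22:22:31 | entry.path |
-| ZipSlipBad.js:22:22:22:31 | entry.path |
-| ZipSlipBad.js:22:22:22:31 | entry.path |
-| ZipSlipBad.js:23:28:23:35 | fileName |
-| ZipSlipBad.js:23:28:23:35 | fileName |
-| ZipSlipBad.js:23:28:23:35 | fileName |
-| ZipSlipBad.js:30:14:30:17 | name |
-| ZipSlipBad.js:30:14:30:17 | name |
-| ZipSlipBad.js:30:14:30:17 | name |
-| ZipSlipBad.js:31:26:31:29 | name |
-| ZipSlipBad.js:31:26:31:29 | name |
-| ZipSlipBad.js:31:26:31:29 | name |
-| ZipSlipBad.js:34:16:34:19 | name |
-| ZipSlipBad.js:34:16:34:19 | name |
-| ZipSlipBad.js:34:16:34:19 | name |
-| ZipSlipBad.js:35:26:35:29 | name |
-| ZipSlipBad.js:35:26:35:29 | name |
-| ZipSlipBad.js:35:26:35:29 | name |
-| ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
-| ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
-| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path |
-| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path |
-| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path |
-| ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
-| ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
-| ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
+| AdmZipBad.js:6:24:6:41 | zipEntry.entryName | semmle.label | zipEntry.entryName |
+| TarSlipBad.js:6:36:6:46 | header.name | semmle.label | header.name |
+| TarSlipBad.js:9:17:9:31 | header.linkname | semmle.label | header.linkname |
+| ZipSlipBad2.js:5:9:5:46 | fileName | semmle.label | fileName |
+| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | semmle.label | 'output ... ry.path |
+| ZipSlipBad2.js:5:37:5:46 | entry.path | semmle.label | entry.path |
+| ZipSlipBad2.js:6:22:6:29 | fileName | semmle.label | fileName |
+| ZipSlipBad.js:7:11:7:31 | fileName | semmle.label | fileName |
+| ZipSlipBad.js:7:22:7:31 | entry.path | semmle.label | entry.path |
+| ZipSlipBad.js:8:37:8:44 | fileName | semmle.label | fileName |
+| ZipSlipBad.js:15:11:15:31 | fileName | semmle.label | fileName |
+| ZipSlipBad.js:15:22:15:31 | entry.path | semmle.label | entry.path |
+| ZipSlipBad.js:16:30:16:37 | fileName | semmle.label | fileName |
+| ZipSlipBad.js:22:11:22:31 | fileName | semmle.label | fileName |
+| ZipSlipBad.js:22:22:22:31 | entry.path | semmle.label | entry.path |
+| ZipSlipBad.js:23:28:23:35 | fileName | semmle.label | fileName |
+| ZipSlipBad.js:30:14:30:17 | name | semmle.label | name |
+| ZipSlipBad.js:31:26:31:29 | name | semmle.label | name |
+| ZipSlipBad.js:34:16:34:19 | name | semmle.label | name |
+| ZipSlipBad.js:35:26:35:29 | name | semmle.label | name |
+| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | semmle.label | fileName |
+| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | semmle.label | entry.path |
+| ZipSlipBadUnzipper.js:8:37:8:44 | fileName | semmle.label | fileName |
 edges
-| AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName |
-| TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name |
-| TarSlipBad.js:9:17:9:31 | header.linkname | TarSlipBad.js:9:17:9:31 | header.linkname |
-| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName |
-| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName |
-| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName |
 | ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName |
 | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | ZipSlipBad2.js:5:9:5:46 | fileName |
-| ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | ZipSlipBad2.js:5:9:5:46 | fileName |
-| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
-| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
 | ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
-| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
-| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
-| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
 | ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
-| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
-| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
 | ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
-| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
-| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
-| ZipSlipBad.js:15:11:15:31 | fileName | ZipSlipBad.js:16:30:16:37 | fileName |
 | ZipSlipBad.js:15:11:15:31 | fileName | ZipSlipBad.js:16:30:16:37 | fileName |
-| ZipSlipBad.js:15:11:15:31 | fileName | ZipSlipBad.js:16:30:16:37 | fileName |
-| ZipSlipBad.js:15:11:15:31 | fileName | ZipSlipBad.js:16:30:16:37 | fileName |
-| ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:11:15:31 | fileName |
 | ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:11:15:31 | fileName |
-| ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:11:15:31 | fileName |
-| ZipSlipBad.js:15:22:15:31 | entry.path | ZipSlipBad.js:15:11:15:31 | fileName |
-| ZipSlipBad.js:22:11:22:31 | fileName | ZipSlipBad.js:23:28:23:35 | fileName |
-| ZipSlipBad.js:22:11:22:31 | fileName | ZipSlipBad.js:23:28:23:35 | fileName |
-| ZipSlipBad.js:22:11:22:31 | fileName | ZipSlipBad.js:23:28:23:35 | fileName |
 | ZipSlipBad.js:22:11:22:31 | fileName | ZipSlipBad.js:23:28:23:35 | fileName |
 | ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:11:22:31 | fileName |
-| ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:11:22:31 | fileName |
-| ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:11:22:31 | fileName |
-| ZipSlipBad.js:22:22:22:31 | entry.path | ZipSlipBad.js:22:11:22:31 | fileName |
-| ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:31:26:31:29 | name |
-| ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:31:26:31:29 | name |
-| ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:31:26:31:29 | name |
 | ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:31:26:31:29 | name |
-| ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:31:26:31:29 | name |
-| ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:31:26:31:29 | name |
-| ZipSlipBad.js:30:14:30:17 | name | ZipSlipBad.js:31:26:31:29 | name |
-| ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:35:26:35:29 | name |
-| ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:35:26:35:29 | name |
 | ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:35:26:35:29 | name |
-| ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:35:26:35:29 | name |
-| ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:35:26:35:29 | name |
-| ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:35:26:35:29 | name |
-| ZipSlipBad.js:34:16:34:19 | name | ZipSlipBad.js:35:26:35:29 | name |
-| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
 | ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
-| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
-| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
-| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
-| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
-| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
 | ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
+subpaths
 #select
 | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | Unsanitized archive entry, which may contain '..', is used in a $@. | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | file system operation |
 | TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | Unsanitized archive entry, which may contain '..', is used in a $@. | TarSlipBad.js:6:36:6:46 | header.name | file system operation |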
