add typeof sanitizer to js/shell-command-constructed-from-input

erik-krogh · erik-krogh · commit 876ba7ef2d19 · 2020-12-21T14:16:55.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -189,4 +189,25 @@ module UnsafeShellCommandConstruction {
       )
     }
   }
+
+  /**
+   * A check of the form `type x === "X"`, where x is  "number", or "boolean",
+   * which sanitized `x` in its "then" branch.
+   */
+  class TypeOfSanitizer extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
+    Expr x;
+    override EqualityTest astNode;
+
+    TypeOfSanitizer() {
+      exists(StringLiteral str, TypeofExpr typeof | astNode.hasOperands(str, typeof) |
+        str.getValue() = ["number", "boolean"] and // "undefined" is already handled in TaintTracking.qll
+        typeof.getOperand() = x
+      )
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      outcome = astNode.getPolarity() and
+      e = x
+    }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -339,3 +339,9 @@ module.exports.unproblematic = function() {
 module.exports.problematic = function(n) {
 	cp.exec("rm -rf " + id(n)); // NOT OK
 };
+
+module.exports.typeofNumber = function(n) {
+	if (typeof n === "number") {
+		cp.exec("rm -rf " + n); // OK
+	}
+};
