add files uploaded with multer as RemoteFlowSource

erik-krogh · erik-krogh · commit e2fbf8a68ca9 · 2021-02-11T09:33:15.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -509,8 +509,9 @@ module Express {
         this = request.getAPropertyRead("cookies")
         or
         // `req.files`, treated the same as `req.body`.
+        // `express-fileupload` uses .files, and `multer` uses .files or .file
         kind = "body" and
-        this = request.getAPropertyRead("files")
+        this = request.getAPropertyRead(["files", "file"])
       )
       or
       kind = "body" and
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -88,6 +88,18 @@ nodes
 | execSeries.js:18:34:18:40 | req.url |
 | execSeries.js:19:12:19:16 | [cmd] |
 | execSeries.js:19:13:19:15 | cmd |
+| form-parsers.js:9:8:9:39 | "touch  ... nalname |
+| form-parsers.js:9:8:9:39 | "touch  ... nalname |
+| form-parsers.js:9:19:9:26 | req.file |
+| form-parsers.js:9:19:9:26 | req.file |
+| form-parsers.js:9:19:9:39 | req.fil ... nalname |
+| form-parsers.js:13:3:13:11 | req.files |
+| form-parsers.js:13:3:13:11 | req.files |
+| form-parsers.js:13:21:13:24 | file |
+| form-parsers.js:14:10:14:37 | "touch  ... nalname |
+| form-parsers.js:14:10:14:37 | "touch  ... nalname |
+| form-parsers.js:14:21:14:24 | file |
+| form-parsers.js:14:21:14:37 | file.originalname |
 | lib/subLib/index.js:7:32:7:35 | name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -222,6 +234,16 @@ edges
 | execSeries.js:18:34:18:40 | req.url | execSeries.js:18:13:18:47 | require ... , true) |
 | execSeries.js:19:12:19:16 | [cmd] | execSeries.js:13:19:13:26 | commands |
 | execSeries.js:19:13:19:15 | cmd | execSeries.js:19:12:19:16 | [cmd] |
+| form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:19:9:39 | req.fil ... nalname |
+| form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:19:9:39 | req.fil ... nalname |
+| form-parsers.js:9:19:9:39 | req.fil ... nalname | form-parsers.js:9:8:9:39 | "touch  ... nalname |
+| form-parsers.js:9:19:9:39 | req.fil ... nalname | form-parsers.js:9:8:9:39 | "touch  ... nalname |
+| form-parsers.js:13:3:13:11 | req.files | form-parsers.js:13:21:13:24 | file |
+| form-parsers.js:13:3:13:11 | req.files | form-parsers.js:13:21:13:24 | file |
+| form-parsers.js:13:21:13:24 | file | form-parsers.js:14:21:14:24 | file |
+| form-parsers.js:14:21:14:24 | file | form-parsers.js:14:21:14:37 | file.originalname |
+| form-parsers.js:14:21:14:37 | file.originalname | form-parsers.js:14:10:14:37 | "touch  ... nalname |
+| form-parsers.js:14:21:14:37 | file.originalname | form-parsers.js:14:10:14:37 | "touch  ... nalname |
 | lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -293,6 +315,8 @@ edges
 | exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command depends on $@. | exec-sh2.js:14:25:14:31 | req.url | a user-provided value |
 | exec-sh.js:15:12:15:61 | cp.spaw ... ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command depends on $@. | exec-sh.js:19:25:19:31 | req.url | a user-provided value |
 | execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command depends on $@. | execSeries.js:18:34:18:40 | req.url | a user-provided value |
+| form-parsers.js:9:8:9:39 | "touch  ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch  ... nalname | This command depends on $@. | form-parsers.js:9:19:9:26 | req.file | a user-provided value |
+| form-parsers.js:14:10:14:37 | "touch  ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch  ... nalname | This command depends on $@. | form-parsers.js:13:3:13:11 | req.files | a user-provided value |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | child_process-test.js:85:37:85:54 | req.query.fileName | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | This command depends on $@. | child_process-test.js:85:37:85:54 | req.query.fileName | a user-provided value |
 | other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js b/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
@@ -0,0 +1,16 @@
+var express = require('express');
+var multer  = require('multer');
+var upload = multer({ dest: 'uploads/' });
+ 
+var app = express();
+var exec = require("child_process").exec;
+ 
+app.post('/profile', upload.single('avatar'), function (req, res, next) {
+  exec("touch " + req.file.originalname); // NOT OK
+});
+ 
+app.post('/photos/upload', upload.array('photos', 12), function (req, res, next) {
+  req.files.forEach(file => {
+    exec("touch " + file.originalname); // NOT OK
+  })
+});
