Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit e6d46b9

Browse files
erik-krogherik-krogh
committed
add test for new prefix check on TaintedPath
1 parent b6611b1 commit e6d46b9

2 files changed

Lines changed: 85 additions & 0 deletions

File tree

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1145,6 +1145,34 @@ nodes
11451145
| normalizedPaths.js:228:21:228:24 | path |
11461146
| normalizedPaths.js:228:21:228:24 | path |
11471147
| normalizedPaths.js:228:21:228:24 | path |
1148+
| normalizedPaths.js:236:7:236:47 | path |
1149+
| normalizedPaths.js:236:7:236:47 | path |
1150+
| normalizedPaths.js:236:7:236:47 | path |
1151+
| normalizedPaths.js:236:7:236:47 | path |
1152+
| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
1153+
| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
1154+
| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
1155+
| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
1156+
| normalizedPaths.js:236:33:236:46 | req.query.path |
1157+
| normalizedPaths.js:236:33:236:46 | req.query.path |
1158+
| normalizedPaths.js:236:33:236:46 | req.query.path |
1159+
| normalizedPaths.js:236:33:236:46 | req.query.path |
1160+
| normalizedPaths.js:236:33:236:46 | req.query.path |
1161+
| normalizedPaths.js:238:19:238:22 | path |
1162+
| normalizedPaths.js:238:19:238:22 | path |
1163+
| normalizedPaths.js:238:19:238:22 | path |
1164+
| normalizedPaths.js:238:19:238:22 | path |
1165+
| normalizedPaths.js:238:19:238:22 | path |
1166+
| normalizedPaths.js:245:21:245:24 | path |
1167+
| normalizedPaths.js:245:21:245:24 | path |
1168+
| normalizedPaths.js:245:21:245:24 | path |
1169+
| normalizedPaths.js:245:21:245:24 | path |
1170+
| normalizedPaths.js:245:21:245:24 | path |
1171+
| normalizedPaths.js:250:21:250:24 | path |
1172+
| normalizedPaths.js:250:21:250:24 | path |
1173+
| normalizedPaths.js:250:21:250:24 | path |
1174+
| normalizedPaths.js:250:21:250:24 | path |
1175+
| normalizedPaths.js:250:21:250:24 | path |
11481176
| tainted-require.js:7:19:7:37 | req.param("module") |
11491177
| tainted-require.js:7:19:7:37 | req.param("module") |
11501178
| tainted-require.js:7:19:7:37 | req.param("module") |
@@ -2903,6 +2931,42 @@ edges
29032931
| normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:226:14:226:49 | pathMod ... y.path) |
29042932
| normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:226:14:226:49 | pathMod ... y.path) |
29052933
| normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:226:14:226:49 | pathMod ... y.path) |
2934+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:238:19:238:22 | path |
2935+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:238:19:238:22 | path |
2936+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:238:19:238:22 | path |
2937+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:238:19:238:22 | path |
2938+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:238:19:238:22 | path |
2939+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:238:19:238:22 | path |
2940+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:238:19:238:22 | path |
2941+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:238:19:238:22 | path |
2942+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:245:21:245:24 | path |
2943+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:245:21:245:24 | path |
2944+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:245:21:245:24 | path |
2945+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:245:21:245:24 | path |
2946+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:245:21:245:24 | path |
2947+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:245:21:245:24 | path |
2948+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:245:21:245:24 | path |
2949+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:245:21:245:24 | path |
2950+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:250:21:250:24 | path |
2951+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:250:21:250:24 | path |
2952+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:250:21:250:24 | path |
2953+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:250:21:250:24 | path |
2954+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:250:21:250:24 | path |
2955+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:250:21:250:24 | path |
2956+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:250:21:250:24 | path |
2957+
| normalizedPaths.js:236:7:236:47 | path | normalizedPaths.js:250:21:250:24 | path |
2958+
| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) | normalizedPaths.js:236:7:236:47 | path |
2959+
| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) | normalizedPaths.js:236:7:236:47 | path |
2960+
| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) | normalizedPaths.js:236:7:236:47 | path |
2961+
| normalizedPaths.js:236:14:236:47 | pathMod ... y.path) | normalizedPaths.js:236:7:236:47 | path |
2962+
| normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
2963+
| normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
2964+
| normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
2965+
| normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
2966+
| normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
2967+
| normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
2968+
| normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
2969+
| normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
29062970
| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") |
29072971
| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
29082972
| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") |
@@ -3016,6 +3080,9 @@ edges
30163080
| normalizedPaths.js:210:21:210:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:21:210:34 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value |
30173081
| normalizedPaths.js:222:21:222:24 | path | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:222:21:222:24 | path | This path depends on $@. | normalizedPaths.js:214:35:214:48 | req.query.path | a user-provided value |
30183082
| normalizedPaths.js:228:21:228:24 | path | normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:228:21:228:24 | path | This path depends on $@. | normalizedPaths.js:226:35:226:48 | req.query.path | a user-provided value |
3083+
| normalizedPaths.js:238:19:238:22 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:238:19:238:22 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
3084+
| normalizedPaths.js:245:21:245:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:245:21:245:24 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
3085+
| normalizedPaths.js:250:21:250:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:250:21:250:24 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
30193086
| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
30203087
| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value |
30213088
| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -231,3 +231,21 @@ app.get('/replace', (req, res) => {
231231
fs.readFileSync(path); // OK
232232
}
233233
});
234+
235+
app.get('/resolve-path', (req, res) => {
236+
let path = pathModule.resolve(req.query.path);
237+
238+
fs.readFileSync(path); // NOT OK
239+
240+
var self = something();
241+
242+
if (path.substring(0, self.dir.length) === self.dir)
243+
fs.readFileSync(path); // OK
244+
else
245+
fs.readFileSync(path); // NOT OK - wrong polarity
246+
247+
if (path.slice(0, self.dir.length) === self.dir)
248+
fs.readFileSync(path); // OK
249+
else
250+
fs.readFileSync(path); // NOT OK - wrong polarity
251+
});

0 commit comments

Comments
 (0)