
Commit c2cce70

committed
JS: Now also regexp constructor is escaped in tainted path
1 parent 99d6717 commit c2cce70

3 files changed

+4
-86
lines changed

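--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -221,10 +221,10 @@ module TaintedPath {
 this instanceof StringReplaceCall and
 input = this.getReceiver() and
 output = this and
-not exists(RegExpLiteral literal, RegExpTerm term |
-this.(StringReplaceCall).getRegExp().asExpr() = literal and
+not exists(DataFlow::RegExpCreationNode regexp, RegExpTerm term |
+this.(StringReplaceCall).getRegExp() = regexp and
 this.(StringReplaceCall).isGlobal() and
-literal.getRoot() = term
+regexp.getRoot() = term
 |
 term.getAMatchedString() = "/" or
 term.getAMatchedString() = "." or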
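Review bot: The sanitizer condition at lines 224–227 now keys on `DataFlow::RegExpCreationNode`, which widens it from regexp literals to `RegExp(...)` constructor calls, but nothing in the hunk says what happens when the constructor's pattern string or flags argument is not a constant; a reader has to know that `regexp.getRoot()` and `isGlobal()` presumably have no result in that case, so the replace call is conservatively not treated as a sanitizer (the unchanged expected alert for TaintedPath.js:207, where the flags come from `unknownFlags()`, is consistent with that). Add a comment above the `not exists(...)`: `// Matches both regexp literals and RegExp(...) calls; if the pattern or flags are not statically known, getRoot()/isGlobal() do not hold and the replace is not considered a sanitizer.` The enclosing predicate starts and ends outside the hunk.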

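--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -1586,39 +1586,6 @@ nodes
 | TaintedPath.js:202:24:202:30 | req.url |
 | TaintedPath.js:202:24:202:30 | req.url |
 | TaintedPath.js:202:24:202:30 | req.url |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') |
 | TaintedPath.js:206:29:206:32 | path |
 | TaintedPath.js:206:29:206:32 | path |
 | TaintedPath.js:206:29:206:32 | path |
@@ -6848,22 +6815,6 @@ edges
 | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) |
 | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) |
 | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
-| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:205:29:205:32 | path |
 | TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
 | TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
 | TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path |
@@ -6976,38 +6927,6 @@ edges
 | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
 | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
 | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
-| TaintedPath.js:205:29:205:32 | path | TaintedPath.js:205:29:205:86 | path.re ... '), '') |
 | TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:81 | path.re ... "), '') |
 | TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:81 | path.re ... "), '') |
 | TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:81 | path.re ... "), '') |
@@ -10891,7 +10810,6 @@ edges
 | TaintedPath.js:196:31:196:34 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:196:31:196:34 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
 | TaintedPath.js:197:45:197:48 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:197:45:197:48 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
 | TaintedPath.js:198:35:198:38 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:198:35:198:38 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
-| TaintedPath.js:205:29:205:86 | path.re ... '), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:205:29:205:86 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value |
 | TaintedPath.js:206:29:206:81 | path.re ... "), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:206:29:206:81 | path.re ... "), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value |
 | TaintedPath.js:207:29:207:93 | path.re ... lags()) | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:207:29:207:93 | path.re ... lags()) | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value |
 | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value |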

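--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -202,7 +202,7 @@ var server = http.createServer(function(req, res) {
 let path = url.parse(req.url, true).query.path;
 
 // Removal of forward-slash or dots.
-res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); // OK. -- This should not be flagged but currently only literals escaped.
+res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); // OK
 res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]"), ''))); // NOT OK.
 res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]"), unknownFlags()))); // OK -- Might be okay depending on what unknownFlags evaluates to.
 });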
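Review bot: The comment on line 207 still labels the `unknownFlags()` case `// OK -- Might be okay ...`, while the expected output in this same commit keeps the alert for TaintedPath.js:207:29:207:93, so the test annotation and the recorded result disagree; since the commit is already rewording the annotation on line 205, line 207 should be brought in line with what the query actually reports. Suggest `// NOT OK -- flags are not statically known, so the replace is not treated as a sanitizer.` or, if the alert is considered a known false positive, say so explicitly in the comment. The enclosing request handler starts outside the hunk.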
