add sanitizer for relative ".." in js/path-injection

erik-krogh · erik-krogh · commit 3a146514cea9 · 2020-02-14T10:51:48.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -35,7 +35,8 @@ module TaintedPath {
       guard instanceof StartsWithDotDotSanitizer or
       guard instanceof StartsWithDirSanitizer or
       guard instanceof IsAbsoluteSanitizer or
-      guard instanceof ContainsDotDotSanitizer
+      guard instanceof ContainsDotDotSanitizer or
+      guard instanceof RelativePathContainsDotDotGuard
     }
 
     override predicate isAdditionalFlowStep(
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -12,19 +12,17 @@ module TaintedPath {
    */
   abstract class Source extends DataFlow::Node {
     /** Gets a flow label denoting the type of value for which this is a source. */
-    DataFlow::FlowLabel getAFlowLabel() {
-      result instanceof Label::PosixPath
-    }
+    DataFlow::FlowLabel getAFlowLabel() { result instanceof Label::PosixPath }
   }
 
   /**
    * A data flow sink for tainted-path vulnerabilities.
    */
   abstract class Sink extends DataFlow::Node {
+    Sink() { not this instanceof Sanitizer }
+
     /** Gets a flow label denoting the type of value for which this is a sink. */
-    DataFlow::FlowLabel getAFlowLabel() {
-      result instanceof Label::PosixPath
-    }
+    DataFlow::FlowLabel getAFlowLabel() { result instanceof Label::PosixPath }
   }
 
   /**
@@ -355,6 +353,35 @@ module TaintedPath {
     }
   }
 
+  /**
+   * A sanitizer that recognizes the following pattern:
+   *   var relative = path.relative(webroot, pathname);
+   *   if(relative.startsWith(".." + path.sep) || relative == "..") {
+   *     // pathname is unsafe
+   *   } else {
+   *     // pathname is safe
+   *   }
+   */
+  class RelativePathContainsDotDotGuard extends DataFlow::BarrierGuardNode {
+    StringOps::StartsWith startsWith;
+    DataFlow::CallNode relativeCall;
+
+    RelativePathContainsDotDotGuard() {
+      this = startsWith and
+      relativeCall = DataFlow::moduleImport("path").getAMemberCall("relative") and
+      startsWith.getBaseString().getALocalSource() = relativeCall and
+      exists(DataFlow::Node subString | subString = startsWith.getSubstring() |
+        subString.mayHaveStringValue("..")
+        or
+        subString.(StringOps::ConcatenationRoot).getFirstLeaf().mayHaveStringValue("..")
+      )
+    }
+
+    override predicate blocks(boolean outcome, Expr e) {
+      e = relativeCall.getArgument(1).asExpr() and outcome = false
+    }
+  }
+
   /**
    * A source of remote user input, considered as a flow source for
    * tainted-path vulnerabilities.
@@ -396,9 +423,7 @@ module TaintedPath {
    * A path argument to a file system access, which disallows upward navigation.
    */
   private class FsPathSinkWithoutUpwardNavigation extends FsPathSink {
-    FsPathSinkWithoutUpwardNavigation() {
-      fileSystemAccess.isUpwardNavigationRejected(this)
-    }
+    FsPathSinkWithoutUpwardNavigation() { fileSystemAccess.isUpwardNavigationRejected(this) }
 
     override DataFlow::FlowLabel getAFlowLabel() {
       // The protection is ineffective if the ../ segments have already
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -1259,6 +1259,34 @@ nodes
 | normalizedPaths.js:250:21:250:24 | path |
 | normalizedPaths.js:250:21:250:24 | path |
 | normalizedPaths.js:250:21:250:24 | path |
+| normalizedPaths.js:254:7:254:47 | path |
+| normalizedPaths.js:254:7:254:47 | path |
+| normalizedPaths.js:254:7:254:47 | path |
+| normalizedPaths.js:254:7:254:47 | path |
+| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:33:254:46 | req.query.path |
+| normalizedPaths.js:254:33:254:46 | req.query.path |
+| normalizedPaths.js:254:33:254:46 | req.query.path |
+| normalizedPaths.js:254:33:254:46 | req.query.path |
+| normalizedPaths.js:254:33:254:46 | req.query.path |
+| normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:270:21:270:24 | path |
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
@@ -3630,6 +3658,42 @@ edges
 | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
 | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
 | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:236:14:236:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:256:19:256:22 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:262:21:262:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:254:7:254:47 | path | normalizedPaths.js:270:21:270:24 | path |
+| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | normalizedPaths.js:254:7:254:47 | path |
+| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | normalizedPaths.js:254:7:254:47 | path |
+| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | normalizedPaths.js:254:7:254:47 | path |
+| normalizedPaths.js:254:14:254:47 | pathMod ... y.path) | normalizedPaths.js:254:7:254:47 | path |
+| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
+| normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:254:14:254:47 | pathMod ... y.path) |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") |
@@ -4411,6 +4475,9 @@ edges
 | normalizedPaths.js:238:19:238:22 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:238:19:238:22 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
 | normalizedPaths.js:245:21:245:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:245:21:245:24 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
 | normalizedPaths.js:250:21:250:24 | path | normalizedPaths.js:236:33:236:46 | req.query.path | normalizedPaths.js:250:21:250:24 | path | This path depends on $@. | normalizedPaths.js:236:33:236:46 | req.query.path | a user-provided value |
+| normalizedPaths.js:256:19:256:22 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:256:19:256:22 | path | This path depends on $@. | normalizedPaths.js:254:33:254:46 | req.query.path | a user-provided value |
+| normalizedPaths.js:262:21:262:24 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:262:21:262:24 | path | This path depends on $@. | normalizedPaths.js:254:33:254:46 | req.query.path | a user-provided value |
+| normalizedPaths.js:270:21:270:24 | path | normalizedPaths.js:254:33:254:46 | req.query.path | normalizedPaths.js:270:21:270:24 | path | This path depends on $@. | normalizedPaths.js:254:33:254:46 | req.query.path | a user-provided value |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
@@ -249,3 +249,26 @@ app.get('/resolve-path', (req, res) => {
   else
     fs.readFileSync(path); // NOT OK - wrong polarity
 });
+
+app.get('/relative-startswith', (req, res) => {
+  let path = pathModule.resolve(req.query.path);
+
+  fs.readFileSync(path); // NOT OK
+
+  var self = something();
+	
+  var relative = pathModule.relative(self.webroot, path);
+  if(relative.startsWith(".." + pathModule.sep) || relative == "..") {
+    fs.readFileSync(path); // NOT OK! 
+  } else {
+    fs.readFileSync(path); // OK! 
+  }
+
+  let newpath = pathModule.normalize(p);
+  var relativePath = path.relative(path.normalize(workspaceDir), newpath);
+  if (relativePath.indexOf('..' + pathModule.sep) === 0) {
+    fs.readFileSync(path); // NOT OK!
+  } else {
+	  fs.readFileSync(newpath); // OK! 
+  }
+});

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,8 @@ module TaintedPath {`
`35`	`35`	`guard instanceof StartsWithDotDotSanitizer or`
`36`	`36`	`guard instanceof StartsWithDirSanitizer or`
`37`	`37`	`guard instanceof IsAbsoluteSanitizer or`
`38`		`- guard instanceof ContainsDotDotSanitizer`
	`38`	`+ guard instanceof ContainsDotDotSanitizer or`
	`39`	`+ guard instanceof RelativePathContainsDotDotGuard`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`override predicate isAdditionalFlowStep(`