@@ -401,4 +401,33 @@ private module ClosureLibraryUri {
401401 succ = uri
402402 }
403403 }
404+
405+ /**
406+ * Provides classes for working with [path](https://nodejs.org/api/path.html) code.
407+ */
408+ module path {
409+ /**
410+ * A taint step in the path module.
411+ */
412+ private class Step extends UriLibraryStep , DataFlow:: CallNode {
413+ DataFlow:: Node src ;
414+
415+ Step ( ) {
416+ exists ( DataFlow:: SourceNode ref |
417+ ref = NodeJSLib:: Path:: moduleMember ( "parse" ) or
418+ // a ponyfill: https://www.npmjs.com/package/path-parse
419+ ref = DataFlow:: moduleImport ( "path-parse" ) or
420+ ref = DataFlow:: moduleMember ( "path-parse" , "posix" ) or
421+ ref = DataFlow:: moduleMember ( "path-parse" , "win32" )
422+ |
423+ this = ref .getACall ( ) and
424+ src = getAnArgument ( )
425+ )
426+ }
427+
428+ override predicate step ( DataFlow:: Node pred , DataFlow:: Node succ ) {
429+ pred = src and succ = this
430+ }
431+ }
432+ }
404433}
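Review bot: The new `module path` appears to be declared inside `private module ClosureLibraryUri`, because the added lines sit before the final `}` (new line 433), which the hunk header's context suggests is that module's closing brace. Indentation is lost on this page and `ClosureLibraryUri` starts outside the hunk, so confirm this against the file. The expected-output section shows the steps are still found, but a Node.js `path` model nested in the Closure-library module is hard to locate and sits under the wrong module documentation; moving it after that brace as its own `private module` would match its purpose. The class comment could state the flow precisely, e.g. `A taint step from the argument of path.parse, or of the path-parse ponyfill, to the parsed result.` Since these calls take a single path string, `src = getArgument(0)` would be tighter than `getAnArgument()`.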
2424| closureUri.js:23:1:23:18 | utils.getPath(uri) | closureUri.js:23:15:23:17 | uri | closureUri.js:23:1:23:18 | utils.getPath(uri) |
2525| closureUri.js:27:1:27:23 | stringU ... code(x) | closureUri.js:27:22:27:22 | x | closureUri.js:27:1:27:23 | stringU ... code(x) |
2626| closureUri.js:28:1:28:23 | stringU ... code(x) | closureUri.js:28:22:28:22 | x | closureUri.js:28:1:28:23 | stringU ... code(x) |
27+ | path-parse.js:4:1:4:13 | path.parse(x) | path-parse.js:4:12:4:12 | x | path-parse.js:4:1:4:13 | path.parse(x) |
28+ | path-parse.js:5:1:5:13 | path_parse(x) | path-parse.js:5:12:5:12 | x | path-parse.js:5:1:5:13 | path_parse(x) |
29+ | path-parse.js:6:1:6:19 | path.posix.parse(x) | path-parse.js:6:18:6:18 | x | path-parse.js:6:1:6:19 | path.posix.parse(x) |
30+ | path-parse.js:7:1:7:19 | path_parse.posix(x) | path-parse.js:7:18:7:18 | x | path-parse.js:7:1:7:19 | path_parse.posix(x) |
31+ | path-parse.js:8:1:8:19 | path.win32.parse(x) | path-parse.js:8:18:8:18 | x | path-parse.js:8:1:8:19 | path.win32.parse(x) |
32+ | path-parse.js:9:1:9:19 | path_parse.win32(x) | path-parse.js:9:18:9:18 | x | path-parse.js:9:1:9:19 | path_parse.win32(x) |
2733| punycode.js:3:9:3:26 | punycode.decode(x) | punycode.js:3:25:3:25 | x | punycode.js:3:9:3:26 | punycode.decode(x) |
2834| punycode.js:5:5:5:22 | punycode.encode(x) | punycode.js:5:21:5:21 | x | punycode.js:5:5:5:22 | punycode.encode(x) |
2935| punycode.js:7:5:7:25 | punycod ... code(x) | punycode.js:7:24:7:24 | x | punycode.js:7:5:7:25 | punycod ... code(x) |
1+ const path = require ( 'path' ) ;
2+ const path_parse = require ( 'path-parse' ) ;
3+
4+ path . parse ( x ) ;
5+ path_parse ( x ) ;
6+ path . posix . parse ( x ) ;
7+ path_parse . posix ( x ) ;
8+ path . win32 . parse ( x ) ;
9+ path_parse . win32 ( x ) ;