Skip to content

Commit 76ba48c

Browse files
authored
Merge pull request #2790 from esbena/js/model-send
Approved by asgerf
2 parents 3c8aeb9 + 736ccb9 commit 76ba48c

File tree

4 files changed

+214
-0
lines changed

4 files changed

+214
-0
lines changed

change-notes/1.24/analysis-javascript.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@
2424
- [lazy-cache](https://www.npmjs.com/package/lazy-cache)
2525
- [for-in](https://www.npmjs.com/package/for-in)
2626
- [for-own](https://www.npmjs.com/package/for-own)
27+
- [send](https://www.npmjs.com/package/send)
2728

2829
## New queries
2930

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -428,4 +428,11 @@ module TaintedPath {
428428
class AngularJSTemplateUrlSink extends Sink, DataFlow::ValueNode {
429429
AngularJSTemplateUrlSink() { this = any(AngularJS::CustomDirective d).getMember("templateUrl") }
430430
}
431+
432+
/**
433+
* The path argument of a [send](https://www.npmjs.com/package/send) call, viewed as a sink.
434+
*/
435+
class SendPathSink extends Sink, DataFlow::ValueNode {
436+
SendPathSink() { this = DataFlow::moduleImport("send").getACall().getArgument(1) }
437+
}
431438
}

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

Lines changed: 199 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -801,6 +801,92 @@ nodes
801801
| TaintedPath.js:112:45:112:52 | realpath |
802802
| TaintedPath.js:112:45:112:52 | realpath |
803803
| TaintedPath.js:112:45:112:52 | realpath |
804+
| TaintedPath.js:119:6:119:47 | path |
805+
| TaintedPath.js:119:6:119:47 | path |
806+
| TaintedPath.js:119:6:119:47 | path |
807+
| TaintedPath.js:119:6:119:47 | path |
808+
| TaintedPath.js:119:6:119:47 | path |
809+
| TaintedPath.js:119:6:119:47 | path |
810+
| TaintedPath.js:119:6:119:47 | path |
811+
| TaintedPath.js:119:6:119:47 | path |
812+
| TaintedPath.js:119:6:119:47 | path |
813+
| TaintedPath.js:119:6:119:47 | path |
814+
| TaintedPath.js:119:6:119:47 | path |
815+
| TaintedPath.js:119:6:119:47 | path |
816+
| TaintedPath.js:119:6:119:47 | path |
817+
| TaintedPath.js:119:6:119:47 | path |
818+
| TaintedPath.js:119:6:119:47 | path |
819+
| TaintedPath.js:119:6:119:47 | path |
820+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
821+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
822+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
823+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
824+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
825+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
826+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
827+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
828+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
829+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
830+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
831+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
832+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
833+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
834+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
835+
| TaintedPath.js:119:13:119:36 | url.par ... , true) |
836+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
837+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
838+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
839+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
840+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
841+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
842+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
843+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
844+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
845+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
846+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
847+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
848+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
849+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
850+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
851+
| TaintedPath.js:119:13:119:42 | url.par ... ).query |
852+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
853+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
854+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
855+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
856+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
857+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
858+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
859+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
860+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
861+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
862+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
863+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
864+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
865+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
866+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
867+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
868+
| TaintedPath.js:119:23:119:29 | req.url |
869+
| TaintedPath.js:119:23:119:29 | req.url |
870+
| TaintedPath.js:119:23:119:29 | req.url |
871+
| TaintedPath.js:119:23:119:29 | req.url |
872+
| TaintedPath.js:119:23:119:29 | req.url |
873+
| TaintedPath.js:121:23:121:26 | path |
874+
| TaintedPath.js:121:23:121:26 | path |
875+
| TaintedPath.js:121:23:121:26 | path |
876+
| TaintedPath.js:121:23:121:26 | path |
877+
| TaintedPath.js:121:23:121:26 | path |
878+
| TaintedPath.js:121:23:121:26 | path |
879+
| TaintedPath.js:121:23:121:26 | path |
880+
| TaintedPath.js:121:23:121:26 | path |
881+
| TaintedPath.js:121:23:121:26 | path |
882+
| TaintedPath.js:121:23:121:26 | path |
883+
| TaintedPath.js:121:23:121:26 | path |
884+
| TaintedPath.js:121:23:121:26 | path |
885+
| TaintedPath.js:121:23:121:26 | path |
886+
| TaintedPath.js:121:23:121:26 | path |
887+
| TaintedPath.js:121:23:121:26 | path |
888+
| TaintedPath.js:121:23:121:26 | path |
889+
| TaintedPath.js:121:23:121:26 | path |
804890
| normalizedPaths.js:11:7:11:27 | path |
805891
| normalizedPaths.js:11:7:11:27 | path |
806892
| normalizedPaths.js:11:7:11:27 | path |
@@ -2996,6 +3082,118 @@ edges
29963082
| TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath |
29973083
| TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath |
29983084
| TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath |
3085+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3086+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3087+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3088+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3089+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3090+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3091+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3092+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3093+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3094+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3095+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3096+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3097+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3098+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3099+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3100+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3101+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3102+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3103+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3104+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3105+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3106+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3107+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3108+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3109+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3110+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3111+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3112+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3113+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3114+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3115+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3116+
| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
3117+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3118+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3119+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3120+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3121+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3122+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3123+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3124+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3125+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3126+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3127+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3128+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3129+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3130+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3131+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3132+
| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
3133+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3134+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3135+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3136+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3137+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3138+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3139+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3140+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3141+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3142+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3143+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3144+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3145+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3146+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3147+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3148+
| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
3149+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3150+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3151+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3152+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3153+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3154+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3155+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3156+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3157+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3158+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3159+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3160+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3161+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3162+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3163+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3164+
| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
3165+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3166+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3167+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3168+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3169+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3170+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3171+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3172+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3173+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3174+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3175+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3176+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3177+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3178+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3179+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3180+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3181+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3182+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3183+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3184+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3185+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3186+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3187+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3188+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3189+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3190+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3191+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3192+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3193+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3194+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3195+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
3196+
| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
29993197
| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
30003198
| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
30013199
| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
@@ -4171,6 +4369,7 @@ edges
41714369
| TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | This path depends on $@. | TaintedPath.js:94:48:94:60 | req.params[0] | a user-provided value |
41724370
| TaintedPath.js:109:28:109:48 | fs.real ... c(path) | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value |
41734371
| TaintedPath.js:112:45:112:52 | realpath | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:112:45:112:52 | realpath | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value |
4372+
| TaintedPath.js:121:23:121:26 | path | TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:121:23:121:26 | path | This path depends on $@. | TaintedPath.js:119:23:119:29 | req.url | a user-provided value |
41744373
| normalizedPaths.js:13:19:13:22 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:19:13:22 | path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
41754374
| normalizedPaths.js:14:19:14:29 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:19:14:29 | './' + path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
41764375
| normalizedPaths.js:15:19:15:38 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -114,3 +114,10 @@ var server = http.createServer(function(req, res) {
114114
);
115115

116116
});
117+
118+
var server = http.createServer(function(req, res) {
119+
let path = url.parse(req.url, true).query.path;
120+
121+
require('send')(req, path); // NOT OK
122+
123+
});

0 commit comments

Comments
 (0)