Skip to content

Commit 915aa3d

Browse files
asgerfasgerf
committed
JS: Add Source expectations
1 parent 0f33bf1 commit 915aa3d

File tree

15 files changed

+61
-61
lines changed

15 files changed

+61
-61
lines changed

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ import { parse } from 'url';
44
import { join } from 'path';
55

66
var server = createServer(function(req, res) {
7-
let path = parse(req.url, true).query.path;
7+
let path = parse(req.url, true).query.path; // $ Source
88

99
res.write(readFileSync(join("public", path))); // $ Alert - This could read any file on the file system
1010
});

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js

Lines changed: 15 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ var fs = require('fs'),
66
;
77

88
var server = http.createServer(function(req, res) {
9-
let path = url.parse(req.url, true).query.path;
9+
let path = url.parse(req.url, true).query.path; // $ Source
1010

1111
res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system
1212

@@ -33,7 +33,7 @@ var server = http.createServer(function(req, res) {
3333
path = sanitize(path);
3434
res.write(fs.readFileSync(path)); // OK - Path is sanitized
3535

36-
path = url.parse(req.url, true).query.path;
36+
path = url.parse(req.url, true).query.path; // $ Source
3737
// OK - basename is safe
3838
res.write(fs.readFileSync(pathModule.basename(path)));
3939
res.write(fs.readFileSync(pathModule.dirname(path))); // $ Alert - taint is preserved
@@ -51,9 +51,9 @@ var server = http.createServer(function(req, res) {
5151

5252
var server = http.createServer(function(req, res) {
5353
// tests for a few uri-libraries
54-
res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert
55-
res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert
56-
res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert
54+
res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert Source
55+
res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert Source
56+
res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert Source
5757
});
5858

5959
(function(){
@@ -70,7 +70,7 @@ var server = http.createServer(function(req, res) {
7070
})();
7171

7272
var server = http.createServer(function(req, res) {
73-
let path = url.parse(req.url, true).query.path;
73+
let path = url.parse(req.url, true).query.path; // $ Source
7474

7575
res.write(fs.readFileSync(fs.realpathSync(path))); // $ Alert
7676
fs.realpath(path,
@@ -106,13 +106,13 @@ var server = http.createServer(function(req, res) {
106106
});
107107

108108
var server = http.createServer(function(req, res) {
109-
let path = url.parse(req.url, true).query.path;
109+
let path = url.parse(req.url, true).query.path; // $ Source
110110

111111
require('send')(req, path); // $ Alert
112112
});
113113

114114
var server = http.createServer(function(req, res) {
115-
let path = url.parse(req.url, true).query.path;
115+
let path = url.parse(req.url, true).query.path; // $ Source
116116

117117
fs.readFileSync(path); // $ Alert
118118

@@ -136,7 +136,7 @@ var server = http.createServer(function(req, res) {
136136
});
137137

138138
var server = http.createServer(function(req, res) {
139-
let path = url.parse(req.url, true).query.path;
139+
let path = url.parse(req.url, true).query.path; // $ Source
140140

141141
// Removal of forward-slash or dots.
142142
res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, '')));
@@ -173,22 +173,22 @@ import normalizeUrl from 'normalize-url';
173173
var server = http.createServer(function(req, res) {
174174
// tests for a few more uri-libraries
175175
const qs = require("qs");
176-
res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert
177-
res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert
176+
res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert Source
177+
res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert Source
178178
const parseqs = require("parseqs");
179-
res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert
179+
res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert Source
180180
});
181181

182182
const cp = require("child_process");
183183
var server = http.createServer(function(req, res) {
184-
let path = url.parse(req.url, true).query.path;
184+
let path = url.parse(req.url, true).query.path; // $ Source
185185
cp.execSync("foobar", {cwd: path}); // $ Alert
186186
cp.execFileSync("foobar", ["args"], {cwd: path}); // $ Alert
187187
cp.execFileSync("foobar", {cwd: path}); // $ Alert
188188
});
189189

190190
var server = http.createServer(function(req, res) {
191-
let path = url.parse(req.url, true).query.path;
191+
let path = url.parse(req.url, true).query.path; // $ Source
192192

193193
// Removal of forward-slash or dots.
194194
res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), '')));
@@ -197,7 +197,7 @@ var server = http.createServer(function(req, res) {
197197
});
198198

199199
var server = http.createServer(function(req, res) {
200-
let path = url.parse(req.url, true).query.path;
200+
let path = url.parse(req.url, true).query.path; // $ Source
201201

202202
res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // $ Alert - can be absolute
203203

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ const fs = require('fs'),
55
const ROOT = "/var/www/";
66

77
var server = http.createServer(function(req, res) {
8-
let filePath = url.parse(req.url, true).query.path;
8+
let filePath = url.parse(req.url, true).query.path; // $ Source
99

1010
res.write(fs.readFileSync(ROOT + filePath, 'utf8')); // $ Alert - This function uses unsanitized input that can read any file on the file system.
1111
});

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ function init() {
2626
init();
2727

2828
app.get('/some/path1', function (req, res) {
29-
res.send(data.compiledFileAccess({ path: req.params.path })); // template uses vulnerable catFile
29+
res.send(data.compiledFileAccess({ path: req.params.path })); // $ Source - template uses vulnerable catFile
3030
});
3131

3232
app.get('/some/path2', function (req, res) {
@@ -40,7 +40,7 @@ app.get('/some/path3', function (req, res) {
4040
app.get('/some/path4', function (req, res) {
4141
res.send(data.compiledMixed({
4242
prefix: ">>> ",
43-
path: req.params.path // template uses vulnerable helper
43+
path: req.params.path // $ Source - template uses vulnerable helper
4444
}));
4545
});
4646

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js

Lines changed: 25 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ var fs = require('fs'),
88
let app = express();
99

1010
app.get('/basic', (req, res) => {
11-
let path = req.query.path;
11+
let path = req.query.path; // $ Source
1212

1313
fs.readFileSync(path); // $ Alert
1414
fs.readFileSync('./' + path); // $ Alert
@@ -18,7 +18,7 @@ app.get('/basic', (req, res) => {
1818
});
1919

2020
app.get('/normalize', (req, res) => {
21-
let path = pathModule.normalize(req.query.path);
21+
let path = pathModule.normalize(req.query.path); // $ Source
2222

2323
fs.readFileSync(path); // $ Alert
2424
fs.readFileSync('./' + path); // $ Alert
@@ -28,7 +28,7 @@ app.get('/normalize', (req, res) => {
2828
});
2929

3030
app.get('/normalize-notAbsolute', (req, res) => {
31-
let path = pathModule.normalize(req.query.path);
31+
let path = pathModule.normalize(req.query.path); // $ Source
3232

3333
if (pathModule.isAbsolute(path))
3434
return;
@@ -51,7 +51,7 @@ app.get('/normalize-notAbsolute', (req, res) => {
5151
});
5252

5353
app.get('/normalize-noInitialDotDot', (req, res) => {
54-
let path = pathModule.normalize(req.query.path);
54+
let path = pathModule.normalize(req.query.path); // $ Source
5555

5656
if (path.startsWith(".."))
5757
return;
@@ -70,7 +70,7 @@ app.get('/normalize-noInitialDotDot', (req, res) => {
7070

7171
app.get('/prepend-normalize', (req, res) => {
7272
// Coerce to relative prior to normalization
73-
let path = pathModule.normalize('./' + req.query.path);
73+
let path = pathModule.normalize('./' + req.query.path); // $ Source
7474

7575
if (!path.startsWith(".."))
7676
fs.readFileSync(path);
@@ -79,7 +79,7 @@ app.get('/prepend-normalize', (req, res) => {
7979
});
8080

8181
app.get('/absolute', (req, res) => {
82-
let path = req.query.path;
82+
let path = req.query.path; // $ Source
8383

8484
if (!pathModule.isAbsolute(path))
8585
return;
@@ -91,7 +91,7 @@ app.get('/absolute', (req, res) => {
9191
});
9292

9393
app.get('/normalized-absolute', (req, res) => {
94-
let path = pathModule.normalize(req.query.path);
94+
let path = pathModule.normalize(req.query.path); // $ Source
9595

9696
if (!pathModule.isAbsolute(path))
9797
return;
@@ -114,7 +114,7 @@ app.get('/combined-check', (req, res) => {
114114
});
115115

116116
app.get('/realpath', (req, res) => {
117-
let path = fs.realpathSync(req.query.path);
117+
let path = fs.realpathSync(req.query.path); // $ Source
118118

119119
fs.readFileSync(path); // $ Alert
120120
fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert
@@ -127,7 +127,7 @@ app.get('/realpath', (req, res) => {
127127
});
128128

129129
app.get('/coerce-relative', (req, res) => {
130-
let path = pathModule.join('.', req.query.path);
130+
let path = pathModule.join('.', req.query.path); // $ Source
131131

132132
if (!path.startsWith('..'))
133133
fs.readFileSync(path);
@@ -136,7 +136,7 @@ app.get('/coerce-relative', (req, res) => {
136136
});
137137

138138
app.get('/coerce-absolute', (req, res) => {
139-
let path = pathModule.join('/home/user/www', req.query.path);
139+
let path = pathModule.join('/home/user/www', req.query.path); // $ Source
140140

141141
if (path.startsWith('/home/user/www'))
142142
fs.readFileSync(path);
@@ -145,7 +145,7 @@ app.get('/coerce-absolute', (req, res) => {
145145
});
146146

147147
app.get('/concat-after-normalization', (req, res) => {
148-
let path = 'foo/' + pathModule.normalize(req.query.path);
148+
let path = 'foo/' + pathModule.normalize(req.query.path); // $ Source
149149

150150
if (!path.startsWith('..'))
151151
fs.readFileSync(path); // $ Alert - prefixing foo/ invalidates check
@@ -157,7 +157,7 @@ app.get('/concat-after-normalization', (req, res) => {
157157
});
158158

159159
app.get('/noDotDot', (req, res) => {
160-
let path = pathModule.normalize(req.query.path);
160+
let path = pathModule.normalize(req.query.path); // $ Source
161161

162162
if (path.includes('..'))
163163
return;
@@ -171,7 +171,7 @@ app.get('/noDotDot', (req, res) => {
171171
});
172172

173173
app.get('/join-regression', (req, res) => {
174-
let path = req.query.path;
174+
let path = req.query.path; // $ Source
175175

176176
// Regression test for a specific corner case:
177177
// Some guard nodes sanitize both branches, but for a different set of flow labels.
@@ -211,7 +211,7 @@ app.get('/join-regression', (req, res) => {
211211
});
212212

213213
app.get('/decode-after-normalization', (req, res) => {
214-
let path = pathModule.normalize(req.query.path);
214+
let path = pathModule.normalize(req.query.path); // $ Source
215215

216216
if (!pathModule.isAbsolute(path) && !path.startsWith('..'))
217217
fs.readFileSync(path);
@@ -223,7 +223,7 @@ app.get('/decode-after-normalization', (req, res) => {
223223
});
224224

225225
app.get('/replace', (req, res) => {
226-
let path = pathModule.normalize(req.query.path).replace(/%20/g, ' ');
226+
let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); // $ Source
227227
if (!pathModule.isAbsolute(path)) {
228228
fs.readFileSync(path); // $ Alert
229229

@@ -233,7 +233,7 @@ app.get('/replace', (req, res) => {
233233
});
234234

235235
app.get('/resolve-path', (req, res) => {
236-
let path = pathModule.resolve(req.query.path);
236+
let path = pathModule.resolve(req.query.path); // $ Source
237237

238238
fs.readFileSync(path); // $ Alert
239239

@@ -251,7 +251,7 @@ app.get('/resolve-path', (req, res) => {
251251
});
252252

253253
app.get('/relative-startswith', (req, res) => {
254-
let path = pathModule.resolve(req.query.path);
254+
let path = pathModule.resolve(req.query.path); // $ Source
255255

256256
fs.readFileSync(path); // $ Alert
257257

@@ -300,7 +300,7 @@ app.get('/relative-startswith', (req, res) => {
300300
var isPathInside = require("is-path-inside"),
301301
pathIsInside = require("path-is-inside");
302302
app.get('/pseudo-normalizations', (req, res) => {
303-
let path = req.query.path;
303+
let path = req.query.path; // $ Source
304304
fs.readFileSync(path); // $ Alert
305305
if (isPathInside(path, SAFE)) {
306306
fs.readFileSync(path);
@@ -336,7 +336,7 @@ app.get('/pseudo-normalizations', (req, res) => {
336336
});
337337

338338
app.get('/yet-another-prefix', (req, res) => {
339-
let path = pathModule.resolve(req.query.path);
339+
let path = pathModule.resolve(req.query.path); // $ Source
340340

341341
fs.readFileSync(path); // $ Alert
342342

@@ -351,7 +351,7 @@ app.get('/yet-another-prefix', (req, res) => {
351351

352352
var rootPath = process.cwd();
353353
app.get('/yet-another-prefix2', (req, res) => {
354-
let path = req.query.path;
354+
let path = req.query.path; // $ Source
355355

356356
fs.readFileSync(path); // $ Alert
357357

@@ -374,15 +374,15 @@ app.get('/yet-another-prefix2', (req, res) => {
374374

375375
import slash from 'slash';
376376
app.get('/slash-stuff', (req, res) => {
377-
let path = req.query.path;
377+
let path = req.query.path; // $ Source
378378

379379
fs.readFileSync(path); // $ Alert
380380

381381
fs.readFileSync(slash(path)); // $ Alert
382382
});
383383

384384
app.get('/dotdot-regexp', (req, res) => {
385-
let path = pathModule.normalize(req.query.x);
385+
let path = pathModule.normalize(req.query.x); // $ Source
386386
if (pathModule.isAbsolute(path))
387387
return;
388388
fs.readFileSync(path); // $ Alert
@@ -404,12 +404,12 @@ app.get('/dotdot-regexp', (req, res) => {
404404
});
405405

406406
app.get('/join-spread', (req, res) => {
407-
fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert
408-
fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert
407+
fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert Source
408+
fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert Source
409409
});
410410

411411
app.get('/dotdot-matchAll-regexp', (req, res) => {
412-
let path = pathModule.normalize(req.query.x);
412+
let path = pathModule.normalize(req.query.x); // $ Source
413413
if (pathModule.isAbsolute(path))
414414
return;
415415
fs.readFileSync(path); // $ Alert

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ var http = require("http"),
66
originalFs = require("original-fs");
77

88
var server = http.createServer(function(req, res) {
9-
var path = url.parse(req.url, true).query.path;
9+
var path = url.parse(req.url, true).query.path; // $ Source
1010

1111
fs.readFileSync(path); // $ Alert
1212
gracefulFs.readFileSync(path); // $ Alert
@@ -35,7 +35,7 @@ function getFsModule(special) {
3535
var util = require("util");
3636

3737
http.createServer(function(req, res) {
38-
var path = url.parse(req.url, true).query.path;
38+
var path = url.parse(req.url, true).query.path; // $ Source
3939

4040
util.promisify(fs.readFileSync)(path); // $ Alert
4141
require("bluebird").promisify(fs.readFileSync)(path); // $ Alert
@@ -46,7 +46,7 @@ http.createServer(function(req, res) {
4646
const asyncFS = require("./my-async-fs-module");
4747

4848
http.createServer(function(req, res) {
49-
var path = url.parse(req.url, true).query.path;
49+
var path = url.parse(req.url, true).query.path; // $ Source
5050

5151
fs.readFileSync(path); // $ Alert
5252
asyncFS.readFileSync(path); // $ Alert
@@ -65,7 +65,7 @@ http.createServer(function(req, res) {
6565

6666
const mkdirp = require("mkdirp");
6767
http.createServer(function(req, res) {
68-
var path = url.parse(req.url, true).query.path;
68+
var path = url.parse(req.url, true).query.path; // $ Source
6969

7070
fs.readFileSync(path); // $ Alert
7171
mkdirp(path); // $ Alert
@@ -78,7 +78,7 @@ function func(x) {
7878

7979
const fsp = require("fs/promises");
8080
http.createServer(function(req, res) {
81-
var path = url.parse(req.url, true).query.path;
81+
var path = url.parse(req.url, true).query.path; // $ Source
8282

8383
fsp.readFile(path); // $ Alert
8484
});

0 commit comments

Comments
 (0)