JS: Accept alerts for DecompressionBomb

Author: asgerf

javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/adm-zip.js

@@ -25,13 +25,13 @@ function zipBomb(tarFile) {
     const zipEntries = admZip.getEntries();
     zipEntries.forEach(function (zipEntry) {
         if (zipEntry.entryName === "my_file.txt") {
-            console.log(zipEntry.getData().toString("utf8"));
+            console.log(zipEntry.getData().toString("utf8")); // $ Alert
         }
     });
     // outputs the content of file named 10GB
-    console.log(admZip.readAsText("10GB"));
+    console.log(admZip.readAsText("10GB")); // $ Alert
     // extracts the specified file to the specified location
-    admZip.extractEntryTo("10GB", "/tmp/", false, true);
+    admZip.extractEntryTo("10GB", "/tmp/", false, true); // $ Alert
     // extracts everything
-    admZip.extractAllTo("./tmp", true);
+    admZip.extractAllTo("./tmp", true); // $ Alert
 }

javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/decompress.js

@@ -8,7 +8,7 @@ app.listen(3000, () => {
 });
 
 app.post('/upload', async (req, res) => {
-    decompress(req.query.filePath, 'dist').then(files => {
+    decompress(req.query.filePath, 'dist').then(files => { // $ Alert
         console.log('done!');
     });
 

javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/jszip.js

@@ -30,7 +30,7 @@ function zipBombSafe(zipFile) {
 }
 
 function zipBomb(zipFile) {
-    jszipp.loadAsync(zipFile.data).then(function (zip) {
+    jszipp.loadAsync(zipFile.data).then(function (zip) { // $ Alert
         zip.files["10GB"].async("uint8array").then(function (u8) {
             console.log(u8);
         });

javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/node-tar.js

@@ -21,7 +21,7 @@ function zipBomb(tarFile) {
     const inputFile = Readable.from(tarFile.data);
     const outputFile = fs.createWriteStream('/tmp/untar');
     inputFile.pipe(
-        tar.x()
+        tar.x() // $ Alert
     ).pipe(outputFile);
 
     // scenario 2
@@ -30,7 +30,7 @@ function zipBomb(tarFile) {
         tar.x({
             strip: 1,
             C: 'some-dir'
-        })
+        }) // $ Alert
     )
     // safe https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90
     fs.createReadStream(tarFile.name).pipe(
@@ -47,16 +47,16 @@ function zipBomb(tarFile) {
     ).pipe(
         tar.x({
             cwd: "dest"
-        })
+        }) // $ Alert
     )
 
     // scenario 4
     fs.writeFileSync(tarFile.name, tarFile.data);
     // or using fs.writeFile
     // file path is a tmp file name that can get from DB after saving to DB with remote file upload
     // so the input file name will come from a DB source
-    tar.x({ file: tarFile.name })
-    tar.extract({ file: tarFile.name })
+    tar.x({ file: tarFile.name }) // $ Alert
+    tar.extract({ file: tarFile.name }) // $ Alert
     // safe https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90
     tar.x({
         file: tarFile.name,

javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/pako.js

@@ -18,7 +18,7 @@ function zipBomb1(zipFile) {
     const myArray = Buffer.from(new Uint8Array(zipFile.data.buffer));
     let output;
     try {
-        output = pako.inflate(myArray);
+        output = pako.inflate(myArray); // $ Alert
         console.log(output);
     } catch (err) {
         console.log(err);
@@ -29,7 +29,7 @@ function zipBomb2(zipFile) {
     const myArray = new Uint8Array(zipFile.data.buffer).buffer;
     let output;
     try {
-        output = pako.inflate(myArray);
+        output = pako.inflate(myArray); // $ Alert
         console.log(output);
     } catch (err) {
         console.log(err);

javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unbzip2.js

@@ -9,5 +9,5 @@ app.listen(3000, () => {
 });
 
 app.post('/upload', async (req, res) => {
-    fs.createReadStream(req.query.FilePath).pipe(bz2()).pipe(process.stdout);
+    fs.createReadStream(req.query.FilePath).pipe(bz2()).pipe(process.stdout); // $ Alert
 });

javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unzipper.js

@@ -13,15 +13,15 @@ app.post('/upload', async (req, res) => {
     const RemoteStream = Readable.from(req.files.ZipFile.data);
 
     // Unsafe
-    RemoteStream.pipe(unzipper.Extract({ path: 'output/path' }));
+    RemoteStream.pipe(unzipper.Extract({ path: 'output/path' })); // $ Alert
 
     // Unsafe
-    RemoteStream.pipe(unzipper.ParseOne())
+    RemoteStream.pipe(unzipper.ParseOne()) // $ Alert
         .pipe(createWriteStream('firstFile.txt'));
 
     // Safe because of uncompressedSize
     RemoteStream
-        .pipe(unzipper.Parse())
+        .pipe(unzipper.Parse()) // $ Alert
         .on('entry', function (entry) {
             const size = entry.vars.uncompressedSize;
             if (size < 1024 * 1024 * 1024) {
@@ -31,14 +31,14 @@ app.post('/upload', async (req, res) => {
 
     // Unsafe
     RemoteStream
-        .pipe(unzipper.Parse())
+        .pipe(unzipper.Parse()) // $ Alert
         .on('entry', function (entry) {
             const size = entry.vars.uncompressedSize;
             entry.pipe(createWriteStream('output/path'));
         });
 
     // Unsafe
-    const zip = RemoteStream.pipe(unzipper.Parse({ forceStream: true }));
+    const zip = RemoteStream.pipe(unzipper.Parse({ forceStream: true })); // $ Alert
     for await (const entry of zip) {
         const fileName = entry.path;
         if (fileName === "this IS the file I'm looking for") {
@@ -48,7 +48,7 @@ app.post('/upload', async (req, res) => {
         }
     }
     // Safe
-    const zip2 = RemoteStream.pipe(unzipper.Parse({ forceStream: true }));
+    const zip2 = RemoteStream.pipe(unzipper.Parse({ forceStream: true })); // $ Alert
     for await (const entry of zip2) {
         const size = entry.vars.uncompressedSize;
         if (size < 1024 * 1024 * 1024) {
@@ -57,7 +57,7 @@ app.post('/upload', async (req, res) => {
     }
 
     // Safe  because of uncompressedSize
-    RemoteStream.pipe(unzipper.Parse())
+    RemoteStream.pipe(unzipper.Parse()) // $ Alert
         .pipe(stream.Transform({
             objectMode: true,
             transform: function (entry, e, cb) {
@@ -70,7 +70,7 @@ app.post('/upload', async (req, res) => {
         }));
 
     // Unsafe
-    RemoteStream.pipe(unzipper.Parse())
+    RemoteStream.pipe(unzipper.Parse()) // $ Alert
         .pipe(stream.Transform({
             objectMode: true,
             transform: function (entry, e, cb) {

javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/yauzl.js

@@ -9,9 +9,9 @@ app.listen(3000, () => {
 });
 
 app.post('/upload', (req, res) => {
-    yauzl.fromFd(req.files.zipFile.data)
-    yauzl.fromBuffer(req.files.zipFile.data)
-    yauzl.fromRandomAccessReader(req.files.zipFile.data)
+    yauzl.fromFd(req.files.zipFile.data) // $ Alert
+    yauzl.fromBuffer(req.files.zipFile.data) // $ Alert
+    yauzl.fromRandomAccessReader(req.files.zipFile.data) // $ Alert
     // Safe
     yauzl.open(req.query.filePath, { lazyEntries: true }, function (err, zipfile) {
         if (err) throw err;
@@ -36,11 +36,11 @@ app.post('/upload', (req, res) => {
     // Unsafe
     yauzl.open(req.query.filePath, { lazyEntries: true }, function (err, zipfile) {
         if (err) throw err;
-        zipfile.readEntry();
+        zipfile.readEntry(); // $ Alert
         zipfile.on("entry", function (entry) {
-            zipfile.openReadStream(entry, async function (err, readStream) {
+            zipfile.openReadStream(entry, async function (err, readStream) { // $ Alert
                 readStream.on("end", function () {
-                    zipfile.readEntry();
+                    zipfile.readEntry(); // $ Alert
                 });
                 const outputFile = fs.createWriteStream('testiness');
                 await pipeline(

javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/zlib.js

@@ -26,16 +26,16 @@ app.post('/upload', async (req, res) => {
 
 function zlibBombAsync(zipFile) {
     zlib.gunzip(
-        zipFile.data,
+        zipFile.data, // $ Alert
         (err, buffer) => {
         });
     zlib.unzip(
-        zipFile.data,
+        zipFile.data, // $ Alert
         (err, buffer) => {
         });
 
     zlib.brotliDecompress(
-        zipFile.data,
+        zipFile.data, // $ Alert
         (err, buffer) => {
         });
 }
@@ -60,9 +60,9 @@ function zlibBombAsyncSafe(zipFile) {
 }
 
 function zlibBombSync(zipFile) {
-    zlib.gunzipSync(zipFile.data, { finishFlush: zlib.constants.Z_SYNC_FLUSH });
-    zlib.unzipSync(zipFile.data);
-    zlib.brotliDecompressSync(zipFile.data);
+    zlib.gunzipSync(zipFile.data, { finishFlush: zlib.constants.Z_SYNC_FLUSH }); // $ Alert
+    zlib.unzipSync(zipFile.data); // $ Alert
+    zlib.brotliDecompressSync(zipFile.data); // $ Alert
 }
 
 function zlibBombSyncSafe(zipFile) {
@@ -74,17 +74,17 @@ function zlibBombSyncSafe(zipFile) {
 function zlibBombPipeStream(zipFile) {
     const inputStream = Readable.from(zipFile.data);
     const outputFile = fs.createWriteStream('unzip.txt');
-    inputStream.pipe(zlib.createGunzip()).pipe(outputFile);
-    inputStream.pipe(zlib.createUnzip()).pipe(outputFile);
-    inputStream.pipe(zlib.createBrotliDecompress()).pipe(outputFile);
+    inputStream.pipe(zlib.createGunzip()).pipe(outputFile); // $ Alert
+    inputStream.pipe(zlib.createUnzip()).pipe(outputFile); // $ Alert
+    inputStream.pipe(zlib.createBrotliDecompress()).pipe(outputFile); // $ Alert
 }
 
 async function zlibBombPipeStreamPromises(zipFile) {
     const inputStream = Readable.from(zipFile.data);
     const outputFile = fs.createWriteStream('unzip.txt');
     await stream.pipeline(
         inputStream,
-        zlib.createGunzip(),
+        zlib.createGunzip(), // $ Alert
         outputFile
     )
 }