JS: add tests with res.sendFile root option

asger-semmle · asger-semmle · commit f84301e47696 · 2018-12-19T10:25:15.000Z
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected
@@ -84,6 +84,9 @@ nodes
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-sendFile.js:7:16:7:33 | req.param("gimme") |
 | tainted-sendFile.js:9:16:9:33 | req.param("gimme") |
+| tainted-sendFile.js:12:16:12:33 | req.param("gimme") |
+| tainted-sendFile.js:14:16:14:33 | req.param("gimme") |
+| tainted-sendFile.js:17:16:17:32 | req.param("file") |
 | views.js:1:43:1:55 | req.params[0] |
 edges
 | TaintedPath-es6.js:7:7:7:44 | path | TaintedPath-es6.js:10:41:10:44 | path |
@@ -188,4 +191,7 @@ edges
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
 | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | a user-provided value |
 | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | a user-provided value |
+| tainted-sendFile.js:12:16:12:33 | req.param("gimme") | tainted-sendFile.js:12:16:12:33 | req.param("gimme") | tainted-sendFile.js:12:16:12:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:12:16:12:33 | req.param("gimme") | a user-provided value |
+| tainted-sendFile.js:14:16:14:33 | req.param("gimme") | tainted-sendFile.js:14:16:14:33 | req.param("gimme") | tainted-sendFile.js:14:16:14:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:14:16:14:33 | req.param("gimme") | a user-provided value |
+| tainted-sendFile.js:17:16:17:32 | req.param("file") | tainted-sendFile.js:17:16:17:32 | req.param("file") | tainted-sendFile.js:17:16:17:32 | req.param("file") | This path depends on $@. | tainted-sendFile.js:17:16:17:32 | req.param("file") | a user-provided value |
 | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on $@. | views.js:1:43:1:55 | req.params[0] | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/tainted-sendFile.js
@@ -7,4 +7,12 @@ app.get('/some/path', function(req, res) {
   res.sendFile(req.param("gimme"));
   // BAD: same as above
   res.sendfile(req.param("gimme"));
+
+  // GOOD: ensures files cannot be accessed outside of root folder
+  res.sendFile(req.param("gimme"), { root: process.cwd() });
+  // GOOD: ensures files cannot be accessed outside of root folder
+  res.sendfile(req.param("gimme"), { root: process.cwd() });
+
+  // BAD: doesn't help if user controls root
+  res.sendFile(req.param("file"), { root: req.param("dir") });
 });
