JS: Added tests for DotRemovingReplaceCall with RegExp Object.

github · Nov 27, 2024 · 0c937cd · 0c937cd
1 parent 2f7df2d
commit 0c937cd
Show file tree

Hide file tree

Showing 3 changed files with 133 additions and 0 deletions.
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
@@ -0,0 +1 @@
+| TaintedPath.js:213 | expected an alert, but found none | NOT OK (can be absolute) |  |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -1619,6 +1619,60 @@ nodes
 | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
 | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
 | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:24:211:30 | req.url |
+| TaintedPath.js:211:24:211:30 | req.url |
+| TaintedPath.js:211:24:211:30 | req.url |
+| TaintedPath.js:211:24:211:30 | req.url |
+| TaintedPath.js:211:24:211:30 | req.url |
+| TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') |
 | examples/TaintedPath.js:8:7:8:52 | filePath |
 | examples/TaintedPath.js:8:7:8:52 | filePath |
 | examples/TaintedPath.js:8:7:8:52 | filePath |
@@ -6910,6 +6964,70 @@ edges
 | TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
 | TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
 | TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') |
+| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
+| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... '), '') |
 | examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath |
 | examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath |
 | examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath |
@@ -10730,6 +10848,7 @@ edges
 | TaintedPath.js:197:45:197:48 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:197:45:197:48 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
 | TaintedPath.js:198:35:198:38 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:198:35:198:38 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value |
 | TaintedPath.js:206:29:206:85 | path.re ... '), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:206:29:206:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value |
+| TaintedPath.js:216:31:216:69 | path.re ... '), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:216:31:216:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value |
 | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value |
 | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. | express.js:8:20:8:32 | req.query.bar | user-provided value |
 | handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value |

diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -206,3 +206,16 @@ var server = http.createServer(function(req, res) {
   res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // NOT OK.
   res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK -- Might be okay depending on what unknownFlags evaluates to.
 });
+
+var server = http.createServer(function(req, res) {
+  let path = url.parse(req.url, true).query.path;
+
+  res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // NOT OK (can be absolute) -- Currently not flagged because it is not a literal
+
+  if (!pathModule.isAbsolute(path)) {
+    res.write(fs.readFileSync(path.replace(new RegExp("[.]", ''), ''))); // NOT OK
+    res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // OK
+    res.write(fs.readFileSync(path.replace(new RegExp("[.]", unknownFlags()), ''))); // OK
+  }
+});
+
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		\| TaintedPath.js:213 \| expected an alert, but found none \| NOT OK (can be absolute) \| \|