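--- a/javascript/ql/src/semmle/javascript/security/dataflow
+++ b/javascript/ql/src/semmle/javascript/security/dataflow
@@ -93,13 +93,38 @@ module TaintedPath {
 |
 name = argumentlessMethodName
 )
-or
+)
+or
+// array method calls of interest
+exists ( DataFlow:: MethodCallNode mcn , string name | dst = mcn and mcn .calls ( src , name ) |
+// A `str.split()` call can either split into path elements (`str.split("/")`) or split by some other string.
 name = "split" and
-not exists ( DataFlow:: Node splitBy | splitBy = mcn .getArgument ( 0 ) |
-splitBy .mayHaveStringValue ( "/" ) or
-any ( DataFlow:: RegExpLiteralNode reg | reg .getRoot ( ) .getAMatchedString ( ) = "/" )
-.flowsTo ( splitBy )
+(
+if
+exists ( DataFlow:: Node splitBy | splitBy = mcn .getArgument ( 0 ) |
+splitBy .mayHaveStringValue ( "/" ) or
+any ( DataFlow:: RegExpLiteralNode reg | reg .getRoot ( ) .getAMatchedString ( ) = "/" )
+.flowsTo ( splitBy )
+)
+then
+srclabel .( Label:: PosixPath ) .canContainDotDotSlash ( ) and
+dstlabel instanceof Label:: SplitPath
+else srclabel = dstlabel
 )
+or
+(
+name = "pop" or
+name = "shift" or
+name = "slice" or
+name = "splice"
+) and
+dstlabel instanceof Label:: SplitPath and
+srclabel instanceof Label:: SplitPath
+or
+name = "join" and
+mcn .getArgument ( 0 ) .mayHaveStringValue ( "/" ) and
+srclabel instanceof Label:: SplitPath and
+dstlabel .( Label:: PosixPath ) .canContainDotDotSlash ( )
 )
 }
 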
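Review bot: In the `pop`/`shift`/`slice`/`splice` branch (new lines 115–122) the step is bound to `dst = mcn`, i.e. the call's result, but for `pop()` and `shift()` that result is the removed element, not the remaining array, so a single path segment gets the `SplitPath` label while the mutated receiver that later reaches `join("/")` gets no step from this branch. If the intended flow is through the receiver, those two methods need a different `dst` than the call node; if only array-returning methods are meant, the list should be reduced to `slice`/`splice`. Either way the branch deserves a comment stating which value carries the label, e.g. `// array methods whose result is still an array of path elements`, and the `join` case would benefit from one explaining why the rebuilt string is assumed to contain "../" again. The `exists` opened on new line 99 closes at line 128, but the enclosing predicate starts before the hunk.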
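--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -108,6 +108,12 @@ module TaintedPath {
 not ( isNormalized ( ) and isAbsolute ( ) )
 }
 }
+
+class SplitPath extends DataFlow:: FlowLabel {
+SplitPath ( ) {
+this = "splitPath"
+}
+}
 }
 
 /**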
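Review bot: The new `SplitPath` class (new lines 112–116) has no QLDoc comment, and the string it binds to, `"splitPath"`, says nothing about what the label represents in the configuration; the `/**` opener on the hunk's last line suggests the neighbouring declarations in this module are documented, so this one stands out. A one-line QLDoc above the class would state the contract: `/** A flow label for an array of path elements obtained by splitting a path string on "/". */`. The enclosing `Label` module, if that is where this sits, begins and ends outside the hunk.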