Merge pull request #2202 from asger-semmle/express-sendfile

semmle-qlci · web-flow · commit 33374ee089c5 · 2019-10-28T09:24:34.000Z
Approved by esbena
diff --git a/change-notes/1.23/analysis-javascript.md b/change-notes/1.23/analysis-javascript.md
@@ -43,6 +43,7 @@
 | Reflected cross-site scripting (`js/reflected-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
 | Stored cross-site scripting (`js/stored-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now treats responses from servers as untrusted. |
+| Uncontrolled data used in path expression (`js/path-injection`) | Fewer false-positive results | This query now recognizes calls to Express `sendFile` as safe in some cases. |
 
 ## Changes to QL libraries
 
diff --git a/javascript/ql/src/semmle/javascript/Concepts.qll b/javascript/ql/src/semmle/javascript/Concepts.qll
@@ -39,6 +39,14 @@ abstract class FileSystemAccess extends DataFlow::Node {
    * sanitization to prevent the path arguments from traversing outside the root folder.
    */
   DataFlow::Node getRootPathArgument() { none() }
+
+  /**
+   * Holds if this file system access will reject paths containing upward navigation
+   * segments (`../`).
+   *
+   * `argument` should refer to the relevant path argument or root path argument.
+   */
+  predicate isUpwardNavigationRejected(DataFlow::Node argument) { none() }
 }
 
 /**
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -839,6 +839,10 @@ module Express {
     override DataFlow::Node getRootPathArgument() {
       result = this.(DataFlow::CallNode).getOptionArgument(1, "root")
     }
+
+    override predicate isUpwardNavigationRejected(DataFlow::Node argument) {
+      argument = getAPathArgument()
+    }
   }
 
   /**
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -19,13 +19,11 @@ module TaintedPath {
     Configuration() { this = "TaintedPath" }
 
     override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-      source instanceof Source and
-      label instanceof Label::PosixPath
+      label = source.(Source).getAFlowLabel()
     }
 
     override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-      sink instanceof Sink and
-      label instanceof Label::PosixPath
+      label = sink.(Sink).getAFlowLabel()
     }
 
     override predicate isBarrier(DataFlow::Node node) {
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -10,12 +10,22 @@ module TaintedPath {
   /**
    * A data flow source for tainted-path vulnerabilities.
    */
-  abstract class Source extends DataFlow::Node { }
+  abstract class Source extends DataFlow::Node {
+    /** Gets a flow label denoting the type of value for which this is a source. */
+    DataFlow::FlowLabel getAFlowLabel() {
+      result instanceof Label::PosixPath
+    }
+  }
 
   /**
    * A data flow sink for tainted-path vulnerabilities.
    */
-  abstract class Sink extends DataFlow::Node { }
+  abstract class Sink extends DataFlow::Node {
+    /** Gets a flow label denoting the type of value for which this is a sink. */
+    DataFlow::FlowLabel getAFlowLabel() {
+      result instanceof Label::PosixPath
+    }
+  }
 
   /**
    * A sanitizer for tainted-path vulnerabilities.
@@ -369,17 +379,36 @@ module TaintedPath {
    * A path argument to a file system access.
    */
   class FsPathSink extends Sink, DataFlow::ValueNode {
+    FileSystemAccess fileSystemAccess;
+
     FsPathSink() {
-      exists(FileSystemAccess fs |
-        this = fs.getAPathArgument() and
-        not exists(fs.getRootPathArgument())
+      (
+        this = fileSystemAccess.getAPathArgument() and
+        not exists(fileSystemAccess.getRootPathArgument())
         or
-        this = fs.getRootPathArgument()
+        this = fileSystemAccess.getRootPathArgument()
       ) and
       not this = any(ResolvingPathCall call).getInput()
     }
   }
 
+  /**
+   * A path argument to a file system access, which disallows upward navigation.
+   */
+  private class FsPathSinkWithoutUpwardNavigation extends FsPathSink {
+    FsPathSinkWithoutUpwardNavigation() {
+      fileSystemAccess.isUpwardNavigationRejected(this)
+    }
+
+    override DataFlow::FlowLabel getAFlowLabel() {
+      // The protection is ineffective if the ../ segments have already
+      // cancelled out against the intended root dir using path.join or similar.
+      // Only flag normalized paths, as this corresponds to the output
+      // of a normalizing call that had a malicious input.
+      result.(Label::PosixPath).isNormalized()
+    }
+  }
+
   /**
    * A path argument to the Express `res.render` method.
    */
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
@@ -1 +1 @@
-| normalizedPaths.js:208:35:208:60 | // OK - ...  anyway | Spurious alert |
+| normalizedPaths.js:208:38:208:63 | // OK - ...  anyway | Spurious alert |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js

Original file line number	Diff line number	Diff line change
`@@ -839,6 +839,10 @@ module Express {`
`839`	`839`	`override DataFlow::Node getRootPathArgument() {`
`840`	`840`	`result = this.(DataFlow::CallNode).getOptionArgument(1, "root")`
`841`	`841`	`}`
	`842`	`+`
	`843`	`+ override predicate isUpwardNavigationRejected(DataFlow::Node argument) {`
	`844`	`+ argument = getAPathArgument()`
	`845`	`+ }`
`842`	`846`	`}`
`843`	`847`
`844`	`848`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -19,13 +19,11 @@ module TaintedPath {`
`19`	`19`	`Configuration() { this = "TaintedPath" }`
`20`	`20`
`21`	`21`	`override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {`
`22`		`- source instanceof Source and`
`23`		`- label instanceof Label::PosixPath`
	`22`	`+ label = source.(Source).getAFlowLabel()`
`24`	`23`	`}`
`25`	`24`
`26`	`25`	`override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {`
`27`		`- sink instanceof Sink and`
`28`		`- label instanceof Label::PosixPath`
	`26`	`+ label = sink.(Sink).getAFlowLabel()`
`29`	`27`	`}`
`30`	`28`
`31`	`29`	`override predicate isBarrier(DataFlow::Node node) {`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-\| normalizedPaths.js:208:35:208:60 \| // OK - ... anyway \| Spurious alert \|`
	`1`	`+\| normalizedPaths.js:208:38:208:63 \| // OK - ... anyway \| Spurious alert \|`