add support for fs-extra methods in insecure-temporary-file

erik-krogh · erik-krogh · commit 35999a7f8ff9 · 2022-02-02T15:14:43.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileCustomizations.qll
@@ -30,7 +30,12 @@ module InsecureTemporaryFile {
     string methodName;
 
     OpenFileCall() {
-      methodName = ["open", "openSync", "writeFile", "writeFileSync"] and
+      methodName =
+        [
+          "open", "openSync", "writeFile", "writeFileSync", "writeJson", "writeJSON",
+          "writeJsonSync", "writeJSONSync", "outputJson", "outputJSON", "outputJsonSync",
+          "outputJSONSync", "outputFile", "outputFileSync"
+        ] and
       this = NodeJSLib::FS::moduleMember(methodName).getACall()
     }
 
@@ -40,7 +45,7 @@ module InsecureTemporaryFile {
       methodName = ["open", "openSync"] and
       result = this.getArgument(2)
       or
-      methodName = ["writeFile", "writeFileSync"] and
+      not methodName = ["open", "openSync"] and
       result = this.getOptionArgument(2, "mode")
     }
   }
@@ -88,7 +93,8 @@ module InsecureTemporaryFile {
         not this = root.getFirstLeaf()
       )
       or
-      exists(DataFlow::CallNode join | join = DataFlow::moduleMember("path", "join").getACall() |
+      exists(DataFlow::CallNode join |
+        join = DataFlow::moduleMember("path", "join").getACall() and
         this = join.getArgument([1 .. join.getNumArgument() - 1])
       )
     }

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,12 @@ module InsecureTemporaryFile {`
`30`	`30`	`string methodName;`
`31`	`31`
`32`	`32`	`OpenFileCall() {`
`33`		`- methodName = ["open", "openSync", "writeFile", "writeFileSync"] and`
	`33`	`+ methodName =`
	`34`	`+ [`
	`35`	`+ "open", "openSync", "writeFile", "writeFileSync", "writeJson", "writeJSON",`
	`36`	`+ "writeJsonSync", "writeJSONSync", "outputJson", "outputJSON", "outputJsonSync",`
	`37`	`+ "outputJSONSync", "outputFile", "outputFileSync"`
	`38`	`+ ] and`
`34`	`39`	`this = NodeJSLib::FS::moduleMember(methodName).getACall()`
`35`	`40`	`}`
`36`	`41`
`@@ -40,7 +45,7 @@ module InsecureTemporaryFile {`
`40`	`45`	`methodName = ["open", "openSync"] and`
`41`	`46`	`result = this.getArgument(2)`
`42`	`47`	`or`
`43`		`- methodName = ["writeFile", "writeFileSync"] and`
	`48`	`+ not methodName = ["open", "openSync"] and`
`44`	`49`	`result = this.getOptionArgument(2, "mode")`
`45`	`50`	`}`
`46`	`51`	`}`
`@@ -88,7 +93,8 @@ module InsecureTemporaryFile {`
`88`	`93`	`not this = root.getFirstLeaf()`
`89`	`94`	`)`
`90`	`95`	`or`
`91`		`- exists(DataFlow::CallNode join \| join = DataFlow::moduleMember("path", "join").getACall() \|`
	`96`	`+ exists(DataFlow::CallNode join \|`
	`97`	`+ join = DataFlow::moduleMember("path", "join").getACall() and`
`92`	`98`	`this = join.getArgument([1 .. join.getNumArgument() - 1])`
`93`	`99`	`)`
`94`	`100`	`}`