JavaScript: Add test and fix change note.

jcreedcmu · jcreedcmu · commit 4475dd4b9fdf · 2019-03-15T14:40:48.000-04:00
diff --git a/change-notes/1.21/analysis-javascript.md b/change-notes/1.21/analysis-javascript.md
@@ -19,6 +19,6 @@
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
 | Expression has no effect       | Fewer false-positive results | This rule now treats uses of `Object.defineProperty` more conservatively. |
 | Useless assignment to property | Fewer false-positive results | This rule now ignore reads of additional getters. |
-| ZipSlip                        | More results                 | This rule now considers more libraries, including tar as well as zip. |
+| Arbitrary file write during zip extraction ("Zip Slip") | More results | This rule now considers more libraries, including tar as well as zip. |
 
 ## Changes to QL libraries
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected
@@ -7,13 +7,19 @@ nodes
 | ZipSlipBad.js:7:11:7:31 | fileName |
 | ZipSlipBad.js:7:22:7:31 | entry.path |
 | ZipSlipBad.js:8:37:8:44 | fileName |
+| ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
+| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path |
+| ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
 edges
 | ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName |
 | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | ZipSlipBad2.js:5:9:5:46 | fileName |
 | ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
 | ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
 | ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
+| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName |
+| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName |
 #select
 | TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | TarSlipBad.js:6:36:6:46 | header.name | item path |
 | ZipSlipBad2.js:6:22:6:29 | fileName | ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:6:22:6:29 | fileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBad2.js:5:37:5:46 | entry.path | item path |
 | ZipSlipBad.js:8:37:8:44 | fileName | ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:8:37:8:44 | fileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBad.js:7:22:7:31 | entry.path | item path |
+| ZipSlipBadUnzipper.js:8:37:8:44 | fileName | ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | item path |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js
@@ -0,0 +1,9 @@
+const fs = require('fs');
+const unzipper = require('unzipper');
+
+fs.createReadStream('path/to/archive.zip')
+  .pipe(unzipper.Parse())
+  .on('entry', function (entry) {
+    var fileName = entry.path;
+    entry.pipe(fs.createWriteStream(fileName));
+  });
