Skip to content

JS: Add result.download to Express as Path Traversal Sink#18749

Merged
asgerf merged 3 commits intogithub:mainfrom
Kwstubbs:express
Feb 19, 2025
Merged

JS: Add result.download to Express as Path Traversal Sink#18749
asgerf merged 3 commits intogithub:mainfrom
Kwstubbs:express

Conversation

@Kwstubbs
Copy link
Contributor

@Kwstubbs Kwstubbs commented Feb 12, 2025

Add result.download to Express as Path Traversal Sink

Copilot AI review requested due to automatic review settings February 12, 2025 08:11
@Kwstubbs Kwstubbs requested a review from a team as a code owner February 12, 2025 08:11
Copilot AI reviewed Feb 12, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Overview

This pull request adds new test cases to ensure that Express’s res.download method is correctly analyzed as a path traversal sink. It enhances security tests by covering various file download invocations that combine un-sanitized input with path concatenation.

  • Added test cases in tainted-sendFile.js to simulate unsafe usage scenarios of res.download.
  • Updated change notes to document the new result.download() support for security analysis.

Changes

File Description
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js Added several test cases for res.download to highlight path traversal vulnerabilities.
javascript/ql/lib/change-notes/2025-02-12-express-download.md Added a change note entry describing the new addition of result.download support.

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (2)

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js:30

  • [nitpick] The code uses 'req.param' to access a parameter, whereas other cases use 'req.params'. For clarity and consistency, consider standardizing on one approach (e.g., 'req.params' or 'req.query') depending on your intended parameter source.
res.download(req.param("gimme"));

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js:38

  • [nitpick] The use of 'req.param' in this invocation differs from the use of 'req.params' elsewhere in the file. Standardizing the parameter access method will improve code readability and reduce potential confusion about where the parameters originate from.
res.download(req.param("file"), { root: req.param("dir") });

Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more

asgerf
asgerf reviewed Feb 12, 2025
View reviewed changes
Copy link
Contributor

@asgerf asgerf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, looks great! I'd just like to formulate the change note in a way that makes more sense to end users.

@Kwstubbs Kwstubbs requested a review from asgerf February 18, 2025 17:07
@asgerf asgerf merged commit e1c2805 into github:main Feb 19, 2025
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@asgerf asgerf asgerf approved these changes

Assignees

No one assigned

Labels

documentation JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Kwstubbs @asgerf