TaintedPath.js
var fs = require('fs'),
http = require('http'),
url = require('url'),
sanitize = require('sanitize-filename'),
pathModule = require('path')
;
// Probe: a query parameter taken from the request URL flows into fs.readFileSync.
// The inline "$ Source" / "$ Alert" / "OK" markers are the expected analyzer
// verdicts for the line they sit on; the comments around them say why each
// guard does or does not count as a sanitizer. `someOpaqueCondition`, `x`,
// `y` and `z` are intentionally undeclared. No listen() call appears in this
// file, so the server is analyzed but never started.
var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path; // $ Source
  res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system
  // A fixed prefix does not confine the result: ".." segments in `path` can still climb out of it.
  res.write(fs.readFileSync("/home/user/" + path)); // $ Alert - This could still read any file on the file system
  // A prefix check is satisfied by values that contain ".." after the prefix, so it is not a sanitizer.
  if (path.startsWith("/home/user/"))
    res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation
  // A substring blocklist says nothing about where the path resolves to.
  if (path.indexOf("secret") == -1)
    res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation
  // Existence confirms the file is there, not that the caller is allowed to read it.
  if (fs.existsSync(path))
    res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation
  // Strict equality against a closed set of literals is accepted as a sanitizer.
  if (path === 'foo.txt')
    res.write(fs.readFileSync(path)); // OK - Path is compared to white-list
  if (path === 'foo.txt' || path === 'bar.txt')
    res.write(fs.readFileSync(path)); // OK - Path is compared to white-list
  // The opaque disjunct lets values outside the literal set reach the sink.
  if (path === 'foo.txt' || path === 'bar.txt' || someOpaqueCondition())
    res.write(fs.readFileSync(path)); // $ Alert - Path is incompletely compared to white-list
  // sanitize-filename is a recognised sanitizer for this sink.
  path = sanitize(path);
  res.write(fs.readFileSync(path)); // OK - Path is sanitized
  // Re-read the raw value so the path-module probes below start from an unsanitized source.
  path = url.parse(req.url, true).query.path; // $ Source
  // OK - basename is safe
  res.write(fs.readFileSync(pathModule.basename(path)));
  // dirname keeps every leading component, so traversal survives it.
  res.write(fs.readFileSync(pathModule.dirname(path))); // $ Alert - taint is preserved
  // OK - extname is safe
  res.write(fs.readFileSync(pathModule.extname(path)));
  // join/normalize/relative/resolve/toNamespacedPath rewrite the string but
  // leave the caller in control of where it points; taint passes through
  // whichever argument position carries it.
  res.write(fs.readFileSync(pathModule.join(path))); // $ Alert - taint is preserved
  res.write(fs.readFileSync(pathModule.join(x, y, path, z))); // $ Alert - taint is preserved
  res.write(fs.readFileSync(pathModule.normalize(path))); // $ Alert - taint is preserved
  res.write(fs.readFileSync(pathModule.relative(x, path))); // $ Alert - taint is preserved
  res.write(fs.readFileSync(pathModule.relative(path, x))); // $ Alert - taint is preserved
  res.write(fs.readFileSync(pathModule.resolve(path))); // $ Alert - taint is preserved
  res.write(fs.readFileSync(pathModule.resolve(x, y, path, z))); // $ Alert - taint is preserved
  res.write(fs.readFileSync(pathModule.toNamespacedPath(path))); // $ Alert - taint is preserved
});
// Probe: query values produced by third-party query-string parsers are still
// request-controlled when they reach fs.readFileSync; each parser is expected
// to be modelled as a taint step.
var server = http.createServer(function(req, res) {
  // tests for a few uri-libraries
  res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert
  res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert
  res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert
});
// Probe: an Express wildcard route parameter used directly as a view name.
(function(){
  var express = require('express');
  var application = express();
  // req.params[0] is the text matched by "*" and is request-controlled.
  var views_local = (req, res) => res.render(req.params[0]); // $ Alert
  application.get('/views/*', views_local);
  // The second handler is defined in ./views, outside this file; no expectation is attached here.
  var views_imported = require("./views");
  application.get('/views/*', views_imported);
})();
// Probe: resolving symlinks with realpath/realpathSync is not sanitization —
// the resolved path is still chosen by the request, both as the synchronous
// return value and as the asynchronous callback argument.
var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path; // $ Source
  res.write(fs.readFileSync(fs.realpathSync(path))); // $ Alert
  fs.realpath(path,
    function(err, realpath){
      res.write(fs.readFileSync(realpath)); // $ Alert
    }
  );
});
// Probe: stripping every slash, backslash and ".." before the read. With no
// separators left the value can name only a single component, which is
// accepted as a sanitizer. The replacements are skipped when the parameter
// is absent or empty.
var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path;
  if (path) { // sanitization
    path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
    path = path.replace(/\.\./g, ''); // remove all ".."
  }
  res.write(fs.readFileSync(path)); // OK - Is sanitized above.
});
// Probe: the same slash/".." stripping as the previous server, written with
// an empty then-branch and the replacements in the else-branch. Exercises
// that the sanitizer is still recognised through this control-flow shape.
var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path;
  if (!path) {
  } else { // sanitization
    path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
    path = path.replace(/\.\./g, ''); // remove all ".."
  }
  res.write(fs.readFileSync(path)); // OK - Is sanitized above.
});
// Probe: the `send` module streams the file named by its second argument to
// the client, so it is a path-injection sink like fs.readFileSync.
var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path; // $ Source
  require('send')(req, path); // $ Alert
});
// Probe: splitting the path on "/" and recombining or indexing the pieces.
// Joining the segments back, indexing with an unknown position, concatenating
// with another array, and pop() all still yield a request-controlled path.
// The explicit last-segment read under `prefix` carries no marker, i.e. it is
// expected not to be reported (a single trailing component, like basename).
// `prefix` and `x` are intentionally undeclared.
var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path; // $ Source
  fs.readFileSync(path); // $ Alert
  var split = path.split("/");
  fs.readFileSync(split.join("/")); // $ Alert
  fs.readFileSync(prefix + split[split.length - 1])
  fs.readFileSync(split[x]) // $ Alert
  fs.readFileSync(prefix + split[x]) // $ Alert
  // concat in either order re-introduces the tainted segments.
  var concatted = prefix.concat(split);
  fs.readFileSync(concatted.join("/")); // $ Alert
  var concatted2 = split.concat(prefix);
  fs.readFileSync(concatted2.join("/")); // $ Alert
  fs.readFileSync(split.pop()); // $ Alert
});
// Probe: String.prototype.replace with a global regex literal as a sanitizer.
// Removing every slash (with or without dots) leaves no separators, so those
// reads carry no marker and are expected clean. Removing only dots defeats
// ".." but leaves an absolute path intact ("can be absolute") — unless the
// read is guarded by !pathModule.isAbsolute(path), where the same
// replacements are accepted. The final group checks stripping leading "../"
// after normalize() under a fixed prefix.
var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path; // $ Source
  // Removal of forward-slash or dots.
  res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, '')));
  // Unrelated character class: neither dots nor slashes are touched.
  res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // $ Alert
  res.write(fs.readFileSync(path.replace(/[./]/g, '')));
  // The class contains "/"; its letters are irrelevant to the verdict.
  res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, '')));
  res.write(fs.readFileSync(path.replace(/\//g, '')));
  res.write(fs.readFileSync(path.replace(/\.|\//g, '')));
  res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // $ Alert - can be absolute
  res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // $ Alert - can be absolute
  res.write(fs.readFileSync(path.replace(/\./g, ''))); // $ Alert - can be absolute
  res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // $ Alert - can be absolute
  // Same dot-only replacements, now with absolute paths excluded by the guard.
  if (!pathModule.isAbsolute(path)) {
    res.write(fs.readFileSync(path.replace(/[.]/g, '')));
    res.write(fs.readFileSync(path.replace(/[..]/g, '')));
    res.write(fs.readFileSync(path.replace(/\./g, '')));
    res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, '')));
  }
  // removing of "../" from prefix.
  // normalize() first folds interior "a/../../x" into leading "../" segments,
  // which the replace then strips; the unanchored variants are treated alike.
  res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, '')));
  res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.[\/\\])+/, '')));
  res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)+/, '')));
  res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)*/, '')));
  // Without normalize(), an interior "a/../.." never becomes a leading "../" for the anchored replace to remove.
  res.write(fs.readFileSync("prefix" + path.replace(/^(\.\.[\/\\])+/, ''))); // $ Alert - not normalized
  // Without the prefix the stripped value may still be an absolute path.
  res.write(fs.readFileSync(pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // $ Alert - can be absolute
});
import normalizeUrl from 'normalize-url';
// Probe: more query-string parsers (qs, parseqs), including one whose input
// first passes through normalize-url; the parsed property remains
// request-controlled in every case.
var server = http.createServer(function(req, res) {
  // tests for a few more uri-libraries
  const qs = require("qs");
  res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert
  res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert
  const parseqs = require("parseqs");
  res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert
});
const cp = require("child_process");
// Probe: the `cwd` option of child_process spawners is a path-injection sink
// even though the command itself is a fixed literal — the directory the child
// runs in is chosen by the request. The third call passes the options object
// in the args position (the args array is optional in Node's signature).
var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path; // $ Source
  cp.execSync("foobar", {cwd: path}); // $ Alert
  cp.execFileSync("foobar", ["args"], {cwd: path}); // $ Alert
  cp.execFileSync("foobar", {cwd: path}); // $ Alert
});
// Probe: the same slash-removing character class built with the RegExp
// constructor. The replacement only counts as a sanitizer with the 'g' flag;
// without it only the first match is removed. Flags that cannot be evaluated
// statically get the benefit of the doubt.
var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path; // $ Source
  // Removal of forward-slash or dots.
  res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), '')));
  res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // $ Alert
  res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK - Might be okay depending on what unknownFlags evaluates to.
});
// Probe: dot-only removal via the RegExp constructor. Outside the
// isAbsolute guard it is reported because an absolute path survives; inside
// the guard the 'g' and unknown-flag forms are accepted, while the empty-flag
// form (first match only) is still reported.
var server = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path; // $ Source
  res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // $ Alert - can be absolute
  if (!pathModule.isAbsolute(path)) {
    res.write(fs.readFileSync(path.replace(new RegExp("[.]", ''), ''))); // $ Alert
    res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), '')));
    res.write(fs.readFileSync(path.replace(new RegExp("[.]", unknownFlags()), '')));
  }
});
// Probe: the legacy global escape()/unescape() functions percent-encode and
// decode characters; neither restricts where a path can point, so both
// results are still reported.
var srv = http.createServer(function(req, res) {
  let path = url.parse(req.url, true).query.path; // $ Source
  const improperEscape = escape(path);
  res.write(fs.readFileSync(improperEscape)); // $ Alert
  const improperEscape2 = unescape(path);
  res.write(fs.readFileSync(improperEscape2)); // $ Alert
});