Module TaintedPath

Import path

import semmle.javascript.security.dataflow.TaintedPathCustomizations

Predicates

isAdditionalFlowStep	Holds if there is a step `node1 -> node2` mapping `state1` to `state2` relevant for path traversal vulnerabilities.
isAdditionalTaintedPathFlowStep	DEPRECATED. Use `isAdditionalFlowStep` instead.
isRelative	Holds if `s` is a relative path.

Classes

AngularJSTemplateUrlSink	DEPRECATED. This is no longer seen as a path-injection sink. It is tentatively handled by the client-side URL redirection query for now.
BarrierGuard	A barrier guard for tainted-path vulnerabilities.
ContainsDotDotRegExpSanitizer	An expression of form `x.matches(/\.\./)` or similar.
ContainsDotDotSanitizer	An expression of form `x.includes("..")` or similar.
DotDotSlashPrefixRemovingReplace	A call that removes all instances of “../” in the prefix of the string.
DotRemovingReplaceCall	A call that removes all “.” or “..” from a path, without also removing all forward slashes.
ExpressRenderSink	A path argument to the Express `res.render` method.
FsPathSink	A path argument to a file system access.
IsAbsoluteSanitizer	A call to `path.isAbsolute` as a sanitizer for relative paths in true branch, and a sanitizer for absolute paths in the false branch.
IsInsideCheckSanitizer	An expression of form `isInside(x, y)` or similar, where `isInside` is a library check for the relation between `x` and `y`.
MembershipTestBarrierGuard	A check of the form `whitelist.includes(x)` or equivalent, which sanitizes `x` in its “then” branch.
ModulePathSink	An expression whose value is interpreted as a path to a module, making it a data flow sink for tainted-path vulnerabilities.
NormalizingPathCall	A call that normalizes a path.
NormalizingRelativePathCall	A call that normalizes a path and converts it to a relative path.
PreservingPathCall	A call that preserves taint without changing the flow label.
RelativePathStartsWithSanitizer	A sanitizer that recognizes the following pattern: `var relative = path.relative(webroot, pathname); if(relative.startsWith(".." + path.sep) \|\| relative == "..") { // pathname is unsafe } else { // pathname is safe }`
RemoteFlowSourceAsSource	DEPRECATED: Use `ActiveThreatModelSource` from Concepts instead!
ResolveModuleSink	An expression whose value is resolved to a module using the resolve library.
ResolvingPathCall	A call that converts a path to an absolute normalized path.
Sanitizer	A sanitizer for tainted-path vulnerabilities.
SendPathSink	The path argument of a send call, viewed as a sink.
Sink	A data flow sink for tainted-path vulnerabilities.
Source	A data flow source for tainted-path vulnerabilities.
StartsWithDirSanitizer	A check of form `x.startsWith(dir)` that sanitizes normalized absolute paths, since it is then known to be in a subdirectory of `dir`.
StartsWithDotDotSanitizer	A check of form `x.startsWith("../")` or similar.

Modules

FlowState	Module containing details of individual flow states.
Label

Aliases

BarrierGuardNode	A barrier guard for tainted-path vulnerabilities.
FlowState	The flow state to associate with a tainted value. See also `FlowState::PosixPath`.