Module TaintedPath
Import path
import semmle.javascript.security.dataflow.TaintedPathCustomizations
Predicates
isAdditionalTaintedPathFlowStep |
Holds if there is a step |
isRelative |
Holds if |
Classes
AngularJSTemplateUrlSink |
A |
BarrierGuardNode |
A barrier guard for tainted-path vulnerabilities. |
ContainsDotDotRegExpSanitizer |
An expression of form |
ContainsDotDotSanitizer |
An expression of form |
DotDotSlashPrefixRemovingReplace |
A call that removes all instances of “../” in the prefix of the string. |
DotRemovingReplaceCall |
A call that removes all “.” or “..” from a path, without also removing all forward slashes. |
ExpressRenderSink |
A path argument to the Express |
FsPathSink |
A path argument to a file system access. |
IsAbsoluteSanitizer |
A call to |
IsInsideCheckSanitizer |
An expression of form |
MembershipTestBarrierGuard |
A check of the form |
ModulePathSink |
An expression whose value is interpreted as a path to a module, making it a data flow sink for tainted-path vulnerabilities. |
NormalizingPathCall |
A call that normalizes a path. |
NormalizingRelativePathCall |
A call that normalizes a path and converts it to a relative path. |
PreservingPathCall |
A call that preserves taint without changing the flow label. |
RelativePathStartsWithSanitizer |
A sanitizer that recognizes the following pattern: |
RemoteFlowSourceAsSource |
A source of remote user input, considered as a flow source for tainted-path vulnerabilities. |
ResolveModuleSink |
An expression whose value is resolved to a module using the resolve library. |
ResolvingPathCall |
A call that converts a path to an absolute normalized path. |
Sanitizer |
A sanitizer for tainted-path vulnerabilities. |
SendPathSink |
The path argument of a send call, viewed as a sink. |
Sink |
A data flow sink for tainted-path vulnerabilities. |
Source |
A data flow source for tainted-path vulnerabilities. |
StartsWithDirSanitizer |
A check of form |
StartsWithDotDotSanitizer |
A check of form |