CodeQL library for JavaScript
Search

Module TaintedPath

Import path

import semmle.javascript.security.dataflow.TaintedPathCustomizations

Predicates

isAdditionalTaintedPathFlowStep

Holds if there is a step src -> dst mapping srclabel to dstlabel relevant for path traversal vulnerabilities.

isRelative

Holds if s is a relative path.

Classes

AngularJSTemplateUrlSink

A templateUrl member of an AngularJS directive.

BarrierGuardNode

A barrier guard for tainted-path vulnerabilities.

ContainsDotDotSanitizer

An expression of form x.includes("..") or similar.

DotDotSlashPrefixRemovingReplace

A call that removes all instances of “../” in the prefix of the string.

DotRemovingReplaceCall

A call that removes all “.” or “..” from a path, without also removing all forward slashes.

ExpressRenderSink

A path argument to the Express res.render method.

FsPathSink

A path argument to a file system access.

IsAbsoluteSanitizer

A call to path.isAbsolute as a sanitizer for relative paths in true branch, and a sanitizer for absolute paths in the false branch.

IsInsideCheckSanitizer

An expression of form isInside(x, y) or similar, where isInside is a library check for the relation between x and y.

MembershipTestBarrierGuard

A check of the form whitelist.includes(x) or equivalent, which sanitizes x in its “then” branch.

ModulePathSink

An expression whose value is interpreted as a path to a module, making it a data flow sink for tainted-path vulnerabilities.

NormalizingPathCall

A call that normalizes a path.

NormalizingRelativePathCall

A call that normalizes a path and converts it to a relative path.

PreservingPathCall

A call that preserves taint without changing the flow label.

RelativePathStartsWithSanitizer

A sanitizer that recognizes the following pattern: var relative = path.relative(webroot, pathname); if(relative.startsWith(".." + path.sep) || relative == "..") { // pathname is unsafe } else { // pathname is safe }

RemoteFlowSourceAsSource

A source of remote user input, considered as a flow source for tainted-path vulnerabilities.

ResolvingPathCall

A call that converts a path to an absolute normalized path.

Sanitizer

A sanitizer for tainted-path vulnerabilities.

SendPathSink

The path argument of a send call, viewed as a sink.

Sink

A data flow sink for tainted-path vulnerabilities.

Source

A data flow source for tainted-path vulnerabilities.

StartsWithDirSanitizer

A check of form x.startsWith(dir) that sanitizes normalized absolute paths, since it is then known to be in a subdirectory of dir.

StartsWithDotDotSanitizer

A check of form x.startsWith("../") or similar.

Modules