
Commit 1f7dda7

committed
add dataflow barrier for if(xrandr)
1 parent aa8ebf4 commit 1f7dda7


3 files changed

+39
-11
lines changed


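--- a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
+++ b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -348,17 +348,6 @@ class PropNameTracking extends DataFlow::Configuration {
 )
 }
 
-override predicate isBarrier(DataFlow::Node node) {
-super.isBarrier(node)
-or
-exists(ConditionGuardNode guard, SsaRefinementNode refinement |
-node = DataFlow::ssaDefinitionNode(refinement) and
-refinement.getGuard() = guard and
-guard.getTest() instanceof VarAccess and
-guard.getOutcome() = false
-)
-}
-
 override predicate isBarrierGuard(DataFlow::BarrierGuardNode node) {
 node instanceof BlacklistEqualityGuard or
 node instanceof WhitelistEqualityGuard or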

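--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -1480,3 +1480,18 @@ private class AdditionalBarrierGuardCall extends AdditionalBarrierGuardNode, Dat
 
 override predicate appliesTo(Configuration cfg) { f.appliesTo(cfg) }
 }
+
+/** A check of the `if(x)`, which sanitizes `x` in its "else" branch. */
+private class VarAccessBarrierGuard extends AdditionalBarrierGuardNode, DataFlow::Node {
+VarAccess var;
+
+VarAccessBarrierGuard() {
+var = this.getEnclosingExpr()
+}
+
+override predicate blocks(boolean outcome, Expr e) {
+var = e and outcome = false
+}
+
+override predicate appliesTo(Configuration cfg) { any() }
+}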
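Review bot: `override predicate appliesTo(Configuration cfg) { any() }` on the new VarAccessBarrierGuard makes the falsy branch of every `if (x)` a barrier in every dataflow and taint configuration, whereas the PropNameTracking.isBarrier override removed in the first file applied that rule to one query; the class Javadoc should state this scope and why it is sound, because a falsy `x` cannot carry an attacker-controlled string but may still be a tracked value in a configuration that follows non-string data. Suggested replacement for the comment on line 1484: `/** A guard of the form if (x): in the branch where x is falsy it holds no attacker-controlled string, so x is treated as sanitized there. Applies to all configurations. */`. Note also that `blocks` matches any `VarAccess` that is the enclosing expression of the node, so whether this is limited to the condition position of an if/while/ternary depends on how AdditionalBarrierGuardNode is consumed, which lies outside this hunk.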

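--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -114,3 +114,27 @@ var server = http.createServer(function(req, res) {
 );
 
 });
+
+var server = http.createServer(function(req, res) {
+let path = url.parse(req.url, true).query.path;
+
+if (path) { // sanitization
+path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
+path = path.replace(/\.\./g, ''); // remove all ".."
+}
+
+res.write(fs.readFileSync(path)); // OK. Is sanitized above.
+});
+
+var server = http.createServer(function(req, res) {
+let path = url.parse(req.url, true).query.path;
+
+if (!path) {
+
+} else { // sanitization
+path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
+path = path.replace(/\.\./g, ''); // remove all ".."
+}
+
+res.write(fs.readFileSync(path)); // OK. Is sanitized above.
+});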
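Review bot: Both new cases mark the sink `// OK`, so the hunk only checks that the new guard does not add false positives; nothing checks that it sanitizes only the falsy branch. A companion case where the truthy branch leaves `path` untouched should still be reported, e.g. `if (path) { /* no sanitization */ } res.write(fs.readFileSync(path)); // NOT OK`, and likewise `if (!path) { return; } res.write(fs.readFileSync(path)); // NOT OK`. Such a case would change the query's expected output, and no TaintedPath `.expected` file is among the three files in this commit, which is consistent with both added cases producing no alerts but leaves the barrier's scope unverified by the test.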
