add more libraries that serve static files to js/exposure-of-private-files

erik-krogh · erik-krogh · commit 6675ddae121c · 2020-06-17T10:00:59.000+02:00
diff --git a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
@@ -105,7 +105,10 @@ DataFlow::Node getAPrivateFolderPath(string description) {
  * Gest a call that serves the folder `path` to the public.
  */
 DataFlow::CallNode servesAPrivateFolder(string description) {
-  result = DataFlow::moduleMember("express", "static").getACall() and
+  result = DataFlow::moduleMember(["express", "connect"], "static").getACall() and
+  result.getArgument(0) = getAPrivateFolderPath(description)
+  or
+  result = DataFlow::moduleImport("serve-static").getACall() and
   result.getArgument(0) = getAPrivateFolderPath(description)
 }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected b/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected
@@ -14,3 +14,5 @@
 | private-file-exposure.js:18:1:18:74 | app.use ... les"))) | Serves the folder "/node_modules", which can contain private information. |
 | private-file-exposure.js:19:1:19:88 | app.use ... lar/')) | Serves the folder "/node_modules/angular/", which can contain private information. |
 | private-file-exposure.js:22:1:22:58 | app.use ... lar/')) | Serves the folder "/node_modules/angular/", which can contain private information. |
+| private-file-exposure.js:40:1:40:88 | app.use ... lar/')) | Serves the folder "/node_modules/angular/", which can contain private information. |
+| private-file-exposure.js:41:1:41:97 | app.use ... lar/')) | Serves the folder "/node_modules/angular/", which can contain private information. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js
@@ -35,3 +35,7 @@ app.use('/js/', express.static('node_modules/bootstrap/dist/js'))
 app.use('/css/', express.static('node_modules/font-awesome/css'));
 app.use('basedir', express.static(__dirname)); // GOOD, because there is no package.json in the same folder.
 app.use('/monthly', express.static(__dirname + '/')); // GOOD, because there is no package.json in the same folder.
+
+const connect = require("connect");
+app.use('/angular', connect.static(path.join(__dirname, "/node_modules") + '/angular/')); // NOT OK
+app.use('/angular', require('serve-static')(path.join(__dirname, "/node_modules") + '/angular/')); // NOT OK
