Skip to content

JS: model path-is-inside+is-path-inside for js/path-injection #2723

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 25, 2020
Merged

JS: model path-is-inside+is-path-inside for js/path-injection #2723

merged 2 commits into from
Feb 25, 2020

Conversation

esbena
Copy link
Contributor

@esbena esbena commented Jan 29, 2020
edited
Loading

The following pattern sanitizes paths wrt. path injection.

const isPathInside = require('path-is-inside');

if (!isPathInside(file, process.cwd())) {
    this.body = 'Bad Request';
    this.status = 400;
}

This PR models two confusingly similar packages: 'path-is-inside' and 'is-'path-inside' for that purpose.

Evaluation is pending.

@esbena esbena added the JS label Jan 29, 2020
@esbena esbena requested a review from a team as a code owner January 29, 2020 20:41
@erik-krogh
Copy link
Contributor 

var inside = require("path-is-inside")
inside("foo/bar/../../../../../etc/passwd", "foo/bar") === true

The is-path-inside library actually works, as it uses path.resolve(..) to "compress" the paths.

asgerf
asgerf reviewed Jan 30, 2020
View reviewed changes
javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll Outdated
outcome = true
// Note that `is-path-inside` states:
// > "Note that relative paths are resolved against process.cwd() to make them absolute."
// so it may be possible to undo this sanitization by later prepending some other path to the sanitized path.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you mean to leave this comment here? Doesn't seem like something we need to worry about.

@esbena esbena added the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Feb 3, 2020
asgerf
asgerf reviewed Feb 3, 2020
View reviewed changes
javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll Outdated

IsInsideCheckSanitizer() {
exists(string name, DataFlow::CallNode check |
name = "path-is-inside" or
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In line with @erik-krogh's comment, could you make path-is-inside only sanitize normalized absolute paths?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am waiting to see if Erik's PR against path-is-inside gets accepted.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That PR seems to have entered the void. path-is-inside is now a weaker sanitizer.

@esbena esbena force-pushed the js/support-path-is-inside branch from 9d4b0df to 63a0d6b Compare February 24, 2020 22:00
@esbena esbena force-pushed the js/support-path-is-inside branch from 63a0d6b to 0061c0e Compare February 24, 2020 22:09
@esbena esbena force-pushed the js/support-path-is-inside branch from 0061c0e to 5baba62 Compare February 24, 2020 22:11
@esbena
Copy link
Contributor Author

esbena commented Feb 25, 2020

I forgot about --dpm, but the evaluation seems uneventful. I believe this can be merged now.

@esbena esbena removed the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Feb 25, 2020
@semmle-qlci semmle-qlci merged commit 03b8823 into github:master Feb 25, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asgerf asgerf asgerf approved these changes

Assignees
No one assigned
Labels
JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@esbena @erik-krogh @asgerf @semmle-qlci