Skip to content

JS: recognize reading/wrinting calls to fstream #3451

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 12, 2020
Merged

JS: recognize reading/wrinting calls to fstream #3451

merged 3 commits into from
May 12, 2020

Conversation

erik-krogh
Copy link
Contributor

Recognizes code like the below as a writing file-system call (and likewise for reading calls):

var Writer = require('fstream').Writer;
Writer({path: somePath});

This recognizes the sink in CVE-2018-1002203.

@erik-krogh erik-krogh requested a review from a team as a code owner May 12, 2020 12:24
@erik-krogh erik-krogh added the JS label May 12, 2020
@esbena
Copy link
Contributor

esbena commented May 12, 2020

LGTM. I wonder how many other missing extends FileSystemWriteAccess we are missing in general. I would have expected extends FileSystemAccess to be sufficient.

@semmle-qlci semmle-qlci merged commit 6fb047a into github:master May 12, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@esbena esbena esbena approved these changes

Assignees
No one assigned
Labels
JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@erik-krogh @esbena @semmle-qlci