Skip to content

JS: Share implementation between TaintedPath and ZipSlip #3525

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
May 20, 2020
Merged

JS: Share implementation between TaintedPath and ZipSlip #3525

merged 6 commits into from
May 20, 2020

Conversation

erik-krogh
Copy link
Contributor

I tried out 2 different strategies for sharing implementation between the TaintedPath and ZipSlip queries.

  1. Use a shared DataFlow::Configuration with sources/sinks for both queries, and then select the source/sink in the where clause.
  2. Share classes and predicates, but use separate DataFlow::Configurations.

I like 2. the best, and it also turns out that this strategy has the best performance.

The source in ZlipSlip is a relative non-normalized path.
I couldn't find an existing archive with a non-normalized path, but I managed to create a .tar file with such a path.

An evaluation on nightly looks good.

@erik-krogh erik-krogh added the JS label May 20, 2020
@erik-krogh erik-krogh requested a review from a team as a code owner May 20, 2020 08:26
asgerf
asgerf reviewed May 20, 2020
View reviewed changes
Copy link
Contributor

@asgerf asgerf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The source in ZlipSlip is a relative non-normalized path.

Are you sure it can't be a normalized relative path, like ../../../foo?

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll Outdated
DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
DataFlow::FlowLabel dstlabel
) {
isTaintedPathStep(src, dst, srclabel, dstlabel)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to merge these two predicates now? Otherwise, I'd suggest renaming the other one to isPosixPathStep or something like that. Right now the naming and separation is a little weird.

@erik-krogh
Copy link
Contributor Author

The source in ZlipSlip is a relative non-normalized path.

Are you sure it can't be a normalized relative path, like ../../../foo?

Yes... I meant relative, and both normalized and non-normalized. That is also what the implementation does.

@semmle-qlci semmle-qlci merged commit 8df7b7c into github:master May 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asgerf asgerf asgerf approved these changes

Assignees
No one assigned
Labels
JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@erik-krogh @asgerf @semmle-qlci