@@ -18,9 +18,7 @@ module ZipSlip {
1818 /**
1919 * A sanitizer guard for unsafe zip extraction.
2020 */
21- abstract class SanitizerGuard extends
22- TaintTracking:: SanitizerGuardNode ,
23- DataFlow:: ValueNode { }
21+ abstract class SanitizerGuard extends TaintTracking:: SanitizerGuardNode , DataFlow:: ValueNode { }
2422
2523 /** A taint tracking configuration for Zip Slip */
2624 class Configuration extends TaintTracking:: Configuration {
@@ -53,10 +51,12 @@ module ZipSlip {
5351 class UnzipEntrySource extends Source {
5452 UnzipEntrySource ( ) {
5553 exists ( DataFlow:: MethodCallNode pipe , DataFlow:: MethodCallNode on |
56- pipe .getMethodName ( ) = "pipe"
57- and pipe .getArgument ( 0 ) .getALocalSource ( ) = DataFlow:: moduleImport ( "unzip" ) .getAMemberCall ( "Parse" )
58- and on = pipe .getAMemberCall ( "on" )
59- and this = on .getCallback ( 1 ) .getParameter ( 0 ) .getAPropertyRead ( "path" ) )
54+ pipe .getMethodName ( ) = "pipe" and
55+ pipe .getArgument ( 0 ) .getALocalSource ( ) = DataFlow:: moduleImport ( "unzip" )
56+ .getAMemberCall ( "Parse" ) and
57+ on = pipe .getAMemberCall ( "on" ) and
58+ this = on .getCallback ( 1 ) .getParameter ( 0 ) .getAPropertyRead ( "path" )
59+ )
6060 }
6161 }
6262
@@ -75,29 +75,25 @@ module ZipSlip {
7575
7676 /** A sink that is a file path that gets written to. */
7777 class FileSystemWriteSink extends Sink {
78- FileSystemWriteSink ( ) {
79- exists ( FileSystemWriteAccess fsw | fsw .getAPathArgument ( ) = this )
80- }
78+ FileSystemWriteSink ( ) { exists ( FileSystemWriteAccess fsw | fsw .getAPathArgument ( ) = this ) }
8179 }
8280
8381 /**
8482 * Gets a string which suffices to search for to ensure that a
8583 * filepath will not refer to parent directories.
8684 */
87- string getAParentDirName ( ) {
88- result = any ( string s | s = ".." or s = "../" )
89- }
85+ string getAParentDirName ( ) { result = any ( string s | s = ".." or s = "../" ) }
9086
9187 /** A check that a path string does not include '..' */
9288 class NoParentDirSanitizerGuard extends SanitizerGuard {
9389 StringOps:: Includes incl ;
9490
95- NoParentDirSanitizerGuard ( ) { this = incl }
91+ NoParentDirSanitizerGuard ( ) { this = incl }
9692
9793 override predicate sanitizes ( boolean outcome , Expr e ) {
98- incl .getPolarity ( ) .booleanNot ( ) = outcome
99- and incl .getBaseString ( ) .asExpr ( ) = e
100- and incl .getSubstring ( ) .mayHaveStringValue ( getAParentDirName ( ) )
94+ incl .getPolarity ( ) .booleanNot ( ) = outcome and
95+ incl .getBaseString ( ) .asExpr ( ) = e and
96+ incl .getSubstring ( ) .mayHaveStringValue ( getAParentDirName ( ) )
10197 }
10298 }
10399}