| 1 | +/** |
| 2 | + * @name Arbitrary file write during zip extraction ("Zip Slip") |
| 3 | + * @description Extracting files from a malicious zip archive without validating that the |
| 4 | + * destination file path is within the destination directory can cause files outside |
| 5 | + * the destination directory to be overwritten. |
| 6 | + * @kind path-problem |
| 7 | + * @id cs/zipslip |
| 8 | + * @problem.severity error |
| 9 | + * @precision high |
| 10 | + * @tags security |
| 11 | + * external/cwe/cwe-022 |
| 12 | + */ |
| 13 | + |
| 14 | +import javascript |
| 15 | +import semmle.javascript.security.dataflow.ZipSlip::ZipSlip |
| 16 | +import DataFlow::PathGraph |
| 17 | + |
| 18 | +from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink |
| 19 | +where cfg.hasFlowPath(source, sink) |
| 20 | +select sink.getNode(), source, sink, |
| 21 | + "Unsanitized zip archive $@, which may contain '..', is used in a file system operation.", |
| 22 | + source.getNode(), "item path" |
| 23 | + |
| 24 | + |
| 25 | + |
| 26 | +// class Configuration extends TaintTracking::Configuration { |
| 27 | +// Configuration() { this = "TarSlip" } |
| 28 | + |
| 29 | +// override predicate isSource(DataFlow::Node nd) { |
| 30 | +// isEntrySource(nd) |
| 31 | +// } |
| 32 | + |
| 33 | +// override predicate isSink(DataFlow::Node sink) { |
| 34 | +// isFuncSink(sink.asExpr()) |
| 35 | +// } |
| 36 | + |
| 37 | +// override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode nd) { |
| 38 | +// nd instanceof AbsentStringSanitizer |
| 39 | +// } |
| 40 | +// } |
| 41 | + |
| 42 | +// /** |
| 43 | +// * A guard that suffices to sanitize a value by establishing that it |
| 44 | +// * does *not* contain a certain bad substring. For example, |
| 45 | +// * |
| 46 | +// * if (s.indexOf("..") == -1) { ... } |
| 47 | +// * |
| 48 | +// * is considered to sanitize s. |
| 49 | +// */ |
| 50 | +// class AbsentStringSanitizer extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode { |
| 51 | +// MethodCallExpr indexOf; |
| 52 | +// override EqualityTest astNode; |
| 53 | + |
| 54 | +// AbsentStringSanitizer() { |
| 55 | +// indexOf.getMethodName() = "indexOf" and |
| 56 | +// astNode.getAnOperand().getIntValue() = -1 and |
| 57 | +// astNode.getAnOperand() = indexOf |
| 58 | +// } |
| 59 | + |
| 60 | +// override predicate sanitizes(boolean outcome, Expr e) { |
| 61 | +// outcome = true and |
| 62 | +// e = indexOf.getReceiver() |
| 63 | +// } |
| 64 | +// } |
| 65 | + |
| 66 | +// /** |
| 67 | +// * Holds if `nd` is the argument of a tar-archive file-entry event |
| 68 | +// * callback that contains the main bundle of metadata about the file |
| 69 | +// * entry, which includes its file name. |
| 70 | +// */ |
| 71 | +// predicate isEntrySource(DataFlow::Node nd) { |
| 72 | +// exists(MethodCallExpr mce | |
| 73 | +// mce.getMethodName() = "on" |
| 74 | +// and mce.getArgument(0).(StringLiteral).getStringValue() = "entry" |
| 75 | +// and DataFlow::parameterNode(mce.getArgument(1).(Function).getParameter(0)) = nd |
| 76 | +// ) |
| 77 | +// } |
| 78 | + |
| 79 | +// /** |
| 80 | +// * Holds if `s` is the name of a method whose first argument is |
| 81 | +// * a filename that may be written to. |
| 82 | +// */ |
| 83 | +// predicate isFileWritingMethod(string s) { |
| 84 | +// /* FIXME: Perhaps this should be unified with the related (private) |
| 85 | +// predicates in semmle.javascript.frameworks.NodeJSLib */ |
| 86 | +// s = "createWriteStream" or |
| 87 | +// s = "writeFile" or |
| 88 | +// s = "writeFileSync" |
| 89 | +// } |
| 90 | + |
| 91 | +// /** |
| 92 | +// * Holds if `e` is an expression that is at risk of |
| 93 | +// * being used as a filename which is written to. |
| 94 | +// */ |
| 95 | +// predicate isFuncSink(Expr e) { |
| 96 | +// exists(MethodCallExpr mce | |
| 97 | +// e = mce.getArgument(0) and |
| 98 | +// isFileWritingMethod(mce.getMethodName()) |
| 99 | +// ) |
| 100 | +// } |
| 101 | + |
| 102 | +// from DataFlow::Node src, DataFlow::Node tgt, Configuration cfg |
| 103 | +// where cfg.hasFlow(src, tgt) |
| 104 | +// select src, tgt |
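Review bot: The `@id cs/zipslip` in the query metadata (file line 7) carries the C# language prefix, while the query imports `javascript` and the JavaScript `ZipSlip` dataflow library; CodeQL query ids are language-prefixed, so this should read `@id js/zipslip`, otherwise tooling that keys results and suite membership by id will file this JavaScript query under the wrong language namespace. The block of commented-out code from file line 26 to 104 (the `TarSlip` `Configuration`, `AbsentStringSanitizer`, `isEntrySource`, `isFileWritingMethod`, `isFuncSink` and the old `from`/`select`) is dead code shipped in the new file; if the `ZipSlip` library now provides the sources, sinks and sanitizer guards, delete it rather than leaving a second, unmaintained definition of the vulnerability pattern next to the live one. It is also worth confirming that the library configuration still covers the tar `entry`-callback source the commented `isEntrySource` handled, since the alert message and `@name` speak only of zip archives. The file header for this section is not visible here, so I am assuming the whole file is new.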