Add CDS Utils path injection query #224
Conversation
knewbury01
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| const taint5 = isfile(userinputthree) // taint step | ||
|
|
||
| const pkg = await read(taint1) // sink |
Check failure
Code scanning / CodeQL
Use of user controlled input in CAP CDS file system utilies High test
|
|
||
| const pkg = await read(taint1) // sink | ||
|
|
||
| const pdir = await readdir(taint2) // sink |
Check failure
Code scanning / CodeQL
Use of user controlled input in CAP CDS file system utilies High test
|
|
||
| const pdir = await readdir(taint2) // sink | ||
|
|
||
| const s = await stat(taint3) // sink |
Check failure
Code scanning / CodeQL
Use of user controlled input in CAP CDS file system utilies High test
|
|
||
| const s = await stat(taint3) // sink | ||
|
|
||
| const f = await find(taint4) // sink |
Check failure
Code scanning / CodeQL
Use of user controlled input in CAP CDS file system utilies High test
|
|
||
| const f = await find(taint4) // sink | ||
|
|
||
| await append('db/data').to(taint5) // sink |
Check failure
Code scanning / CodeQL
Use of user controlled input in CAP CDS file system utilies High test
| await mkdirp(userinput) // sink | ||
|
|
||
| await rmdir(userinput, 'db', 'data') // sink | ||
| await rmdir(userinput) // sink |
Check failure
Code scanning / CodeQL
Use of user controlled input in CAP CDS file system utilies High test
| await rmdir(userinput, 'db', 'data') // sink | ||
| await rmdir(userinput) // sink | ||
|
|
||
| await rimraf(userinput, 'db', 'data') // sink |
Check failure
Code scanning / CodeQL
Use of user controlled input in CAP CDS file system utilies High test
| await rmdir(userinput) // sink | ||
|
|
||
| await rimraf(userinput, 'db', 'data') // sink | ||
| await rimraf(userinput) // sink |
Check failure
Code scanning / CodeQL
Use of user controlled input in CAP CDS file system utilies High test
| await rimraf(userinput, 'db', 'data') // sink | ||
| await rimraf(userinput) // sink | ||
|
|
||
| await rm(userinput, 'db', 'data') // sink |
Check failure
Code scanning / CodeQL
Use of user controlled input in CAP CDS file system utilies High test
| await rimraf(userinput) // sink | ||
|
|
||
| await rm(userinput, 'db', 'data') // sink | ||
| await rm(userinput) // sink |
Check failure
Code scanning / CodeQL
Use of user controlled input in CAP CDS file system utilies High test
There was a problem hiding this comment.
Nice work. I'd like to suggest two things:
Lack of barriers
A barrier is lacking in this example. Research some well-known ways to neutralize path traversal and ones that are specific to CAP, and add both to the Recommendations section of the help file and to the isBarrier predicate of the configuration.
CDSAdditionalFlowStep hard to understand at first glance
It's a bit hard to follow the logic of CDSAdditionalFlowStep, and much of it is coming from the fact that conceptually a flow step is a pair of two dataflow nodes but the implementation at the moment is a DataFlow::Node.
But admittedly encoding a tuple can be a bit verbose to model in QL. So I think it's better to remove the hierarchy only for additional flow steps and directly inline the class definition into the isAdditionalStep predicate. It seems like the default queries are following this practice.
What This PR Contributes
PathInjection.qlFuture Works
Add additional unit tests if the extra API cases described here in the future works are covered in the future.