Merge pull request github#4708 from erik-krogh/emptyName

codeql-ci · web-flow · commit 4be158b36295 · 2020-11-24T17:34:55.000Z
Approved by asgerf
diff --git a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
@@ -80,10 +80,14 @@ Folder getAPackageJSONFolder() { result = any(PackageJSON json).getFile().getPar
 DataFlow::Node getALeakingFolder(string description) {
   exists(ModuleScope ms | result.asExpr() = ms.getVariable("__dirname").getAnAccess()) and
   result.getFile().getParentContainer() = getAPackageJSONFolder() and
-  description = "the folder " + result.getFile().getParentContainer().getRelativePath()
+  (
+    if result.getFile().getParentContainer().getRelativePath().trim() != ""
+    then description = "the folder " + result.getFile().getParentContainer().getRelativePath()
+    else description = "the source root folder"
+  )
   or
   result = DataFlow::moduleImport("os").getAMemberCall("homedir") and
-  description = "the home folder "
+  description = "the home folder"
   or
   result.mayHaveStringValue("/") and
   description = "the root folder"
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected b/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected
@@ -16,6 +16,7 @@
 | private-file-exposure.js:22:1:22:58 | app.use ... lar/')) | Serves the folder "/node_modules/angular/", which can contain private information. |
 | private-file-exposure.js:40:1:40:88 | app.use ... lar/')) | Serves the folder "/node_modules/angular/", which can contain private information. |
 | private-file-exposure.js:41:1:41:97 | app.use ... lar/')) | Serves the folder "/node_modules/angular/", which can contain private information. |
-| private-file-exposure.js:42:1:42:66 | app.use ... dir())) | Serves the home folder , which can contain private information. |
+| private-file-exposure.js:42:1:42:66 | app.use ... dir())) | Serves the home folder, which can contain private information. |
 | private-file-exposure.js:43:1:43:46 | app.use ... )("/")) | Serves the root folder, which can contain private information. |
 | private-file-exposure.js:51:5:51:88 | app.use ... les'))) | Serves the folder "../node_modules", which can contain private information. |
+| subfolder/private-file-exposure-2.js:6:1:6:34 | app.use ... rname)) | Serves the folder query-tests/Security/CWE-200/subfolder, which can contain private information. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js
@@ -59,4 +59,6 @@ function good() {
 
     app.use("jquery", express.static('./node_modules/jquery/dist')); // OK
     app.use("bootstrap", express.static('./node_modules/bootstrap/dist')); // OK
-}
+}
+
+app.use(express.static(__dirname)) // NOT OK
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/subfolder/package.json b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/package.json
@@ -0,0 +1 @@
+{}
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js
@@ -0,0 +1,6 @@
+var express = require('express');
+var http = require('http')
+var app = express()
+var server = http.createServer(app)
+// Static files:
+app.use(express.static(__dirname))
