Add barrier to PathInjection query

Author: knewbury01

javascript/frameworks/cap/src/path-traversal/PathInjection.md

@@ -38,6 +38,14 @@ module.exports = class Service1 extends cds.ApplicationService {
     this.on("send1", async (req) => {
       let userinput = req.data
       await write(userinput).to('db/data') // Path injection alert
+
+      // GOOD: the path can not be controlled by an attacker
+      let allowedDirectories = [
+        'this-is-a-safe-directory'
+      ];
+      if (allowedDirectories.includes(userinput)) {
+        await rm(userinput) // sanitized - No Path injection alert
+      }
     }
   }
 }

javascript/frameworks/cap/src/path-traversal/PathInjection.ql

@@ -17,7 +17,7 @@ import javascript
 import advanced_security.javascript.frameworks.cap.CAPPathInjectionQuery
 import advanced_security.javascript.frameworks.cap.RemoteFlowSources
 private import semmle.javascript.security.dataflow.TaintedPathCustomizations
-private import semmle.javascript.security.dataflow.TaintedPathQuery
+private import semmle.javascript.security.dataflow.TaintedPathQuery as tq
 
 module PathInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
@@ -33,7 +33,7 @@ module PathInjectionConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof TaintedPath::Sanitizer
     or
-    TaintedPathConfig::isBarrier(node)
+    tq::TaintedPathConfig::isBarrier(node)
   }
 }
 

javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js

@@ -48,6 +48,13 @@ module.exports = class Service1 extends cds.ApplicationService {
 
             await rm(userinput, 'db', 'data') // sink
             await rm(userinput) // sink
+
+            let allowedDirectories = [
+                'this-is-a-safe-directory'
+            ];
+            if (allowedDirectories.includes(userinput)) {
+                await rm(userinput) // sanitized
+            }
         });
 
         super.init();