Rewrite XSJSZipSlip using modern APIs

jeongsoolee09 · jeongsoolee09 · commit 8083f2326958 · 2025-09-15T19:36:38.000-04:00
diff --git a/javascript/frameworks/xsjs/ext/xsjs.model.yml b/javascript/frameworks/xsjs/ext/xsjs.model.yml
@@ -35,19 +35,14 @@ extensions:
       extensible: sourceModel
     data:
       # ========== 1. Retrieving Web Request Body ==========
-      - [WebRequestBody, "Member[asArrayBuffer].ReturnValue", remote]
-      - [WebRequestBody, "Member[asString].ReturnValue", remote]
-      - [WebRequestBody, "Member[asWebRequest].ReturnValue", remote]
+      - [WebRequestBody, "", remote]
 
       # ========== 2. Retrieving Web Request Parameter Value ==========
       - [WebRequestParameters, "Member[get].ReturnValue", remote]
       - [WebRequestParameters, AnyMember, remote]
 
       # ========== 3. Receiving Response through HTTPClient ==========
       - [HTTPClient, "InboundResponse.Member[body]", remote]
-      - [HTTPClient, "InboundResponse.Member[body].Member[asArrayBuffer].ReturnValue", remote]
-      - [HTTPClient, "InboundResponse.Member[body].Member[asString].ReturnValue", remote]
-      - [HTTPClient, "InboundResponse.Member[body].Member[asWebRequest].ReturnValue", remote]
       - [HTTPClient, "InboundResponse.Member[cacheControl]", remote]
       - [HTTPClient, "InboundResponse.Member[contentType]", remote]
       - [HTTPClient, "InboundResponse.Member[cookies]", remote]
@@ -60,12 +55,15 @@ extensions:
       extensible: sinkModel
     data:
       - [WebResponse, "Member[setBody].Argument[0]", html-injection]
-      # - [Mail, "Member[send].Argument[this]", "???"]
-      # - [SMTPConnection, "Member[send].Argument[0]", "???"]
-      # - ["HTTPClient", "Member[request].Argument[0]", "???"]
 
   - addsTo:
       pack: codeql/javascript-all
       extensible: summaryModel
     data:
-      - [global, "Member[JSON].Member[parse]", "Argument[0]", "ReturnValue", taint]
+      - [global, "Member[JSON].Member[parse]", "Argument[0]", "ReturnValue", taint]
+      - [WebRequestBody, "Member[asArrayBuffer]", "Argument[this]", "ReturnValue", taint]
+      - [WebRequestBody, "Member[asString]", "Argument[this]", "ReturnValue", taint]
+      - [WebRequestBody, "Member[asWebRequest]", "Argument[this]", "ReturnValue", taint]
+      - [InboundResponse, "Member[body].Member[asArrayBuffer]", "Argument[this]", "ReturnValue", taint]
+      - [InboundResponse, "Member[body].Member[asString]", "Argument[this]", "ReturnValue", taint]
+      - [InboundResponse, "Member[body].Member[asWebRequest]", "Argument[this]", "ReturnValue", taint]
diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll
@@ -4,45 +4,15 @@ import semmle.javascript.security.dataflow.ZipSlipQuery as ZipSlip
 import semmle.javascript.security.dataflow.TaintedPathCustomizations::TaintedPath as TaintedPath
 
 /**
- * An instance of `$.util.Zip`, but the argument to the constructor call is reachable from a remote flow source.
- */
-class XSJSZipInstanceDependingOnRemoteFlowSource extends XSJSZipInstance {
-  RemoteFlowSource remoteArgument;
-
-  XSJSZipInstanceDependingOnRemoteFlowSource() {
-    this.getAnArgument().getALocalSource() = remoteArgument
-  }
-
-  RemoteFlowSource getRemoteArgument() { result = remoteArgument }
-}
-
-class XSJSRemoteFlowSourceToZipInstanceStep extends DataFlow::SharedFlowStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(XSJSZipInstanceDependingOnRemoteFlowSource dollarUtilZip |
-      pred = dollarUtilZip.getRemoteArgument() and
-      succ = dollarUtilZip
-    )
-  }
-}
-
-class ForInLoopDomainToVariableStep extends DataFlow::SharedFlowStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(ForInStmt forLoop |
-      pred = forLoop.getIterationDomain().flow() and
-      succ = forLoop.getAnIterationVariable().getAnAccess().flow()
-    )
-  }
-}
-
-/**
- * A node that checks if the path that is being extracted is indeed the prefix of the entry, e.g.
+ * A node that checks if the path that is being extracted is indeed the prefix of the entry.
+ * e.g.
  * ``` javascript
  * if (entryPath.indexOf("SomePrefix") === 0) {
  *   // extract the file with the path.
  * }
  * ```
  */
-class ZipEntryPathIndexOfCallEqualsZeroGuard extends TaintTracking::SanitizerGuardNode {
+class ZipEntryPathIndexOfCallEqualsZeroGuard extends DataFlow::Node {
   EqualityTest equalityTest;
   MethodCallNode indexOfCall;
   ForInStmt forLoop;
@@ -55,53 +25,69 @@ class ZipEntryPathIndexOfCallEqualsZeroGuard extends TaintTracking::SanitizerGua
     equalityTest.getRightOperand().getIntValue() = 0
   }
 
-  override predicate sanitizes(boolean outcome, Expr receiver) {
+  predicate blocksExpr(boolean outcome, Expr receiver) {
     exists(DataFlow::Node targetFilePath, DataFlow::Node forLoopVariable |
       receiver = targetFilePath.asExpr() and
       targetFilePath = indexOfCall.getReceiver() and
       forLoopVariable = forLoop.getAnIterationVariable().getAnAccess().flow() and
-      TaintedPath::isAdditionalTaintedPathFlowStep(forLoopVariable,
-        targetFilePath.getALocalSource(), _, _) and
+      TaintedPath::isAdditionalFlowStep(forLoopVariable, _, targetFilePath.getALocalSource(), _) and
       outcome = equalityTest.getPolarity()
     )
   }
 }
 
-/**
- * A class wraps `TaintedPath::BarrierGuardNode` by delegating its `sanitizes/0` to the `blocks/0` predicate.
- * The characteristic predicate of this class is deliberately left out.
- */
-class TaintedPathSanitizerGuard extends TaintTracking::SanitizerGuardNode {
-  TaintedPathSanitizerGuard() { this = this }
-
-  override predicate sanitizes(boolean outcome, Expr receiver) {
-    exists(TaintedPath::BarrierGuard node | node.blocksExpr(outcome, receiver))
+module XSJSZipSlip implements DataFlow::StateConfigSig {
+  class FlowState extends string {
+    FlowState() { this in ["$.util.Zip uninitialized", "$.util.Zip initialized"] }
   }
-}
 
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "XSJS Zip Slip Query" }
+  predicate isSource(DataFlow::Node node, FlowState state) {
+    node instanceof RemoteFlowSource and
+    state = "$.util.Zip uninitialized"
+  }
 
-  override predicate isSource(DataFlow::Node start) {
-    super.isSource(start)
-    or
-    exists(XSJSZipInstanceDependingOnRemoteFlowSource dollarUtilZip |
-      start = dollarUtilZip.getRemoteArgument()
-    )
+  predicate isSink(DataFlow::Node node, FlowState state) {
+    node instanceof ZipSlip::Sink and
+    state = "$.util.Zip initialized"
   }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) {
-    TaintedPath::isAdditionalTaintedPathFlowStep(src, dst, _, _)
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    (
+      node = DataFlow::MakeBarrierGuard<ZipEntryPathIndexOfCallEqualsZeroGuard>::getABarrierNode()
+      or
+      node = DataFlow::MakeBarrierGuard<TaintedPath::BarrierGuard>::getABarrierNode()
+    ) and
+    state = state
   }
 
-  override predicate isSink(DataFlow::Node end) {
-    super.isSink(end)
+  predicate isAdditionalFlowStep(
+    DataFlow::Node start, FlowState preState, DataFlow::Node end, FlowState postState
+  ) {
+    /* 1. `$.util.Zip` initialized */
+    start = start and
+    preState = "$.util.Zip uninitialized" and
+    end instanceof XSJSZipInstance and
+    // start.getBasicBlock().getASuccessor+() = end.getBasicBlock() and
+    postState = "$.util.Zip initialized"
     or
-    end instanceof ZipSlip::Sink
-  }
+    /*
+     * 2. Jump from a domain of a for-in statement to an access of the iteration variable.
+     * e.g.
+     * ``` javascript
+     * for (var x in y) {
+     *   var z = x;
+     * }
+     * ```
+     * This step jumps from `y` to `x` in the body of the for-in loop.
+     */
 
-  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
-    node instanceof ZipEntryPathIndexOfCallEqualsZeroGuard or
-    node instanceof TaintedPathSanitizerGuard
+    exists(ForInStmt forLoop |
+      start = forLoop.getIterationDomain().flow() and
+      end = forLoop.getAnIterationVariable().getAnAccess().flow() and
+      preState = postState
+    )
+    or
+    TaintedPath::isAdditionalFlowStep(start, _, end, _) and
+    preState = postState
   }
 }
diff --git a/javascript/frameworks/xsjs/src/XSJSZipSlip/XSJSZipSlip.ql b/javascript/frameworks/xsjs/src/XSJSZipSlip/XSJSZipSlip.ql
@@ -12,8 +12,13 @@
 
 import javascript
 import advanced_security.javascript.frameworks.xsjs.XSJSZipSlipQuery
-import DataFlow::PathGraph
+import semmle.javascript.frameworks.data.ModelsAsData
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink, source, sink, "The path of $@ being saved depends on a $@.", sink, "this zip file", source, "user-provided value"
+module XSJSZipSlipFlow = DataFlow::GlobalWithState<XSJSZipSlip>;
+
+import XSJSZipSlipFlow::PathGraph
+
+from XSJSZipSlipFlow::PathNode source, XSJSZipSlipFlow::PathNode sink
+where XSJSZipSlipFlow::flowPath(source, sink)
+select sink, source, sink, "The path of $@ being saved depends on a $@.", sink, "this zip file",
+  source, "user-provided value"
diff --git a/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected b/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected
@@ -1,26 +1,57 @@
-WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSZipSlip.ql:15,8-27)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSZipSlip.ql:17,28-46)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSZipSlip.ql:17,55-73)
-nodes
-| XSJSZipSlip.xsjs:7:7:7:62 | zipArchive |
-| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) |
-| XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() |
-| XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() |
-| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive |
-| XSJSZipSlip.xsjs:11:9:11:74 | targetFilePath |
-| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) |
-| XSJSZipSlip.xsjs:11:65:11:73 | entryPath |
-| XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath |
-| XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath |
 edges
-| XSJSZipSlip.xsjs:7:7:7:62 | zipArchive | XSJSZipSlip.xsjs:10:25:10:34 | zipArchive |
-| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | XSJSZipSlip.xsjs:7:7:7:62 | zipArchive |
-| XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) |
-| XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) |
-| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | XSJSZipSlip.xsjs:11:65:11:73 | entryPath |
-| XSJSZipSlip.xsjs:11:9:11:74 | targetFilePath | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath |
-| XSJSZipSlip.xsjs:11:9:11:74 | targetFilePath | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath |
-| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | XSJSZipSlip.xsjs:11:9:11:74 | targetFilePath |
-| XSJSZipSlip.xsjs:11:65:11:73 | entryPath | XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) |
+| XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config |
+| XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | XSJSZipSlip.xsjs:31:7:31:17 | requestBody | provenance |  |
+| XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | XSJSZipSlip.xsjs:32:7:32:17 | requestBody | provenance |  |
+| XSJSZipSlip.xsjs:6:16:6:26 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config |
+| XSJSZipSlip.xsjs:6:16:6:26 | requestBody | XSJSZipSlip.xsjs:7:35:7:45 | requestBody | provenance |  |
+| XSJSZipSlip.xsjs:7:7:7:62 | zipArchive | XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | provenance |  |
+| XSJSZipSlip.xsjs:7:7:7:62 | zipArchive | XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | provenance |  |
+| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | XSJSZipSlip.xsjs:7:7:7:62 | zipArchive | provenance |  |
+| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | XSJSZipSlip.xsjs:7:7:7:62 | zipArchive | provenance |  |
+| XSJSZipSlip.xsjs:7:35:7:45 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config |
+| XSJSZipSlip.xsjs:7:35:7:45 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config |
+| XSJSZipSlip.xsjs:7:35:7:45 | requestBody | XSJSZipSlip.xsjs:7:35:7:59 | request ... yBuffer | provenance | Config |
+| XSJSZipSlip.xsjs:7:35:7:59 | request ... yBuffer | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config |
+| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | XSJSZipSlip.xsjs:11:65:11:73 | entryPath | provenance | Config |
+| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | XSJSZipSlip.xsjs:11:65:11:73 | entryPath | provenance | Config |
+| XSJSZipSlip.xsjs:11:9:11:74 | targetFilePath | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | provenance |  |
+| XSJSZipSlip.xsjs:11:9:11:74 | targetFilePath | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | provenance |  |
+| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | XSJSZipSlip.xsjs:11:9:11:74 | targetFilePath | provenance |  |
+| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | XSJSZipSlip.xsjs:11:9:11:74 | targetFilePath | provenance |  |
+| XSJSZipSlip.xsjs:11:65:11:73 | entryPath | XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | provenance | Config |
+| XSJSZipSlip.xsjs:11:65:11:73 | entryPath | XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | provenance | Config |
+| XSJSZipSlip.xsjs:19:16:19:26 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config |
+| XSJSZipSlip.xsjs:19:16:19:26 | requestBody | XSJSZipSlip.xsjs:20:35:20:45 | requestBody | provenance |  |
+| XSJSZipSlip.xsjs:20:35:20:45 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config |
+| XSJSZipSlip.xsjs:20:35:20:45 | requestBody | XSJSZipSlip.xsjs:20:35:20:59 | request ... yBuffer | provenance | Config |
+| XSJSZipSlip.xsjs:20:35:20:59 | request ... yBuffer | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config |
+| XSJSZipSlip.xsjs:31:7:31:17 | requestBody | XSJSZipSlip.xsjs:6:16:6:26 | requestBody | provenance |  |
+| XSJSZipSlip.xsjs:31:7:31:17 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config |
+| XSJSZipSlip.xsjs:32:7:32:17 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config |
+| XSJSZipSlip.xsjs:32:7:32:17 | requestBody | XSJSZipSlip.xsjs:19:16:19:26 | requestBody | provenance |  |
+nodes
+| XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | semmle.label | $.request.body |
+| XSJSZipSlip.xsjs:6:16:6:26 | requestBody | semmle.label | requestBody |
+| XSJSZipSlip.xsjs:7:7:7:62 | zipArchive | semmle.label | zipArchive |
+| XSJSZipSlip.xsjs:7:7:7:62 | zipArchive | semmle.label | zipArchive |
+| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | semmle.label | new $.u ... ffer()) |
+| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | semmle.label | new $.u ... ffer()) |
+| XSJSZipSlip.xsjs:7:35:7:45 | requestBody | semmle.label | requestBody |
+| XSJSZipSlip.xsjs:7:35:7:59 | request ... yBuffer | semmle.label | request ... yBuffer |
+| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | semmle.label | zipArchive |
+| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | semmle.label | zipArchive |
+| XSJSZipSlip.xsjs:11:9:11:74 | targetFilePath | semmle.label | targetFilePath |
+| XSJSZipSlip.xsjs:11:9:11:74 | targetFilePath | semmle.label | targetFilePath |
+| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | semmle.label | require ... ryPath) |
+| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | semmle.label | require ... ryPath) |
+| XSJSZipSlip.xsjs:11:65:11:73 | entryPath | semmle.label | entryPath |
+| XSJSZipSlip.xsjs:11:65:11:73 | entryPath | semmle.label | entryPath |
+| XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | semmle.label | targetFilePath |
+| XSJSZipSlip.xsjs:19:16:19:26 | requestBody | semmle.label | requestBody |
+| XSJSZipSlip.xsjs:20:35:20:45 | requestBody | semmle.label | requestBody |
+| XSJSZipSlip.xsjs:20:35:20:59 | request ... yBuffer | semmle.label | request ... yBuffer |
+| XSJSZipSlip.xsjs:31:7:31:17 | requestBody | semmle.label | requestBody |
+| XSJSZipSlip.xsjs:32:7:32:17 | requestBody | semmle.label | requestBody |
+subpaths
 #select
-| XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | The path of $@ being saved depends on a $@. | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | this zip file | XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() | user-provided value |
+| XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | The path of $@ being saved depends on a $@. | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | this zip file | XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | user-provided value |
