Skip to content

Address deprecation of PathExpr and port ZipSlipQuery #230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Sep 20, 2025
Merged

Address deprecation of PathExpr and port ZipSlipQuery #230

merged 10 commits into from
Sep 20, 2025

Conversation

@jeongsoolee09
Copy link
Contributor

@jeongsoolee09 jeongsoolee09 commented Sep 16, 2025
edited
Loading

What This PR Contributes

Rewrite XSJSZipSlip with new data flow APIs

XSJSZipSlip was the only query that wasn't ported to the newer data flow API in PR #220. This PR not only ports the query to using the newer API, it rewrites the entire query to be visually and conceptually cleaner.

WebRequestBody as unified RemoteFlowSource

Previously, methods asArrayBuffer, asString, and asWebRequest on these types were RemoteFlowSources on their own:

  • WebRequestBody (having access paths $.request and $.request.entities.* in source code)
  • InboundResponse.body (having acess paths $.net.http.Client::getResponse().body() in source code)

This made alert reporting a bit perplexing both conceptually and practically, as (1) these method calls could be mistaken as a side-effecting entrypoint that pulls data in, and (2) the data flow as reported starts from the call to these methods and not the actual request body or a response.

Therefore, we place the WebRequestBody on the sourceModel and leave only the InboundResponse on the sourceModel, and calls to the above three methods on the summaryModel.

Clean up, port, and streamline XSJSZipSlipQuery

  • XSJSZipInstanceDependingOnRemoteFlowSource is unnecessary when we have a combination of (1) unified RemoteFlowSource discussed above, (2) the data flow that starts from it, and (3) a stateful data flow config (enforcing the taint tracking to filter out flows that does not have an XSJSZipInstance along the way).
  • XSJSRemoteFlowSourceToZipInstanceStep is a special case of a kind of step already covered by the data flow library.
  • Port ZipEntryPathIndexOfCallEqualsZeroGuard to use DataFlow::MakeBarrierGuard.
  • Demote the ForInLoopDomainToVariableStep to a query-dependent step, from being a SharedFlowStep.

Replace deprecated PathString with FileSystem::Folder::Resolve

  • PathString is deprecated, so use FileSystem::Folder::Resolve<shouldResolve/2>::resolve where shouldResolve restricts the possible set of (container, path) pairs using the predefined isAnUnResolvedResourceRoot.

Miscellaneous

  • Remove rows that are commented out in xsjs.model.yml.
  • Remove obsolete module webBody.qll.

Future Works

  • Remove the deprecated DbLocation in ListXssPartialPaths.

@jeongsoolee09 jeongsoolee09 changed the title Address deprecation on PathExpr and port ZipSlipQuery Address deprecation of PathExpr and port ZipSlipQuery Sep 16, 2025
@jeongsoolee09 jeongsoolee09 marked this pull request as ready for review September 18, 2025 19:04
knewbury01
knewbury01 approved these changes Sep 20, 2025
View reviewed changes
Copy link
Contributor

@knewbury01 knewbury01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm! thanks!

@jeongsoolee09 jeongsoolee09 merged commit 785b6d2 into main Sep 20, 2025
5 checks passed
@jeongsoolee09 jeongsoolee09 deleted the jeongsoolee09/address-pathexpr-zipslip-deprecation branch September 20, 2025 22:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@knewbury01 knewbury01 knewbury01 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jeongsoolee09 @knewbury01