diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll index df6a93682..be274c2e7 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll @@ -4,6 +4,7 @@ import advanced_security.javascript.frameworks.ui5.JsonParser import semmle.javascript.security.dataflow.DomBasedXssCustomizations import advanced_security.javascript.frameworks.ui5.UI5View import advanced_security.javascript.frameworks.ui5.UI5HTML +import codeql.util.FileSystem private module WebAppResourceRootJsonReader implements JsonParser::MakeJsonReaderSig { class JsonReader extends WebApp { @@ -33,12 +34,13 @@ private predicate isAnUnResolvedResourceRoot(WebApp webApp, string name, string ) } -class ResourceRootPathString extends PathString { - WebApp webApp; - - ResourceRootPathString() { isAnUnResolvedResourceRoot(webApp, _, this) } - - override Folder getARootFolder() { result = webApp.getWebAppFolder() } +private module UI5WebAppResolverConfig implements Folder::ResolveSig { + predicate shouldResolve(Container f, string relativePath) { + exists(WebApp webApp | + f = webApp.getWebAppFolder() and + isAnUnResolvedResourceRoot(webApp, _, relativePath) + ) + } } class ResourceRoot extends Container { @@ -48,7 +50,7 @@ class ResourceRoot extends Container { ResourceRoot() { isAnUnResolvedResourceRoot(webApp, name, path) and - path.(PathString).resolve(webApp.getWebAppFolder()).getContainer() = this + Folder::Resolve::resolve(webApp.getWebAppFolder(), path) = this } string getName() { result = name } @@ -168,7 +170,9 @@ class SapDefineModule extends AmdModuleDefinition::Range, MethodCallExpr, UserMo ) } - string getDependency(int i) { result = this.(AmdModuleDefinition).getDependencyExpr(i).getStringValue() } + string getDependency(int i) { + result = this.(AmdModuleDefinition).getDependencyExpr(i).getStringValue() + } override string getADependency() { result = this.getDependency(_) } diff --git a/javascript/frameworks/xsjs/ext/xsjs.model.yml b/javascript/frameworks/xsjs/ext/xsjs.model.yml index 8fc74518e..3df97796f 100644 --- a/javascript/frameworks/xsjs/ext/xsjs.model.yml +++ b/javascript/frameworks/xsjs/ext/xsjs.model.yml @@ -35,9 +35,7 @@ extensions: extensible: sourceModel data: # ========== 1. Retrieving Web Request Body ========== - - [WebRequestBody, "Member[asArrayBuffer].ReturnValue", remote] - - [WebRequestBody, "Member[asString].ReturnValue", remote] - - [WebRequestBody, "Member[asWebRequest].ReturnValue", remote] + - [WebRequestBody, "", remote] # ========== 2. Retrieving Web Request Parameter Value ========== - [WebRequestParameters, "Member[get].ReturnValue", remote] @@ -45,9 +43,6 @@ extensions: # ========== 3. Receiving Response through HTTPClient ========== - [HTTPClient, "InboundResponse.Member[body]", remote] - - [HTTPClient, "InboundResponse.Member[body].Member[asArrayBuffer].ReturnValue", remote] - - [HTTPClient, "InboundResponse.Member[body].Member[asString].ReturnValue", remote] - - [HTTPClient, "InboundResponse.Member[body].Member[asWebRequest].ReturnValue", remote] - [HTTPClient, "InboundResponse.Member[cacheControl]", remote] - [HTTPClient, "InboundResponse.Member[contentType]", remote] - [HTTPClient, "InboundResponse.Member[cookies]", remote] @@ -60,12 +55,15 @@ extensions: extensible: sinkModel data: - [WebResponse, "Member[setBody].Argument[0]", html-injection] - # - [Mail, "Member[send].Argument[this]", "???"] - # - [SMTPConnection, "Member[send].Argument[0]", "???"] - # - ["HTTPClient", "Member[request].Argument[0]", "???"] - addsTo: pack: codeql/javascript-all extensible: summaryModel data: - - [global, "Member[JSON].Member[parse]", "Argument[0]", "ReturnValue", taint] \ No newline at end of file + - [global, "Member[JSON].Member[parse]", "Argument[0]", "ReturnValue", taint] + - [WebRequestBody, "Member[asArrayBuffer]", "Argument[this]", "ReturnValue", taint] + - [WebRequestBody, "Member[asString]", "Argument[this]", "ReturnValue", taint] + - [WebRequestBody, "Member[asWebRequest]", "Argument[this]", "ReturnValue", taint] + - [InboundResponse, "Member[body].Member[asArrayBuffer]", "Argument[this]", "ReturnValue", taint] + - [InboundResponse, "Member[body].Member[asString]", "Argument[this]", "ReturnValue", taint] + - [InboundResponse, "Member[body].Member[asWebRequest]", "Argument[this]", "ReturnValue", taint] \ No newline at end of file diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll index a065a964b..c31defb41 100644 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll +++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll @@ -4,45 +4,15 @@ import semmle.javascript.security.dataflow.ZipSlipQuery as ZipSlip import semmle.javascript.security.dataflow.TaintedPathCustomizations::TaintedPath as TaintedPath /** - * An instance of `$.util.Zip`, but the argument to the constructor call is reachable from a remote flow source. - */ -class XSJSZipInstanceDependingOnRemoteFlowSource extends XSJSZipInstance { - RemoteFlowSource remoteArgument; - - XSJSZipInstanceDependingOnRemoteFlowSource() { - this.getAnArgument().getALocalSource() = remoteArgument - } - - RemoteFlowSource getRemoteArgument() { result = remoteArgument } -} - -class XSJSRemoteFlowSourceToZipInstanceStep extends DataFlow::SharedFlowStep { - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { - exists(XSJSZipInstanceDependingOnRemoteFlowSource dollarUtilZip | - pred = dollarUtilZip.getRemoteArgument() and - succ = dollarUtilZip - ) - } -} - -class ForInLoopDomainToVariableStep extends DataFlow::SharedFlowStep { - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { - exists(ForInStmt forLoop | - pred = forLoop.getIterationDomain().flow() and - succ = forLoop.getAnIterationVariable().getAnAccess().flow() - ) - } -} - -/** - * A node that checks if the path that is being extracted is indeed the prefix of the entry, e.g. + * A node that checks if the path that is being extracted is indeed the prefix of the entry. + * e.g. * ``` javascript * if (entryPath.indexOf("SomePrefix") === 0) { * // extract the file with the path. * } * ``` */ -class ZipEntryPathIndexOfCallEqualsZeroGuard extends TaintTracking::SanitizerGuardNode { +class ZipEntryPathIndexOfCallEqualsZeroGuard extends DataFlow::Node { EqualityTest equalityTest; MethodCallNode indexOfCall; ForInStmt forLoop; @@ -55,53 +25,68 @@ class ZipEntryPathIndexOfCallEqualsZeroGuard extends TaintTracking::SanitizerGua equalityTest.getRightOperand().getIntValue() = 0 } - override predicate sanitizes(boolean outcome, Expr receiver) { + predicate blocksExpr(boolean outcome, Expr receiver) { exists(DataFlow::Node targetFilePath, DataFlow::Node forLoopVariable | receiver = targetFilePath.asExpr() and targetFilePath = indexOfCall.getReceiver() and forLoopVariable = forLoop.getAnIterationVariable().getAnAccess().flow() and - TaintedPath::isAdditionalTaintedPathFlowStep(forLoopVariable, - targetFilePath.getALocalSource(), _, _) and + TaintedPath::isAdditionalFlowStep(forLoopVariable, _, targetFilePath.getALocalSource(), _) and outcome = equalityTest.getPolarity() ) } } -/** - * A class wraps `TaintedPath::BarrierGuardNode` by delegating its `sanitizes/0` to the `blocks/0` predicate. - * The characteristic predicate of this class is deliberately left out. - */ -class TaintedPathSanitizerGuard extends TaintTracking::SanitizerGuardNode { - TaintedPathSanitizerGuard() { this = this } - - override predicate sanitizes(boolean outcome, Expr receiver) { - exists(TaintedPath::BarrierGuard node | node.blocksExpr(outcome, receiver)) +module XSJSZipSlip implements DataFlow::StateConfigSig { + class FlowState extends string { + FlowState() { this in ["$.util.Zip uninitialized", "$.util.Zip initialized"] } } -} -class Configuration extends TaintTracking::Configuration { - Configuration() { this = "XSJS Zip Slip Query" } + predicate isSource(DataFlow::Node node, FlowState state) { + node instanceof RemoteFlowSource and + state = "$.util.Zip uninitialized" + } - override predicate isSource(DataFlow::Node start) { - super.isSource(start) - or - exists(XSJSZipInstanceDependingOnRemoteFlowSource dollarUtilZip | - start = dollarUtilZip.getRemoteArgument() - ) + predicate isSink(DataFlow::Node node, FlowState state) { + node instanceof ZipSlip::Sink and + state = "$.util.Zip initialized" } - override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) { - TaintedPath::isAdditionalTaintedPathFlowStep(src, dst, _, _) + predicate isBarrier(DataFlow::Node node, FlowState state) { + ( + node = DataFlow::MakeBarrierGuard::getABarrierNode() + or + node = DataFlow::MakeBarrierGuard::getABarrierNode() + ) and + state = state } - override predicate isSink(DataFlow::Node end) { - super.isSink(end) + predicate isAdditionalFlowStep( + DataFlow::Node start, FlowState preState, DataFlow::Node end, FlowState postState + ) { + /* 1. `$.util.Zip` initialized */ + start = start and + preState = "$.util.Zip uninitialized" and + end instanceof XSJSZipInstance and + postState = "$.util.Zip initialized" or - end instanceof ZipSlip::Sink - } + /* + * 2. Jump from a domain of a for-in statement to an access of the iteration variable. + * e.g. + * ``` javascript + * for (var x in y) { + * var z = x; + * } + * ``` + * This step jumps from `y` to `x` in the body of the for-in loop. + */ - override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) { - node instanceof ZipEntryPathIndexOfCallEqualsZeroGuard or - node instanceof TaintedPathSanitizerGuard + exists(ForInStmt forLoop | + start = forLoop.getIterationDomain().flow() and + end = forLoop.getAnIterationVariable().getAnAccess().flow() and + preState = postState + ) + or + TaintedPath::isAdditionalFlowStep(start, _, end, _) and + preState = postState } } diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/webBody.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/webBody.qll deleted file mode 100644 index 17471fd1b..000000000 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/webBody.qll +++ /dev/null @@ -1,44 +0,0 @@ -/** - * Classes to find uses of new $.net.http.Client() .getResponse() calls. - * A net.http.Client is the object; its .getResponse() method is a data source. - * - * @ kind problem - * @id xsjs-source - */ - -import javascript -import DataFlow as DF - -// Identify 'new $.net.http.Client' -class NewHTTPClient extends NewExpr { - NewHTTPClient() { - exists(DotExpr de1 | - this.getAChild() = de1 and - de1.toString() = "$.net.http.Client" - ) - } -} - -// Connect -// new $.net.http.Client(); -// -// to its use: -// _.getResponse() -DF::SourceNode myType(DF::TypeTracker t) { - t.start() and - exists(NewHTTPClient nc | nc.flow().getALocalSource() = result) - or - exists(DF::TypeTracker t2 | result = myType(t2).track(t2, t)) -} - -DF::SourceNode myType() { result = myType(DF::TypeTracker::end()) } - -class NetHTTPSource extends MethodCallExpr { - NetHTTPSource() { - exists(DF::SourceNode sn, Expr db | - sn = myType() and - this.getMethodName() = "getResponse" and - db = this.getReceiver() - ) - } -} diff --git a/javascript/frameworks/xsjs/src/XSJSZipSlip/XSJSZipSlip.ql b/javascript/frameworks/xsjs/src/XSJSZipSlip/XSJSZipSlip.ql index c9ca57d3b..03801cd47 100644 --- a/javascript/frameworks/xsjs/src/XSJSZipSlip/XSJSZipSlip.ql +++ b/javascript/frameworks/xsjs/src/XSJSZipSlip/XSJSZipSlip.ql @@ -12,8 +12,13 @@ import javascript import advanced_security.javascript.frameworks.xsjs.XSJSZipSlipQuery -import DataFlow::PathGraph +import semmle.javascript.frameworks.data.ModelsAsData -from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink -where config.hasFlowPath(source, sink) -select sink, source, sink, "The path of $@ being saved depends on a $@.", sink, "this zip file", source, "user-provided value" +module XSJSZipSlipFlow = DataFlow::GlobalWithState; + +import XSJSZipSlipFlow::PathGraph + +from XSJSZipSlipFlow::PathNode source, XSJSZipSlipFlow::PathNode sink +where XSJSZipSlipFlow::flowPath(source, sink) +select sink, source, sink, "The path of $@ being saved depends on a $@.", sink, "this zip file", + source, "user-provided value" diff --git a/javascript/frameworks/xsjs/test/models/source/source.expected b/javascript/frameworks/xsjs/test/models/source/source.expected index c9e916951..c1988e4b4 100644 --- a/javascript/frameworks/xsjs/test/models/source/source.expected +++ b/javascript/frameworks/xsjs/test/models/source/source.expected @@ -1,15 +1,7 @@ -| source.xsjs:42:24:42:54 | webRequ ... uffer() | Remote flow source of type: Remote flow | -| source.xsjs:42:24:42:54 | webRequ ... uffer() | Remote flow source of type: Source node (remote) [from data-extension] | -| source.xsjs:43:24:43:49 | webRequ ... tring() | Remote flow source of type: Remote flow | -| source.xsjs:43:24:43:49 | webRequ ... tring() | Remote flow source of type: Source node (remote) [from data-extension] | -| source.xsjs:44:24:44:53 | webRequ ... quest() | Remote flow source of type: Remote flow | -| source.xsjs:44:24:44:53 | webRequ ... quest() | Remote flow source of type: Source node (remote) [from data-extension] | -| source.xsjs:46:24:46:54 | webRequ ... uffer() | Remote flow source of type: Remote flow | -| source.xsjs:46:24:46:54 | webRequ ... uffer() | Remote flow source of type: Source node (remote) [from data-extension] | -| source.xsjs:47:24:47:49 | webRequ ... tring() | Remote flow source of type: Remote flow | -| source.xsjs:47:24:47:49 | webRequ ... tring() | Remote flow source of type: Source node (remote) [from data-extension] | -| source.xsjs:48:24:48:53 | webRequ ... quest() | Remote flow source of type: Remote flow | -| source.xsjs:48:24:48:53 | webRequ ... quest() | Remote flow source of type: Source node (remote) [from data-extension] | +| source.xsjs:8:23:8:38 | webRequest1.body | Remote flow source of type: Remote flow | +| source.xsjs:8:23:8:38 | webRequest1.body | Remote flow source of type: Source node (remote) [from data-extension] | +| source.xsjs:9:23:9:38 | webRequest2.body | Remote flow source of type: Remote flow | +| source.xsjs:9:23:9:38 | webRequest2.body | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:52:25:52:44 | webRequestParam1.get | Remote flow source of type: Remote flow | | source.xsjs:52:25:52:44 | webRequestParam1.get | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:52:25:52:51 | webRequ ... ("key") | Remote flow source of type: Remote flow | diff --git a/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected b/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected index 6f73acfbe..26afedc4f 100644 --- a/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected +++ b/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected @@ -1,26 +1,57 @@ -WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSZipSlip.ql:15,8-27) -WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSZipSlip.ql:17,28-46) -WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSZipSlip.ql:17,55-73) -nodes -| XSJSZipSlip.xsjs:7:7:7:16 | zipArchive | -| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | -| XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() | -| XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() | -| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | -| XSJSZipSlip.xsjs:11:9:11:22 | targetFilePath | -| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | -| XSJSZipSlip.xsjs:11:65:11:73 | entryPath | -| XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | -| XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | edges -| XSJSZipSlip.xsjs:7:7:7:16 | zipArchive | XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | -| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | XSJSZipSlip.xsjs:7:7:7:16 | zipArchive | -| XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | -| XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | -| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | XSJSZipSlip.xsjs:11:65:11:73 | entryPath | -| XSJSZipSlip.xsjs:11:9:11:22 | targetFilePath | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | -| XSJSZipSlip.xsjs:11:9:11:22 | targetFilePath | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | -| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | XSJSZipSlip.xsjs:11:9:11:22 | targetFilePath | -| XSJSZipSlip.xsjs:11:65:11:73 | entryPath | XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | +| XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config | +| XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | XSJSZipSlip.xsjs:31:7:31:17 | requestBody | provenance | | +| XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | XSJSZipSlip.xsjs:32:7:32:17 | requestBody | provenance | | +| XSJSZipSlip.xsjs:6:16:6:26 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config | +| XSJSZipSlip.xsjs:6:16:6:26 | requestBody | XSJSZipSlip.xsjs:7:35:7:45 | requestBody | provenance | | +| XSJSZipSlip.xsjs:7:7:7:16 | zipArchive | XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | provenance | | +| XSJSZipSlip.xsjs:7:7:7:16 | zipArchive | XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | provenance | | +| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | XSJSZipSlip.xsjs:7:7:7:16 | zipArchive | provenance | | +| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | XSJSZipSlip.xsjs:7:7:7:16 | zipArchive | provenance | | +| XSJSZipSlip.xsjs:7:35:7:45 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config | +| XSJSZipSlip.xsjs:7:35:7:45 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config | +| XSJSZipSlip.xsjs:7:35:7:45 | requestBody | XSJSZipSlip.xsjs:7:35:7:59 | request ... yBuffer | provenance | Config | +| XSJSZipSlip.xsjs:7:35:7:59 | request ... yBuffer | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config | +| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | XSJSZipSlip.xsjs:11:65:11:73 | entryPath | provenance | Config | +| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | XSJSZipSlip.xsjs:11:65:11:73 | entryPath | provenance | Config | +| XSJSZipSlip.xsjs:11:9:11:22 | targetFilePath | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | provenance | | +| XSJSZipSlip.xsjs:11:9:11:22 | targetFilePath | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | provenance | | +| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | XSJSZipSlip.xsjs:11:9:11:22 | targetFilePath | provenance | | +| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | XSJSZipSlip.xsjs:11:9:11:22 | targetFilePath | provenance | | +| XSJSZipSlip.xsjs:11:65:11:73 | entryPath | XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | provenance | Config | +| XSJSZipSlip.xsjs:11:65:11:73 | entryPath | XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | provenance | Config | +| XSJSZipSlip.xsjs:19:16:19:26 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config | +| XSJSZipSlip.xsjs:19:16:19:26 | requestBody | XSJSZipSlip.xsjs:20:35:20:45 | requestBody | provenance | | +| XSJSZipSlip.xsjs:20:35:20:45 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config | +| XSJSZipSlip.xsjs:20:35:20:45 | requestBody | XSJSZipSlip.xsjs:20:35:20:59 | request ... yBuffer | provenance | Config | +| XSJSZipSlip.xsjs:20:35:20:59 | request ... yBuffer | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config | +| XSJSZipSlip.xsjs:31:7:31:17 | requestBody | XSJSZipSlip.xsjs:6:16:6:26 | requestBody | provenance | | +| XSJSZipSlip.xsjs:31:7:31:17 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config | +| XSJSZipSlip.xsjs:32:7:32:17 | requestBody | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | provenance | Config | +| XSJSZipSlip.xsjs:32:7:32:17 | requestBody | XSJSZipSlip.xsjs:19:16:19:26 | requestBody | provenance | | +nodes +| XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | semmle.label | $.request.body | +| XSJSZipSlip.xsjs:6:16:6:26 | requestBody | semmle.label | requestBody | +| XSJSZipSlip.xsjs:7:7:7:16 | zipArchive | semmle.label | zipArchive | +| XSJSZipSlip.xsjs:7:7:7:16 | zipArchive | semmle.label | zipArchive | +| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | semmle.label | new $.u ... ffer()) | +| XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | semmle.label | new $.u ... ffer()) | +| XSJSZipSlip.xsjs:7:35:7:45 | requestBody | semmle.label | requestBody | +| XSJSZipSlip.xsjs:7:35:7:59 | request ... yBuffer | semmle.label | request ... yBuffer | +| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | semmle.label | zipArchive | +| XSJSZipSlip.xsjs:10:25:10:34 | zipArchive | semmle.label | zipArchive | +| XSJSZipSlip.xsjs:11:9:11:22 | targetFilePath | semmle.label | targetFilePath | +| XSJSZipSlip.xsjs:11:9:11:22 | targetFilePath | semmle.label | targetFilePath | +| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | semmle.label | require ... ryPath) | +| XSJSZipSlip.xsjs:11:26:11:74 | require ... ryPath) | semmle.label | require ... ryPath) | +| XSJSZipSlip.xsjs:11:65:11:73 | entryPath | semmle.label | entryPath | +| XSJSZipSlip.xsjs:11:65:11:73 | entryPath | semmle.label | entryPath | +| XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | semmle.label | targetFilePath | +| XSJSZipSlip.xsjs:19:16:19:26 | requestBody | semmle.label | requestBody | +| XSJSZipSlip.xsjs:20:35:20:45 | requestBody | semmle.label | requestBody | +| XSJSZipSlip.xsjs:20:35:20:59 | request ... yBuffer | semmle.label | request ... yBuffer | +| XSJSZipSlip.xsjs:31:7:31:17 | requestBody | semmle.label | requestBody | +| XSJSZipSlip.xsjs:32:7:32:17 | requestBody | semmle.label | requestBody | +subpaths #select -| XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | The path of $@ being saved depends on a $@. | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | this zip file | XSJSZipSlip.xsjs:7:35:7:61 | request ... uffer() | user-provided value | +| XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | The path of $@ being saved depends on a $@. | XSJSZipSlip.xsjs:12:37:12:50 | targetFilePath | this zip file | XSJSZipSlip.xsjs:1:19:1:32 | $.request.body | user-provided value |