Add sink model for mkdirp and update tests for path injection alerts.

Napalys · Napalys · commit 3fa24d60261f · 2025-04-03T10:45:14.000+02:00
diff --git a/javascript/ql/lib/ext/mkdirp.model.yml b/javascript/ql/lib/ext/mkdirp.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["mkdirp", "Member[nativeSync,native,manual,manualSync,mkdirpNative,mkdirpManual,mkdirpManualSync,mkdirpNativeSync,mkdirpSync].Argument[0]", "path-injection"]
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -54,6 +54,15 @@
 | hapi.js:15:44:15:51 | filepath | hapi.js:14:30:14:51 | request ... ilepath | hapi.js:15:44:15:51 | filepath | This path depends on a $@. | hapi.js:14:30:14:51 | request ... ilepath | user-provided value |
 | mkdirp.js:11:12:11:18 | dirPath | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:11:12:11:18 | dirPath | This path depends on a $@. | mkdirp.js:9:42:9:59 | req.query.filename | user-provided value |
 | mkdirp.js:12:17:12:23 | dirPath | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:12:17:12:23 | dirPath | This path depends on a $@. | mkdirp.js:9:42:9:59 | req.query.filename | user-provided value |
+| mkdirp.js:13:23:13:29 | dirPath | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:13:23:13:29 | dirPath | This path depends on a $@. | mkdirp.js:9:42:9:59 | req.query.filename | user-provided value |
+| mkdirp.js:14:19:14:25 | dirPath | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:14:19:14:25 | dirPath | This path depends on a $@. | mkdirp.js:9:42:9:59 | req.query.filename | user-provided value |
+| mkdirp.js:15:19:15:25 | dirPath | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:15:19:15:25 | dirPath | This path depends on a $@. | mkdirp.js:9:42:9:59 | req.query.filename | user-provided value |
+| mkdirp.js:16:23:16:29 | dirPath | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:16:23:16:29 | dirPath | This path depends on a $@. | mkdirp.js:9:42:9:59 | req.query.filename | user-provided value |
+| mkdirp.js:17:25:17:31 | dirPath | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:17:25:17:31 | dirPath | This path depends on a $@. | mkdirp.js:9:42:9:59 | req.query.filename | user-provided value |
+| mkdirp.js:18:25:18:31 | dirPath | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:18:25:18:31 | dirPath | This path depends on a $@. | mkdirp.js:9:42:9:59 | req.query.filename | user-provided value |
+| mkdirp.js:19:29:19:35 | dirPath | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:19:29:19:35 | dirPath | This path depends on a $@. | mkdirp.js:9:42:9:59 | req.query.filename | user-provided value |
+| mkdirp.js:20:29:20:35 | dirPath | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:20:29:20:35 | dirPath | This path depends on a $@. | mkdirp.js:9:42:9:59 | req.query.filename | user-provided value |
+| mkdirp.js:21:23:21:29 | dirPath | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:21:23:21:29 | dirPath | This path depends on a $@. | mkdirp.js:9:42:9:59 | req.query.filename | user-provided value |
 | more-fs-extra.js:10:15:10:22 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:10:15:10:22 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
 | more-fs-extra.js:11:11:11:18 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:11:11:11:18 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
 | more-fs-extra.js:12:14:12:21 | filename | more-fs-extra.js:8:26:8:33 | req.body | more-fs-extra.js:12:14:12:21 | filename | This path depends on a $@. | more-fs-extra.js:8:26:8:33 | req.body | user-provided value |
@@ -394,6 +403,15 @@ edges
 | hapi.js:14:30:14:51 | request ... ilepath | hapi.js:14:19:14:51 | filepath | provenance |  |
 | mkdirp.js:9:11:9:76 | dirPath | mkdirp.js:11:12:11:18 | dirPath | provenance |  |
 | mkdirp.js:9:11:9:76 | dirPath | mkdirp.js:12:17:12:23 | dirPath | provenance |  |
+| mkdirp.js:9:11:9:76 | dirPath | mkdirp.js:13:23:13:29 | dirPath | provenance |  |
+| mkdirp.js:9:11:9:76 | dirPath | mkdirp.js:14:19:14:25 | dirPath | provenance |  |
+| mkdirp.js:9:11:9:76 | dirPath | mkdirp.js:15:19:15:25 | dirPath | provenance |  |
+| mkdirp.js:9:11:9:76 | dirPath | mkdirp.js:16:23:16:29 | dirPath | provenance |  |
+| mkdirp.js:9:11:9:76 | dirPath | mkdirp.js:17:25:17:31 | dirPath | provenance |  |
+| mkdirp.js:9:11:9:76 | dirPath | mkdirp.js:18:25:18:31 | dirPath | provenance |  |
+| mkdirp.js:9:11:9:76 | dirPath | mkdirp.js:19:29:19:35 | dirPath | provenance |  |
+| mkdirp.js:9:11:9:76 | dirPath | mkdirp.js:20:29:20:35 | dirPath | provenance |  |
+| mkdirp.js:9:11:9:76 | dirPath | mkdirp.js:21:23:21:29 | dirPath | provenance |  |
 | mkdirp.js:9:21:9:76 | path.jo ... ltDir') | mkdirp.js:9:11:9:76 | dirPath | provenance |  |
 | mkdirp.js:9:42:9:59 | req.query.filename | mkdirp.js:9:42:9:75 | req.que ... ultDir' | provenance |  |
 | mkdirp.js:9:42:9:75 | req.que ... ultDir' | mkdirp.js:9:21:9:76 | path.jo ... ltDir') | provenance | Config |
@@ -932,6 +950,15 @@ nodes
 | mkdirp.js:9:42:9:75 | req.que ... ultDir' | semmle.label | req.que ... ultDir' |
 | mkdirp.js:11:12:11:18 | dirPath | semmle.label | dirPath |
 | mkdirp.js:12:17:12:23 | dirPath | semmle.label | dirPath |
+| mkdirp.js:13:23:13:29 | dirPath | semmle.label | dirPath |
+| mkdirp.js:14:19:14:25 | dirPath | semmle.label | dirPath |
+| mkdirp.js:15:19:15:25 | dirPath | semmle.label | dirPath |
+| mkdirp.js:16:23:16:29 | dirPath | semmle.label | dirPath |
+| mkdirp.js:17:25:17:31 | dirPath | semmle.label | dirPath |
+| mkdirp.js:18:25:18:31 | dirPath | semmle.label | dirPath |
+| mkdirp.js:19:29:19:35 | dirPath | semmle.label | dirPath |
+| mkdirp.js:20:29:20:35 | dirPath | semmle.label | dirPath |
+| mkdirp.js:21:23:21:29 | dirPath | semmle.label | dirPath |
 | more-fs-extra.js:8:11:8:22 | { filename } | semmle.label | { filename } |
 | more-fs-extra.js:8:11:8:33 | filename | semmle.label | filename |
 | more-fs-extra.js:8:13:8:20 | filename | semmle.label | filename |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/mkdirp.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/mkdirp.js
@@ -10,13 +10,13 @@ app.post('/foo', async (req, res) => {
 
     mkdirp(dirPath); // $ Alert
     mkdirp.sync(dirPath); // $ Alert
-    mkdirp.nativeSync(dirPath); // $ MISSING: Alert
-    mkdirp.native(dirPath); // $ MISSING: Alert
-    mkdirp.manual(dirPath); // $ MISSING: Alert
-    mkdirp.manualSync(dirPath); // $ MISSING: Alert
-    mkdirp.mkdirpNative(dirPath); // $ MISSING: Alert
-    mkdirp.mkdirpManual(dirPath); // $ MISSING: Alert
-    mkdirp.mkdirpManualSync(dirPath); // $ MISSING: Alert
-    mkdirp.mkdirpNativeSync(dirPath); // $ MISSING: Alert
-    mkdirp.mkdirpSync(dirPath); // $ MISSING: Alert
+    mkdirp.nativeSync(dirPath); // $ Alert
+    mkdirp.native(dirPath); // $ Alert
+    mkdirp.manual(dirPath); // $ Alert
+    mkdirp.manualSync(dirPath); // $ Alert
+    mkdirp.mkdirpNative(dirPath); // $ Alert
+    mkdirp.mkdirpManual(dirPath); // $ Alert
+    mkdirp.mkdirpManualSync(dirPath); // $ Alert
+    mkdirp.mkdirpNativeSync(dirPath); // $ Alert
+    mkdirp.mkdirpSync(dirPath); // $ Alert
 });
