Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JS: Add result.download to Express as Path Traversal Sink #18749

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

JS: Add result.download to Express as Path Traversal Sink #18749

wants to merge 3 commits into from

Conversation

Kwstubbs
Copy link
Contributor

Add result.download to Express as Path Traversal Sink

@Copilot Copilot bot review requested due to automatic review settings February 12, 2025 08:11
@Kwstubbs Kwstubbs requested a review from a team as a code owner February 12, 2025 08:11
Copilot
Copilot AI reviewed Feb 12, 2025
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Overview

This pull request adds new test cases to ensure that Express’s res.download method is correctly analyzed as a path traversal sink. It enhances security tests by covering various file download invocations that combine un-sanitized input with path concatenation.

  • Added test cases in tainted-sendFile.js to simulate unsafe usage scenarios of res.download.
  • Updated change notes to document the new result.download() support for security analysis.

Changes

File Description
javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js Added several test cases for res.download to highlight path traversal vulnerabilities.
javascript/ql/lib/change-notes/2025-02-12-express-download.md Added a change note entry describing the new addition of result.download support.

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (2)

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js:30

  • [nitpick] The code uses 'req.param' to access a parameter, whereas other cases use 'req.params'. For clarity and consistency, consider standardizing on one approach (e.g., 'req.params' or 'req.query') depending on your intended parameter source.
res.download(req.param("gimme"));

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js:38

  • [nitpick] The use of 'req.param' in this invocation differs from the use of 'req.params' elsewhere in the file. Standardizing the parameter access method will improve code readability and reduce potential confusion about where the parameters originate from.
res.download(req.param("file"), { root: req.param("dir") });

Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more
asgerf
asgerf reviewed Feb 12, 2025
View reviewed changes
Copy link
Contributor

@asgerf asgerf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, looks great! I'd just like to formulate the change note in a way that makes more sense to end users.

javascript/ql/lib/change-notes/2025-02-12-express-download.md Outdated Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asgerf asgerf asgerf left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Kwstubbs @asgerf