Description
In CLI mode, yargs is used to limit the choices available for the argument named standard.
In server mode, however, there is no file path validation or sanitisation.
When join is used in postgen.applyStandards to construct the file path, a directory traversal is possible with JSON payloads such as:
```json
{
  "url": "https://github.com/HooliCorp/vulnerable-aws-koa-app.git",
  "type": "nodejs",
  "standard": ["../../../../../../../etc/passwd"],
  "multiProject": "true"
}
```
I couldn't find a payload to convert this to a file inclusion vulnerability readily, although one should be possible with Unicode-based escape characters.
chen queries
The queries below can be used to identify this vulnerability with chen.

Much broader, with a lot of hits:

```
atom.method("readFileSync").callIn.argument.df(atom.tag("framework-input").call.argument).t
```

Show the calls to applyStandards where the called argument came from parseQueryString:

```
atom.method("applyStandards").callIn.argument.df(atom.method("parseQueryString").call.argument).t
```

Sink method: calls to readFileSync where the caller is applyStandards.
Source: the argument to the function parseQueryString.

```
atom.method("readFileSync").caller.method.name("applyStandards").callIn.argument.df(atom.method("parseQueryString").call.argument).t
```
| Location | Method | Parameter | Tracked |
|---|---|---|---|
| lib/server/server.js#212 | anonymous1 (Tags: framework-input, pkg:npm/%40babel/parser@7.27.5) | parseQueryString(q, req.body, Object.assign({}, options)) | lib/server/server.js::program:parseQueryString |
| lib/server/server.js#267 | anonymous1 | reqOptions | createBom(srcDir, reqOptions) |
| lib/cli/index.js#8061 | createBom (Tags: exported) | options | lib/cli/index.js::program:createBom |
| lib/server/server.js#268 | anonymous1 | reqOptions | postProcess(bomNSData, reqOptions) |
| lib/stages/postgen/postgen.js#50 | postProcess (Tags: exported) | options | lib/stages/postgen/postgen.js::program:postProcess |
| lib/stages/postgen/postgen.js#59 | postProcess (Tags: pkg:npm/cheerio@1.1.0) | options | filterBom(jsonPayload, options) |
| lib/stages/postgen/postgen.js#300 | filterBom | options | lib/stages/postgen/postgen.js::program:filterBom |
| lib/stages/postgen/postgen.js#60 | postProcess | options | applyStandards(bomNSData.bomJson, options) |
Source: req.body
Source Tags: framework-input, pkg:npm/%40babel/parser@7.27.5
Sink: lib/stages/postgen/postgen.js::program:postProcess