@knewbury01
Contributor

What This PR Contributes

  • A path injection/traversal query PathInjection.ql
  • Unit tests for the query
  • A patch to the prior model of CDS utils taint steps for a mistake in the modelling of args/calls as in/out nodes

Future Works

Add additional unit tests if the extra API cases described here in the future works are covered in the future.

@knewbury01 knewbury01 changed the title from "Add path injection query and patch path injection taint model" to "Add CDS Utils path injection query" on Aug 21, 2025
Contributor

@jeongsoolee09 jeongsoolee09 left a comment

Nice work. I'd like to suggest two things:

Lack of barriers

A barrier is lacking in this example. Research some well-known ways to neutralize path traversal and ones that are specific to CAP, and add both to the Recommendations section of the help file and to the isBarrier predicate of the configuration.

CDSAdditionalFlowStep hard to understand at first glance

It's a bit hard to follow the logic of CDSAdditionalFlowStep, and much of it is coming from the fact that conceptually a flow step is a pair of two dataflow nodes but the implementation at the moment is a DataFlow::Node.

But admittedly encoding a tuple can be a bit verbose to model in QL. So I think it's better to remove the hierarchy only for additional flow steps and directly inline the class definition into the isAdditionalStep predicate. It seems like the default queries are following this practice.
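
One well-known way to neutralize path traversal, of the kind the "Lack of barriers" point above asks to document, shown as an added example that is not part of this PR or of the CAP code base: resolve the user-supplied path against a fixed base directory and reject anything that ends up outside it. `BASE_DIR`, `resolveInside` and `isContained` are hypothetical names, and the sample paths are constructed.

```javascript
// Added example: a containment check that can serve as a path traversal barrier.
const path = require('node:path');

// Hypothetical base directory, chosen for illustration only.
const BASE_DIR = '/srv/app/uploads';

// Resolve `userPath` against `baseDir` and return the absolute result only if
// it stays inside `baseDir`; throw otherwise. POSIX semantics are used so the
// outcome is the same on every platform. The check is lexical: if symlinks can
// exist under the base directory, compare fs.realpath() results as well.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = path.posix.resolve(baseDir);
  // resolve() collapses "." and ".." segments; an absolute userPath replaces base.
  const target = path.posix.resolve(base, userPath);
  // relative() is '' for the base itself and starts with '..' when target escapes.
  // Comparing path segments avoids the prefix pitfall where "/srv/app/uploads-evil"
  // passes a naive target.startsWith(base) test.
  const rel = path.posix.relative(base, target);
  if (rel === '..' || rel.startsWith('../') || path.posix.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  return target;
}

// Boolean form of the same check, convenient as a guard before a file access.
function isContained(baseDir, userPath) {
  try {
    resolveInside(baseDir, userPath);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs covering the usual escape shapes and two benign names.
const SAMPLES = ['a/b.txt', 'a/../b.txt', '..foo', '../../etc/passwd',
                 '/etc/passwd', '../uploads-evil/x', 'a\0b'];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), isContained(BASE_DIR, s) ? 'allowed' : 'rejected');
}
```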

Contributor

@jeongsoolee09 jeongsoolee09 left a comment

Good work! LGTM!

@jeongsoolee09 jeongsoolee09 merged commit 78e9d85 into main Aug 27, 2025
4 of 5 checks passed
@jeongsoolee09 jeongsoolee09 deleted the knewbury01/cds-util-path-traversal-query branch August 27, 2025 19:02
@data-douser data-douser mentioned this pull request Nov 26, 2025
36 tasks