recognize more startswith sanitizers for path-injection queries

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -513,13 +513,24 @@ module TaintedPath {
 
     override predicate blocks(boolean outcome, Expr e) {
       member = "relative" and
-      e = pathCall.getArgument(1).asExpr() and
+      e = maybeGetJoinArg(pathCall.getArgument(1)).asExpr() and
       outcome = startsWith.getPolarity().booleanNot()
       or
       not member = "relative" and
-      e = pathCall.getArgument(0).asExpr() and
+      e = maybeGetJoinArg(pathCall.getArgument(0)).asExpr() and
       outcome = startsWith.getPolarity()
     }
+
+    bindingset[e]
+    private DataFlow::Node maybeGetJoinArg(DataFlow::Node e) {
+      exists(DataFlow::CallNode call |
+        call = NodeJSLib::Path::moduleMember("join").getACall() and e = call
+      |
+        result = call.getLastArgument()
+      )
+      or
+      result = e
+    }
   }
 
   /**

javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js

@@ -25,6 +25,7 @@ fs.createReadStream('archive.zip')
 
 const JSZip = require('jszip');
 const zip = new JSZip();
+const path = require('path');
 function doZipSlip() {
   for (const name in zip.files) {
     fs.createWriteStream(name);
@@ -33,4 +34,22 @@ function doZipSlip() {
   zip.forEach((name, file) => {
     fs.createWriteStream(name);
   });
-}
+
+  const extractTo = path.resolve("/some/path/to/extract/to");
+  var files = [];
+
+  for (var name in zip.files) {
+    var entry = zip.files[name];
+
+    var targetPath = path.resolve(
+      path.join(extractTo, name)
+    );
+    if (!targetPath.startsWith(extractTo)) {
+      throw new Error("Entry is outside the extraction path");
+    }
+    files.push(name);
+  }
+  for (const file of files) {
+    fs.createWriteStream(path.join(extractTo, file)); // OK
+  }
+}