forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 21
Expand file tree
/
Copy pathZipSlip.expected
More file actions
112 lines (112 loc) · 17.6 KB
/
ZipSlip.expected
File metadata and controls
112 lines (112 loc) · 17.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
#select
| ZipSlip.cs:15:61:15:74 | access to property FullName | ZipSlip.cs:15:61:15:74 | access to property FullName : String | ZipSlip.cs:31:41:31:52 | access to local variable destFilePath | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:31:41:31:52 | access to local variable destFilePath | file system operation |
| ZipSlip.cs:15:61:15:74 | access to property FullName | ZipSlip.cs:15:61:15:74 | access to property FullName : String | ZipSlip.cs:39:45:39:73 | access to local variable destFilePath_notCanonicalized | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:39:45:39:73 | access to local variable destFilePath_notCanonicalized | file system operation |
| ZipSlip.cs:18:53:18:66 | access to property FullName | ZipSlip.cs:18:53:18:66 | access to property FullName : String | ZipSlip.cs:23:41:23:52 | access to local variable destFileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:23:41:23:52 | access to local variable destFileName | file system operation |
| ZipSlip.cs:58:61:58:74 | access to property FullName | ZipSlip.cs:58:61:58:74 | access to property FullName : String | ZipSlip.cs:62:33:62:40 | access to local variable fullpath | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:62:33:62:40 | access to local variable fullpath | file system operation |
| ZipSlip.cs:58:61:58:74 | access to property FullName | ZipSlip.cs:58:61:58:74 | access to property FullName : String | ZipSlip.cs:71:37:71:44 | access to local variable fullpath | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:71:37:71:44 | access to local variable fullpath | file system operation |
| ZipSlip.cs:105:72:105:85 | access to property FullName | ZipSlip.cs:105:72:105:85 | access to property FullName : String | ZipSlip.cs:112:74:112:85 | access to local variable destFilePath | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:112:74:112:85 | access to local variable destFilePath | file system operation |
| ZipSlip.cs:105:72:105:85 | access to property FullName | ZipSlip.cs:105:72:105:85 | access to property FullName : String | ZipSlip.cs:119:71:119:82 | access to local variable destFilePath | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:119:71:119:82 | access to local variable destFilePath | file system operation |
| ZipSlip.cs:105:72:105:85 | access to property FullName | ZipSlip.cs:105:72:105:85 | access to property FullName : String | ZipSlip.cs:126:57:126:68 | access to local variable destFilePath | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:126:57:126:68 | access to local variable destFilePath | file system operation |
| ZipSlip.cs:105:72:105:85 | access to property FullName | ZipSlip.cs:105:72:105:85 | access to property FullName : String | ZipSlip.cs:134:58:134:69 | access to local variable destFilePath | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:134:58:134:69 | access to local variable destFilePath | file system operation |
| ZipSlip.cs:305:80:305:93 | access to property FullName | ZipSlip.cs:305:80:305:93 | access to property FullName : String | ZipSlip.cs:308:37:308:53 | access to local variable destinationOnDisk | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.cs:308:37:308:53 | access to local variable destinationOnDisk | file system operation |
| ZipSlipBad.cs:9:59:9:72 | access to property FullName | ZipSlipBad.cs:9:59:9:72 | access to property FullName : String | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | file system operation |
edges
| ZipSlip.cs:15:24:15:40 | access to local variable fullPath_relative : String | ZipSlip.cs:30:71:30:87 | access to local variable fullPath_relative : String | provenance | |
| ZipSlip.cs:15:44:15:75 | call to method GetFullPath : String | ZipSlip.cs:15:24:15:40 | access to local variable fullPath_relative : String | provenance | |
| ZipSlip.cs:15:61:15:74 | access to property FullName : String | ZipSlip.cs:15:44:15:75 | call to method GetFullPath : String | provenance | Config |
| ZipSlip.cs:15:61:15:74 | access to property FullName : String | ZipSlip.cs:15:44:15:75 | call to method GetFullPath : String | provenance | MaD:2 |
| ZipSlip.cs:18:24:18:49 | access to local variable file_badDirectoryTraversal : String | ZipSlip.cs:19:43:19:68 | access to local variable file_badDirectoryTraversal : String | provenance | |
| ZipSlip.cs:18:53:18:66 | access to property FullName : String | ZipSlip.cs:18:24:18:49 | access to local variable file_badDirectoryTraversal : String | provenance | |
| ZipSlip.cs:19:43:19:68 | access to local variable file_badDirectoryTraversal : String | ZipSlip.cs:22:71:22:96 | access to local variable file_badDirectoryTraversal : String | provenance | |
| ZipSlip.cs:22:28:22:39 | access to local variable destFileName : String | ZipSlip.cs:23:41:23:52 | access to local variable destFileName | provenance | |
| ZipSlip.cs:22:43:22:97 | call to method Combine : String | ZipSlip.cs:22:28:22:39 | access to local variable destFileName : String | provenance | |
| ZipSlip.cs:22:71:22:96 | access to local variable file_badDirectoryTraversal : String | ZipSlip.cs:22:43:22:97 | call to method Combine : String | provenance | Config |
| ZipSlip.cs:22:71:22:96 | access to local variable file_badDirectoryTraversal : String | ZipSlip.cs:22:43:22:97 | call to method Combine : String | provenance | MaD:1 |
| ZipSlip.cs:30:28:30:39 | access to local variable destFilePath : String | ZipSlip.cs:31:41:31:52 | access to local variable destFilePath | provenance | |
| ZipSlip.cs:30:43:30:88 | call to method Combine : String | ZipSlip.cs:30:28:30:39 | access to local variable destFilePath : String | provenance | |
| ZipSlip.cs:30:71:30:87 | access to local variable fullPath_relative : String | ZipSlip.cs:30:43:30:88 | call to method Combine : String | provenance | Config |
| ZipSlip.cs:30:71:30:87 | access to local variable fullPath_relative : String | ZipSlip.cs:30:43:30:88 | call to method Combine : String | provenance | MaD:1 |
| ZipSlip.cs:30:71:30:87 | access to local variable fullPath_relative : String | ZipSlip.cs:35:28:35:56 | access to local variable destFilePath_notCanonicalized : String | provenance | |
| ZipSlip.cs:35:28:35:56 | access to local variable destFilePath_notCanonicalized : String | ZipSlip.cs:39:45:39:73 | access to local variable destFilePath_notCanonicalized | provenance | |
| ZipSlip.cs:58:20:58:27 | access to local variable fullpath : String | ZipSlip.cs:62:33:62:40 | access to local variable fullpath | provenance | |
| ZipSlip.cs:58:20:58:27 | access to local variable fullpath : String | ZipSlip.cs:62:33:62:40 | access to local variable fullpath : String | provenance | |
| ZipSlip.cs:58:31:58:75 | call to method Combine : String | ZipSlip.cs:58:20:58:27 | access to local variable fullpath : String | provenance | |
| ZipSlip.cs:58:61:58:74 | access to property FullName : String | ZipSlip.cs:58:31:58:75 | call to method Combine : String | provenance | Config |
| ZipSlip.cs:58:61:58:74 | access to property FullName : String | ZipSlip.cs:58:31:58:75 | call to method Combine : String | provenance | MaD:1 |
| ZipSlip.cs:62:33:62:40 | access to local variable fullpath : String | ZipSlip.cs:64:29:64:36 | access to local variable fullpath : String | provenance | |
| ZipSlip.cs:64:29:64:36 | access to local variable fullpath : String | ZipSlip.cs:69:30:69:37 | access to local variable fullpath : String | provenance | |
| ZipSlip.cs:69:30:69:37 | access to local variable fullpath : String | ZipSlip.cs:71:37:71:44 | access to local variable fullpath | provenance | |
| ZipSlip.cs:105:32:105:43 | access to local variable destFilePath : String | ZipSlip.cs:107:73:107:84 | access to local variable destFilePath : String | provenance | |
| ZipSlip.cs:105:47:105:86 | call to method Combine : String | ZipSlip.cs:105:32:105:43 | access to local variable destFilePath : String | provenance | |
| ZipSlip.cs:105:72:105:85 | access to property FullName : String | ZipSlip.cs:105:47:105:86 | call to method Combine : String | provenance | Config |
| ZipSlip.cs:105:72:105:85 | access to property FullName : String | ZipSlip.cs:105:47:105:86 | call to method Combine : String | provenance | MaD:1 |
| ZipSlip.cs:107:73:107:84 | access to local variable destFilePath : String | ZipSlip.cs:112:74:112:85 | access to local variable destFilePath | provenance | |
| ZipSlip.cs:107:73:107:84 | access to local variable destFilePath : String | ZipSlip.cs:114:71:114:82 | access to local variable destFilePath : String | provenance | |
| ZipSlip.cs:114:71:114:82 | access to local variable destFilePath : String | ZipSlip.cs:119:71:119:82 | access to local variable destFilePath | provenance | |
| ZipSlip.cs:114:71:114:82 | access to local variable destFilePath : String | ZipSlip.cs:119:71:119:82 | access to local variable destFilePath : String | provenance | |
| ZipSlip.cs:119:71:119:82 | access to local variable destFilePath : String | ZipSlip.cs:121:71:121:82 | access to local variable destFilePath : String | provenance | |
| ZipSlip.cs:121:71:121:82 | access to local variable destFilePath : String | ZipSlip.cs:126:57:126:68 | access to local variable destFilePath | provenance | |
| ZipSlip.cs:121:71:121:82 | access to local variable destFilePath : String | ZipSlip.cs:129:71:129:82 | access to local variable destFilePath : String | provenance | |
| ZipSlip.cs:129:71:129:82 | access to local variable destFilePath : String | ZipSlip.cs:134:58:134:69 | access to local variable destFilePath | provenance | |
| ZipSlip.cs:305:24:305:40 | access to local variable destinationOnDisk : String | ZipSlip.cs:307:44:307:60 | access to local variable destinationOnDisk : String | provenance | |
| ZipSlip.cs:305:44:305:95 | call to method GetFullPath : String | ZipSlip.cs:305:24:305:40 | access to local variable destinationOnDisk : String | provenance | |
| ZipSlip.cs:305:61:305:94 | call to method Combine : String | ZipSlip.cs:305:44:305:95 | call to method GetFullPath : String | provenance | Config |
| ZipSlip.cs:305:61:305:94 | call to method Combine : String | ZipSlip.cs:305:44:305:95 | call to method GetFullPath : String | provenance | MaD:2 |
| ZipSlip.cs:305:80:305:93 | access to property FullName : String | ZipSlip.cs:305:61:305:94 | call to method Combine : String | provenance | Config |
| ZipSlip.cs:305:80:305:93 | access to property FullName : String | ZipSlip.cs:305:61:305:94 | call to method Combine : String | provenance | MaD:1 |
| ZipSlip.cs:307:44:307:60 | access to local variable destinationOnDisk : String | ZipSlip.cs:308:37:308:53 | access to local variable destinationOnDisk | provenance | |
| ZipSlipBad.cs:9:16:9:27 | access to local variable destFileName : String | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | provenance | |
| ZipSlipBad.cs:9:31:9:73 | call to method Combine : String | ZipSlipBad.cs:9:16:9:27 | access to local variable destFileName : String | provenance | |
| ZipSlipBad.cs:9:59:9:72 | access to property FullName : String | ZipSlipBad.cs:9:31:9:73 | call to method Combine : String | provenance | Config |
| ZipSlipBad.cs:9:59:9:72 | access to property FullName : String | ZipSlipBad.cs:9:31:9:73 | call to method Combine : String | provenance | MaD:1 |
models
| 1 | Summary: System.IO; Path; false; Combine; (System.String,System.String); ; Argument[1]; ReturnValue; taint; manual |
| 2 | Summary: System.IO; Path; false; GetFullPath; (System.String); ; Argument[0]; ReturnValue; taint; manual |
nodes
| ZipSlip.cs:15:24:15:40 | access to local variable fullPath_relative : String | semmle.label | access to local variable fullPath_relative : String |
| ZipSlip.cs:15:44:15:75 | call to method GetFullPath : String | semmle.label | call to method GetFullPath : String |
| ZipSlip.cs:15:61:15:74 | access to property FullName : String | semmle.label | access to property FullName : String |
| ZipSlip.cs:18:24:18:49 | access to local variable file_badDirectoryTraversal : String | semmle.label | access to local variable file_badDirectoryTraversal : String |
| ZipSlip.cs:18:53:18:66 | access to property FullName : String | semmle.label | access to property FullName : String |
| ZipSlip.cs:19:43:19:68 | access to local variable file_badDirectoryTraversal : String | semmle.label | access to local variable file_badDirectoryTraversal : String |
| ZipSlip.cs:22:28:22:39 | access to local variable destFileName : String | semmle.label | access to local variable destFileName : String |
| ZipSlip.cs:22:43:22:97 | call to method Combine : String | semmle.label | call to method Combine : String |
| ZipSlip.cs:22:71:22:96 | access to local variable file_badDirectoryTraversal : String | semmle.label | access to local variable file_badDirectoryTraversal : String |
| ZipSlip.cs:23:41:23:52 | access to local variable destFileName | semmle.label | access to local variable destFileName |
| ZipSlip.cs:30:28:30:39 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
| ZipSlip.cs:30:43:30:88 | call to method Combine : String | semmle.label | call to method Combine : String |
| ZipSlip.cs:30:71:30:87 | access to local variable fullPath_relative : String | semmle.label | access to local variable fullPath_relative : String |
| ZipSlip.cs:31:41:31:52 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
| ZipSlip.cs:35:28:35:56 | access to local variable destFilePath_notCanonicalized : String | semmle.label | access to local variable destFilePath_notCanonicalized : String |
| ZipSlip.cs:39:45:39:73 | access to local variable destFilePath_notCanonicalized | semmle.label | access to local variable destFilePath_notCanonicalized |
| ZipSlip.cs:58:20:58:27 | access to local variable fullpath : String | semmle.label | access to local variable fullpath : String |
| ZipSlip.cs:58:31:58:75 | call to method Combine : String | semmle.label | call to method Combine : String |
| ZipSlip.cs:58:61:58:74 | access to property FullName : String | semmle.label | access to property FullName : String |
| ZipSlip.cs:62:33:62:40 | access to local variable fullpath | semmle.label | access to local variable fullpath |
| ZipSlip.cs:62:33:62:40 | access to local variable fullpath : String | semmle.label | access to local variable fullpath : String |
| ZipSlip.cs:64:29:64:36 | access to local variable fullpath : String | semmle.label | access to local variable fullpath : String |
| ZipSlip.cs:69:30:69:37 | access to local variable fullpath : String | semmle.label | access to local variable fullpath : String |
| ZipSlip.cs:71:37:71:44 | access to local variable fullpath | semmle.label | access to local variable fullpath |
| ZipSlip.cs:105:32:105:43 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
| ZipSlip.cs:105:47:105:86 | call to method Combine : String | semmle.label | call to method Combine : String |
| ZipSlip.cs:105:72:105:85 | access to property FullName : String | semmle.label | access to property FullName : String |
| ZipSlip.cs:107:73:107:84 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
| ZipSlip.cs:112:74:112:85 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
| ZipSlip.cs:114:71:114:82 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
| ZipSlip.cs:119:71:119:82 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
| ZipSlip.cs:119:71:119:82 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
| ZipSlip.cs:121:71:121:82 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
| ZipSlip.cs:126:57:126:68 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
| ZipSlip.cs:129:71:129:82 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
| ZipSlip.cs:134:58:134:69 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
| ZipSlip.cs:305:24:305:40 | access to local variable destinationOnDisk : String | semmle.label | access to local variable destinationOnDisk : String |
| ZipSlip.cs:305:44:305:95 | call to method GetFullPath : String | semmle.label | call to method GetFullPath : String |
| ZipSlip.cs:305:61:305:94 | call to method Combine : String | semmle.label | call to method Combine : String |
| ZipSlip.cs:305:80:305:93 | access to property FullName : String | semmle.label | access to property FullName : String |
| ZipSlip.cs:307:44:307:60 | access to local variable destinationOnDisk : String | semmle.label | access to local variable destinationOnDisk : String |
| ZipSlip.cs:308:37:308:53 | access to local variable destinationOnDisk | semmle.label | access to local variable destinationOnDisk |
| ZipSlipBad.cs:9:16:9:27 | access to local variable destFileName : String | semmle.label | access to local variable destFileName : String |
| ZipSlipBad.cs:9:31:9:73 | call to method Combine : String | semmle.label | call to method Combine : String |
| ZipSlipBad.cs:9:59:9:72 | access to property FullName : String | semmle.label | access to property FullName : String |
| ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | semmle.label | access to local variable destFileName |
subpaths