add the snappy missed sink

2026-04-25 16:55:19 +02:00 · 2024-07-13 11:15:45 +02:00
parent 8c106964ec
commit 025aa77e79
2 changed files with 18 additions and 1 deletions
--- a/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll
@@ -58,6 +58,23 @@ module XerialSnappy {
    }
  }

+  /**
+   * Gets `n1` and `n2` which `SnappyInputStream n2 = new SnappyInputStream(n1)` or
+   * `n1.read(n2)`,
+   *  second one is added because of sanitizer, we want to compare return value of each `read` or similar method
+   *  that whether there is a flow to a comparison between total read of decompressed stream and a constant value
+   */
+  private class InputStreamAdditionalTaintStep extends DecompressionBomb::AdditionalStep {
+    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(Call call |
+        // Constructors
+        call.getCallee().getDeclaringType() = any(TypeInputStream t) and
+        call.getArgument(0) = n1.asExpr() and
+        call = n2.asExpr()
+      )
+    }
+  }
+
  class Sink extends DecompressionBomb::Sink {
    Sink() {
      this.asExpr() = any(ReadInputStreamCall r).getQualifier()
--- a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/SnappyHandler.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/SnappyHandler.java
@@ -12,7 +12,7 @@ public class SnappyHandler {
        byte[] readBuffer = new byte[4096];
        try (SnappyInputStream zipInputStream = new SnappyInputStream(inputStream)) {  // $ hasTaintFlow="inputStream"
            try (OutputStream outputStream = Files.newOutputStream(Paths.get("extractedFile"))) {
-                while ((readLen = zipInputStream.read(readBuffer)) != -1) {
+                while ((readLen = zipInputStream.read(readBuffer)) != -1) { // $ hasTaintFlow="zipInputStream"
                    outputStream.write(readBuffer, 0, readLen);
                }
            }