add the snappy missed sink
@@ -58,6 +58,23 @@ module XerialSnappy {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets `n1` and `n2` which `SnappyInputStream n2 = new SnappyInputStream(n1)` or
|
||||
* `n1.read(n2)`,
|
||||
* second one is added because of sanitizer, we want to compare return value of each `read` or similar method
|
||||
* that whether there is a flow to a comparison between total read of decompressed stream and a constant value
|
||||
*/
|
||||
private class InputStreamAdditionalTaintStep extends DecompressionBomb::AdditionalStep {
|
||||
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
exists(Call call |
|
||||
// Constructors
|
||||
call.getCallee().getDeclaringType() = any(TypeInputStream t) and
|
||||
call.getArgument(0) = n1.asExpr() and
|
||||
call = n2.asExpr()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
class Sink extends DecompressionBomb::Sink {
|
||||
Sink() {
|
||||
this.asExpr() = any(ReadInputStreamCall r).getQualifier()
|
||||
|
||||
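Review bot: The QLDoc on the new `InputStreamAdditionalTaintStep` promises two steps, the constructor `SnappyInputStream n2 = new SnappyInputStream(n1)` and `n1.read(n2)`, but `step` only relates argument 0 of a call to the call expression itself, so the `read` case it describes is never produced and the sentences about comparing the return value of `read` with a constant do not match what the predicate does. Conversely the `// Constructors` comment understates it: `Call` also covers method calls, so any method declared on `TypeInputStream` that receives the tainted value as its first argument (an overriding `read(byte[])`, for instance) would propagate taint from the buffer to the call's result, which looks unintended for a decompression-bomb step. If only the constructor is meant, add `call instanceof ClassInstanceExpr and` before the declaring-type check and reword the QLDoc to the predicate convention, e.g. a one-line "Holds if `n2` is a `new SnappyInputStream(n1)`-style construction, so taint flows from the wrapped stream to the decompressing stream"; if a `read` step is also meant, it needs its own disjunct and the comment should describe it. The definition of `TypeInputStream` is outside this hunk, so whether constructor calls match its declaring-type check at all depends on how that class is declared in this module.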
@@ -12,7 +12,7 @@ public class SnappyHandler {
|
||||
byte[] readBuffer = new byte[4096];
|
||||
try (SnappyInputStream zipInputStream = new SnappyInputStream(inputStream)) { // $ hasTaintFlow="inputStream"
|
||||
try (OutputStream outputStream = Files.newOutputStream(Paths.get("extractedFile"))) {
|
||||
while ((readLen = zipInputStream.read(readBuffer)) != -1) {
|
||||
while ((readLen = zipInputStream.read(readBuffer)) != -1) { // $ hasTaintFlow="zipInputStream"
|
||||
outputStream.write(readBuffer, 0, readLen);
|
||||
}
|
||||
}
|
||||
|
||||