Partial Path Traversal split into 2 queries

2025-12-20 10:46:30 +01:00 · 2022-07-20 17:39:57 -04:00
parent b7e522749f
commit 09ec37943c
7 changed files with 125 additions and 69 deletions
--- a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.ql
+++ b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.ql
@@ -10,57 +10,7 @@
 *       external/cwe/cwe-023
 */

-import java
-private import semmle.code.java.dataflow.DataFlow
-private import semmle.code.java.environment.SystemProperty
+import semmle.code.java.security.PartialPathTraversal

-class MethodStringStartsWith extends Method {
-  MethodStringStartsWith() {
-    this.getDeclaringType() instanceof TypeString and
-    this.hasName("startsWith")
-  }
-}
-
-class MethodFileGetCanonicalPath extends Method {
-  MethodFileGetCanonicalPath() {
-    this.getDeclaringType() instanceof TypeFile and
-    this.hasName("getCanonicalPath")
-  }
-}
-
-class MethodAccessFileGetCanonicalPath extends MethodAccess {
-  MethodAccessFileGetCanonicalPath() { this.getMethod() instanceof MethodFileGetCanonicalPath }
-}
-
-abstract class FileSeparatorExpr extends Expr { }
-
-class SystemPropFileSeparatorExpr extends FileSeparatorExpr {
-  SystemPropFileSeparatorExpr() { this = getSystemProperty("file.separator") }
-}
-
-class StringLiteralFileSeparatorExpr extends FileSeparatorExpr, StringLiteral {
-  StringLiteralFileSeparatorExpr() {
-    this.getValue().matches("%/") or this.getValue().matches("%\\")
-  }
-}
-
-class CharacterLiteralFileSeparatorExpr extends FileSeparatorExpr, CharacterLiteral {
-  CharacterLiteralFileSeparatorExpr() { this.getValue() = "/" or this.getValue() = "\\" }
-}
-
-class FileSeparatorAppend extends AddExpr {
-  FileSeparatorAppend() { this.getRightOperand() instanceof FileSeparatorExpr }
-}
-
-predicate isSafe(Expr expr) {
-  DataFlow::localExprFlow(any(Expr e |
-      e instanceof FileSeparatorAppend or e instanceof FileSeparatorExpr
-    ), expr)
-}
-
-from MethodAccess ma
-where
-  ma.getMethod() instanceof MethodStringStartsWith and
-  DataFlow::localExprFlow(any(MethodAccessFileGetCanonicalPath gcpma), ma.getQualifier()) and
-  not isSafe(ma.getArgument(0))
+from PartialPathTraversalMethodAccess ma
 select ma, "Partial Path Traversal Vulnerability due to insufficient guard against path traversal"
--- a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
+++ b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Partial Path Traversal Vulnerability From Remote
+ * @description A prefix used to check that a canonicalised path falls within another must be slash-terminated.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.3
+ * @precision high
+ * @id java/partial-path-traversal-from-remote
+ * @tags security
+ *       external/cwe/cwe-023
+ */
+
+import semmle.code.java.security.PartialPathTraversalQuery
+
+from DataFlow::PathNode source, DataFlow::PathNode sink
+where any(PartialPathTraversalFromRemoteConfig config).hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Partial Path Traversal Vulnerability due to insufficient guard against path traversal from user-supplied data"