Track taint through java.io.File constructor and #toURI; URI#toURL

2026-02-28 21:03:50 +01:00 · 2020-10-10 20:29:01 +02:00
parent c8cacb9fee
commit 0c70be145f
3 changed files with 15 additions and 0 deletions
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -234,6 +234,11 @@ private predicate constructorStep(Expr tracked, ConstructorCall sink) {
      or
      //a URI constructed from a tainted string is tainted.
      s = "java.net.URI" and argi = 0 and sink.getNumArgument() = 1
+      or
+      //a File constructed from a tainted string is tainted.
+      s = "java.io.File" and argi = 0
+      or
+      s = "java.io.File" and argi = 1
    )
    or
    exists(RefType t | t.getQualifiedName() = "java.lang.Number" |
@@ -372,6 +377,12 @@ private predicate taintPreservingQualifierToMethod(Method m) {
  m.getDeclaringType().hasQualifiedName("java.nio", "ByteBuffer") and
  m.hasName("get")
  or
+  m.getDeclaringType().hasQualifiedName("java.io", "File") and
+  m.hasName("toURI")
+  or
+  m.getDeclaringType().hasQualifiedName("java.net", "URI") and
+  m.hasName("toURL")
+  or
  m = any(GuiceProvider gp).getAnOverridingGetMethod()
  or
  m = any(ProtobufMessageLite p).getAGetterMethod()