Migrate path injection sinks to MaD

Deprecate and stop using PathCreation

Path creation sinks are now summaries

java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -18,21 +18,7 @@ import semmle.code.java.security.PathCreation
 import semmle.code.java.security.TaintedPathQuery
 import TaintedPathFlow::PathGraph
 
-/**
- * Gets the data-flow node at which to report a path ending at `sink`.
- *
- * Previously this query flagged alerts exclusively at `PathCreation` sites,
- * so to avoid perturbing existing alerts, where a `PathCreation` exists we
- * continue to report there; otherwise we report directly at `sink`.
- */
-DataFlow::Node getReportingNode(DataFlow::Node sink) {
-  TaintedPathFlow::flowTo(sink) and
-  if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
-  then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
-  else result = sink
-}
-
 from TaintedPathFlow::PathNode source, TaintedPathFlow::PathNode sink
 where TaintedPathFlow::flowPath(source, sink)
-select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
-  source.getNode(), "user-provided value"
+select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
+  "user-provided value"

java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql

@@ -18,21 +18,7 @@ import semmle.code.java.security.PathCreation
 import semmle.code.java.security.TaintedPathQuery
 import TaintedPathLocalFlow::PathGraph
 
-/**
- * Gets the data-flow node at which to report a path ending at `sink`.
- *
- * Previously this query flagged alerts exclusively at `PathCreation` sites,
- * so to avoid perturbing existing alerts, where a `PathCreation` exists we
- * continue to report there; otherwise we report directly at `sink`.
- */
-DataFlow::Node getReportingNode(DataFlow::Node sink) {
-  TaintedPathLocalFlow::flowTo(sink) and
-  if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
-  then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
-  else result = sink
-}
-
 from TaintedPathLocalFlow::PathNode source, TaintedPathLocalFlow::PathNode sink
 where TaintedPathLocalFlow::flowPath(source, sink)
-select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
-  source.getNode(), "user-provided value"
+select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
+  "user-provided value"

java/ql/src/change-notes/2023-04-20-path-injection-precision-improved.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The sinks of the queries `java/path-injection` and `java/path-injection-local` have been reworked. Path creation sinks have been converted to summaries instead, while sinks now are actual file read/write operations only. This has reduced the false positive ratio of both queries.

java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql

@@ -16,6 +16,10 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.FlowSources
+<<<<<<< HEAD
+=======
+import semmle.code.java.security.TaintedPathQuery
+>>>>>>> 9e469c9c32 (Migrate path injection sinks to MaD)
 import JFinalController
 import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.security.Sanitizers
@@ -52,7 +56,11 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
+<<<<<<< HEAD
     sinkNode(sink, "path-injection") and
+=======
+    sink instanceof TaintedPathSink and
+>>>>>>> 9e469c9c32 (Migrate path injection sinks to MaD)
     not sink instanceof NormalizedPathNode
   }