Use hasTaintFlow marker

This commit is contained in:
Chris Smowton
2024-07-12 17:57:59 +01:00
committed by am0o0
parent 059a1389c6
commit 1cb9f6370f
3 changed files with 36 additions and 36 deletions


@@ -20,19 +20,19 @@ class fileAttr implements FileAttribute<String> {
public class CommonsIOPathInjection {
public void PathInjection(Path src, File srcF) throws IOException {
AsynchronousFileChannel.open(src); // $ PathInjection
AsynchronousFileChannel.open(src, LinkOption.NOFOLLOW_LINKS); // $ PathInjection
AsynchronousFileChannel.open(src); // $ hasTaintFlow
AsynchronousFileChannel.open(src, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow
AsynchronousFileChannel.open(
src, LinkOption.NOFOLLOW_LINKS, LinkOption.NOFOLLOW_LINKS); // $ PathInjection
src, LinkOption.NOFOLLOW_LINKS, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow
ExecutorService executor = Executors.newFixedThreadPool(10);
AsynchronousFileChannel.open(
src, Set.of(LinkOption.NOFOLLOW_LINKS), executor); // $ PathInjection
src, Set.of(LinkOption.NOFOLLOW_LINKS), executor); // $ hasTaintFlow
AsynchronousFileChannel.open(
src, // $ PathInjection
src, // $ hasTaintFlow
Set.of(LinkOption.NOFOLLOW_LINKS),
executor,
new fileAttr());
FileSystems.getFileSystem(srcF.toURI()); // $ PathInjection
FileSystems.getFileSystem(srcF.toURI()); // $ hasTaintFlow
}
}
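Review bot: The `LinkOption.NOFOLLOW_LINKS` variants of `AsynchronousFileChannel.open` keep a flow expectation after the marker switch, which is correct, but nothing in the test says why, and a reader could take the option for an attempted sanitizer that the query is expected to see through. I'd add one comment above the first such call: `// NOFOLLOW_LINKS only controls symlink resolution; it does not confine the path, so flow is still expected`. The same applies to the `Set.of(LinkOption.NOFOLLOW_LINKS)` overloads further down. The `PathInjection` method is wholly inside the hunk; the class header and the `fileAttr` class named in the hunk context are not.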


@@ -19,7 +19,7 @@ public class S3PathInjection {
UploadFileRequest.builder()
.putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
.addTransferListener(LoggingTransferListener.create())
.source(Paths.get(filePathURI)) // $ PathInjection
.source(Paths.get(filePathURI)) // $ hasTaintFlow
.build();
FileUpload fileUpload = this.transferManager.uploadFile(uploadFileRequest);
@@ -33,7 +33,7 @@ public class S3PathInjection {
UploadFileRequest.builder()
.putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
.addTransferListener(LoggingTransferListener.create())
.source(Paths.get(filePathURI)) // $ PathInjection
.source(Paths.get(filePathURI)) // $ hasTaintFlow
.build();
// Initiate the transfer
@@ -41,10 +41,10 @@ public class S3PathInjection {
// Pause the upload
ResumableFileUpload resumableFileUpload = upload.pause();
// Optionally, persist the resumableFileUpload
resumableFileUpload.serializeToFile(Paths.get(filePathURI)); // $ PathInjection
resumableFileUpload.serializeToFile(Paths.get(filePathURI)); // $ hasTaintFlow
// Retrieve the resumableFileUpload from the file
ResumableFileUpload persistedResumableFileUpload =
ResumableFileUpload.fromFile(Paths.get(filePathURI)); // $ PathInjection
ResumableFileUpload.fromFile(Paths.get(filePathURI)); // $ hasTaintFlow
// Resume the upload
FileUpload resumedUpload = this.transferManager.resumeUploadFile(persistedResumableFileUpload);
// Wait for the transfer to complete
@@ -59,7 +59,7 @@ public class S3PathInjection {
DownloadFileRequest.builder()
.getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
.addTransferListener(LoggingTransferListener.create())
.destination(Paths.get(downloadedFileWithPath)) // $ PathInjection
.destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow
.build();
// Initiate the transfer
@@ -67,10 +67,10 @@ public class S3PathInjection {
// Pause the download
ResumableFileDownload resumableFileDownload = download.pause();
// Optionally, persist the resumableFileDownload
resumableFileDownload.serializeToFile(Paths.get(downloadedFileWithPath)); // $ PathInjection
resumableFileDownload.serializeToFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow
// Retrieve the resumableFileDownload from the file
ResumableFileDownload persistedResumableFileDownload =
ResumableFileDownload.fromFile(Paths.get(downloadedFileWithPath)); // $ PathInjection
ResumableFileDownload.fromFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow
// Resume the download
FileDownload resumedDownload =
this.transferManager.resumeDownloadFile(persistedResumableFileDownload);
@@ -85,7 +85,7 @@ public class S3PathInjection {
DirectoryUpload directoryUpload =
this.transferManager.uploadDirectory(
UploadDirectoryRequest.builder()
.source(Paths.get(sourceDirectory)) // $ PathInjection
.source(Paths.get(sourceDirectory)) // $ hasTaintFlow
.bucket(this.bucketName)
.build());
@@ -98,7 +98,7 @@ public class S3PathInjection {
DownloadFileRequest.builder()
.getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
.addTransferListener(LoggingTransferListener.create())
.destination(Paths.get(downloadedFileWithPath)) // $ PathInjection
.destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow
.build();
FileDownload downloadFile = this.transferManager.downloadFile(downloadFileRequest);
@@ -111,7 +111,7 @@ public class S3PathInjection {
DirectoryDownload directoryDownload =
this.transferManager.downloadDirectory(
DownloadDirectoryRequest.builder()
.destination(Paths.get(destinationPathURI)) // $ PathInjection
.destination(Paths.get(destinationPathURI)) // $ hasTaintFlow
.bucket(this.bucketName)
.build());
CompletedDirectoryDownload completedDirectoryDownload =


@@ -18,30 +18,30 @@ public class SpringIoPathInjection {
Path filePath = fileStorageLocation.resolve(path).normalize();
File pathFile = new File(path);
new UrlResource(filePath.toUri()); // $ PathInjection
new UrlResource(filePath.toUri().toURL()); // $ PathInjection
new UrlResource("file", path); // $ PathInjection
new UrlResource("file", path, "#"); // $ PathInjection
new UrlResource(path); // $ PathInjection
new UrlResource(filePath.toUri()); // $ hasTaintFlow
new UrlResource(filePath.toUri().toURL()); // $ hasTaintFlow
new UrlResource("file", path); // $ hasTaintFlow
new UrlResource("file", path, "#"); // $ hasTaintFlow
new UrlResource(path); // $ hasTaintFlow
new PathResource(path); // $ PathInjection
new PathResource(filePath); // $ PathInjection
new PathResource(filePath.toUri()); // $ PathInjection
new PathResource(path); // $ hasTaintFlow
new PathResource(filePath); // $ hasTaintFlow
new PathResource(filePath.toUri()); // $ hasTaintFlow
new FileUrlResource(filePath.toUri().toURL()); // $ PathInjection
new FileUrlResource(path); // $ PathInjection
new FileUrlResource(filePath.toUri().toURL()); // $ hasTaintFlow
new FileUrlResource(path); // $ hasTaintFlow
new FileSystemResource(pathFile); // $ PathInjection
new FileSystemResource(path); // $ PathInjection
new FileSystemResource(filePath); // $ PathInjection
new FileSystemResource(pathFile); // $ hasTaintFlow
new FileSystemResource(path); // $ hasTaintFlow
new FileSystemResource(filePath); // $ hasTaintFlow
new FileSystemResource(
FileSystems.getFileSystem(URI.create("file:///")), path); // $ PathInjection
FileSystems.getFileSystem(URI.create("file:///")), path); // $ hasTaintFlow
FileSystemUtils.copyRecursively(filePath, filePath.resolve("/newPath")); // $ PathInjection
FileSystemUtils.copyRecursively(pathFile, pathFile); // $ PathInjection
FileSystemUtils.deleteRecursively(pathFile); // $ PathInjection
FileSystemUtils.deleteRecursively(filePath); // $ PathInjection
FileCopyUtils.copy(pathFile, pathFile); // $ PathInjection
FileCopyUtils.copyToByteArray(pathFile); // $ PathInjection
FileSystemUtils.copyRecursively(filePath, filePath.resolve("/newPath")); // $ hasTaintFlow
FileSystemUtils.copyRecursively(pathFile, pathFile); // $ hasTaintFlow
FileSystemUtils.deleteRecursively(pathFile); // $ hasTaintFlow
FileSystemUtils.deleteRecursively(filePath); // $ hasTaintFlow
FileCopyUtils.copy(pathFile, pathFile); // $ hasTaintFlow
FileCopyUtils.copyToByteArray(pathFile); // $ hasTaintFlow
}
}
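Review bot: Every use of `filePath`, built as `fileStorageLocation.resolve(path).normalize()`, still carries a flow expectation, which is right — `normalize()` collapses `..` segments but does not confine the result to `fileStorageLocation` — yet the file has no negative case, so with the generic `hasTaintFlow` marker nothing checks that the usual guard (`normalize()` followed by a `startsWith` check against the base) is still treated as a sanitizer. I'd add one unmarked case such as `Path confined = fileStorageLocation.resolve(path).normalize(); if (confined.startsWith(fileStorageLocation)) new PathResource(confined);` with no `$` expectation, so a regression that loses the sanitizer shows up as an unexpected result. Whether the query under test models that guard I can't tell from this file. The enclosing method's signature and the declarations of `path` and `fileStorageLocation` are outside the hunk.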