update tests and use TaintFlowTestArgString

add stubs
add missed sink models

java/ql/test/experimental/query-tests/security/CWE-022/AmazonS3.java

@@ -1,15 +1,24 @@
-package com.PathInjection;
-
 import software.amazon.awssdk.transfer.s3.S3TransferManager;
-import software.amazon.awssdk.transfer.s3.model.*;
+import software.amazon.awssdk.transfer.s3.model.UploadFileRequest;
+import software.amazon.awssdk.transfer.s3.model.FileUpload;
+import software.amazon.awssdk.transfer.s3.model.FileDownload;
+import software.amazon.awssdk.transfer.s3.model.DirectoryUpload;
+import software.amazon.awssdk.transfer.s3.model.CompletedDirectoryUpload;
+import software.amazon.awssdk.transfer.s3.model.DirectoryDownload;
+import software.amazon.awssdk.transfer.s3.model.CompletedDirectoryDownload;
+import software.amazon.awssdk.transfer.s3.model.DownloadDirectoryRequest;
+import software.amazon.awssdk.transfer.s3.model.DownloadFileRequest;
+import software.amazon.awssdk.transfer.s3.model.ResumableFileUpload;
+import software.amazon.awssdk.transfer.s3.model.UploadDirectoryRequest;
+import software.amazon.awssdk.transfer.s3.model.ResumableFileDownload;
+import software.amazon.awssdk.transfer.s3.model.CompletedFileUpload;
+import software.amazon.awssdk.transfer.s3.model.CompletedFileDownload;
 import software.amazon.awssdk.transfer.s3.progress.LoggingTransferListener;
 
-import java.net.MalformedURLException;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.nio.file.Paths;
 
-public class S3PathInjection {
+public class AmazonS3 {
   S3TransferManager transferManager = S3TransferManager.create();
   String bucketName = "bucketTest";
   String key = "keyTest";
@@ -19,7 +28,7 @@ public class S3PathInjection {
         UploadFileRequest.builder()
             .putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .source(Paths.get(filePathURI)) // $ hasTaintFlow
+            .source(Paths.get(filePathURI)) // $ hasTaintFlow="get(...)"
             .build();
 
     FileUpload fileUpload = this.transferManager.uploadFile(uploadFileRequest);
@@ -33,7 +42,7 @@ public class S3PathInjection {
         UploadFileRequest.builder()
             .putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .source(Paths.get(filePathURI)) // $ hasTaintFlow
+            .source(Paths.get(filePathURI)) // $ hasTaintFlow="get(...)"
             .build();
 
     // Initiate the transfer
@@ -41,10 +50,10 @@ public class S3PathInjection {
     // Pause the upload
     ResumableFileUpload resumableFileUpload = upload.pause();
     // Optionally, persist the resumableFileUpload
-    resumableFileUpload.serializeToFile(Paths.get(filePathURI)); // $ hasTaintFlow
+    resumableFileUpload.serializeToFile(Paths.get(filePathURI)); // $ hasTaintFlow="get(...)"
     // Retrieve the resumableFileUpload from the file
     ResumableFileUpload persistedResumableFileUpload =
-        ResumableFileUpload.fromFile(Paths.get(filePathURI)); // $ hasTaintFlow
+        ResumableFileUpload.fromFile(Paths.get(filePathURI)); // $ hasTaintFlow="get(...)"
     // Resume the upload
     FileUpload resumedUpload = this.transferManager.resumeUploadFile(persistedResumableFileUpload);
     // Wait for the transfer to complete
@@ -59,7 +68,7 @@ public class S3PathInjection {
         DownloadFileRequest.builder()
             .getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow
+            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow="get(...)"
             .build();
 
     // Initiate the transfer
@@ -67,10 +76,10 @@ public class S3PathInjection {
     // Pause the download
     ResumableFileDownload resumableFileDownload = download.pause();
     // Optionally, persist the resumableFileDownload
-    resumableFileDownload.serializeToFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow
+    resumableFileDownload.serializeToFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow="get(...)"
     // Retrieve the resumableFileDownload from the file
     ResumableFileDownload persistedResumableFileDownload =
-        ResumableFileDownload.fromFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow
+        ResumableFileDownload.fromFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow="get(...)"
     // Resume the download
     FileDownload resumedDownload =
         this.transferManager.resumeDownloadFile(persistedResumableFileDownload);
@@ -85,7 +94,7 @@ public class S3PathInjection {
     DirectoryUpload directoryUpload =
         this.transferManager.uploadDirectory(
             UploadDirectoryRequest.builder()
-                .source(Paths.get(sourceDirectory)) // $ hasTaintFlow
+                .source(Paths.get(sourceDirectory)) // $ hasTaintFlow="get(...)"
                 .bucket(this.bucketName)
                 .build());
 
@@ -98,7 +107,7 @@ public class S3PathInjection {
         DownloadFileRequest.builder()
             .getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow
+            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow="get(...)"
             .build();
 
     FileDownload downloadFile = this.transferManager.downloadFile(downloadFileRequest);
@@ -111,7 +120,7 @@ public class S3PathInjection {
     DirectoryDownload directoryDownload =
         this.transferManager.downloadDirectory(
             DownloadDirectoryRequest.builder()
-                .destination(Paths.get(destinationPathURI)) // $ hasTaintFlow
+                .destination(Paths.get(destinationPathURI)) // $ hasTaintFlow="get(...)"
                 .bucket(this.bucketName)
                 .build());
     CompletedDirectoryDownload completedDirectoryDownload =

java/ql/test/experimental/query-tests/security/CWE-022/JavaNio.java

@@ -1,38 +1,39 @@
-package com.PathInjection;
-
-import java.io.*;
+import java.io.IOException;
+import java.io.File;
 import java.nio.channels.AsynchronousFileChannel;
-import java.nio.file.*;
+import java.nio.file.Path;
+import java.nio.file.LinkOption;
+import java.nio.file.FileSystems;
 import java.nio.file.attribute.FileAttribute;
 import java.util.Set;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 
-class fileAttr implements FileAttribute<String> {
-  public String name() {
-    return "file";
+public class JavaNio {
+  static class FileAttr implements FileAttribute<String> {
+    public String name() {
+      return "file";
+    }
+
+    public String value() {
+      return "value";
+    }
   }
 
-  public String value() {
-    return "value";
-  }
-}
-
-public class CommonsIOPathInjection {
   public void PathInjection(Path src, File srcF) throws IOException {
-    AsynchronousFileChannel.open(src); // $ hasTaintFlow
-    AsynchronousFileChannel.open(src, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow
+    AsynchronousFileChannel.open(src); // $ hasTaintFlow="src"
+    AsynchronousFileChannel.open(src, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow="src"
     AsynchronousFileChannel.open(
-        src, LinkOption.NOFOLLOW_LINKS, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow
+        src, LinkOption.NOFOLLOW_LINKS, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow="src"
     ExecutorService executor = Executors.newFixedThreadPool(10);
     AsynchronousFileChannel.open(
-        src, Set.of(LinkOption.NOFOLLOW_LINKS), executor); // $ hasTaintFlow
+        src, Set.of(LinkOption.NOFOLLOW_LINKS), executor); // $ hasTaintFlow="src"
     AsynchronousFileChannel.open(
-        src, // $ hasTaintFlow
+        src, // $ hasTaintFlow="src"
         Set.of(LinkOption.NOFOLLOW_LINKS),
         executor,
-        new fileAttr());
+        new FileAttr());
 
-    FileSystems.getFileSystem(srcF.toURI()); // $ hasTaintFlow
+    FileSystems.getFileSystem(srcF.toURI()); // $ hasTaintFlow="toURI(...)"
   }
 }

java/ql/test/experimental/query-tests/security/CWE-022/Main.java

@@ -0,0 +1,35 @@
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
+import java.net.Socket;
+
+public class Main {
+  public void sendUserFileGood(Socket sock) throws IOException {
+    BufferedReader filenameReader =
+        new BufferedReader(new InputStreamReader(sock.getInputStream(), StandardCharsets.UTF_8));
+    String path = filenameReader.readLine();
+    Path src = Path.of(path);
+    File srcF = new File(path);
+
+    new JavaNio().PathInjection(src, srcF);
+
+    new SpringIo().PathInjection(path);
+
+    AmazonS3 s3PathInjection = new AmazonS3();
+    s3PathInjection.downloadFileResumable(src.toUri());
+    s3PathInjection.downloadFile(path);
+    s3PathInjection.downloadObjectsToDirectory(src.toUri());
+    s3PathInjection.uploadFileResumable(src.toUri());
+    s3PathInjection.uploadDirectory(src.toUri());
+    s3PathInjection.uploadFile(src.toUri());
+
+    Zip4j zip4jfile = new Zip4j();
+    zip4jfile.PathInjection(path);
+
+    ZipFile zipfile = new ZipFile();
+    zipfile.PathInjection(path);
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-022/PathInjection.iml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module version="4">
+  <component name="AdditionalModuleElements">
+    <content url="file://$MODULE_DIR$" dumb="true">
+      <sourceFolder url="file://$MODULE_DIR$" isTestSource="false" />
+    </content>
+  </component>
+</module>

java/ql/test/experimental/query-tests/security/CWE-022/SpringIo.java

@@ -0,0 +1,46 @@
+import java.io.File;
+import java.io.IOException;
+import java.net.URI;
+import java.nio.file.FileSystems;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import org.springframework.core.io.FileUrlResource;
+import org.springframework.core.io.FileSystemResource;
+import org.springframework.core.io.PathResource;
+import org.springframework.core.io.UrlResource;
+import org.springframework.util.FileCopyUtils;
+import org.springframework.util.FileSystemUtils;
+
+public class SpringIo {
+  public void PathInjection(String path) throws IOException {
+    Path fileStorageLocation = Paths.get(path).toAbsolutePath().normalize();
+    Path filePath = fileStorageLocation.resolve(path).normalize();
+    File pathFile = new File(path);
+
+    new UrlResource(filePath.toUri()); // $ hasTaintFlow="toUri(...)"
+    new UrlResource(filePath.toUri().toURL()); // $ hasTaintFlow="toURL(...)"
+    new UrlResource("file", path); // $ hasTaintFlow="path"
+    new UrlResource("file", path, "#"); // $ hasTaintFlow="path"
+    new UrlResource(path); // $ hasTaintFlow="path"
+
+    new PathResource(path); // $ hasTaintFlow="path"
+    new PathResource(filePath); // $ hasTaintFlow="filePath"
+    new PathResource(filePath.toUri()); // $ hasTaintFlow="toUri(...)"
+
+    new FileUrlResource(filePath.toUri().toURL()); // $ hasTaintFlow="toURL(...)"
+    new FileUrlResource(path); // $ hasTaintFlow="path"
+
+    new FileSystemResource(pathFile); // $ hasTaintFlow="pathFile"
+    new FileSystemResource(path); // $ hasTaintFlow="path"
+    new FileSystemResource(filePath); // $ hasTaintFlow="filePath"
+    new FileSystemResource(
+        FileSystems.getFileSystem(URI.create("file:///")), path); // $ hasTaintFlow="path"
+
+    FileSystemUtils.copyRecursively(filePath, filePath.resolve("/newPath")); // $ hasTaintFlow="filePath" hasTaintFlow="resolve(...)"
+    FileSystemUtils.copyRecursively(pathFile, pathFile); // $ hasTaintFlow="pathFile"
+    FileSystemUtils.deleteRecursively(pathFile); // $ hasTaintFlow="pathFile"
+    FileSystemUtils.deleteRecursively(filePath); // $ hasTaintFlow="filePath"
+    FileCopyUtils.copy(pathFile, pathFile); // $ hasTaintFlow="pathFile"
+    FileCopyUtils.copyToByteArray(pathFile); // $ hasTaintFlow="pathFile"
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-022/TaintedPath.ql

@@ -1,4 +1,9 @@
 import java
 import TestUtilities.InlineFlowTest
 import semmle.code.java.security.TaintedPathQuery
-import TaintFlowTest<TaintedPathConfig>
+import TaintFlowTestArgString<TaintedPathConfig, getArgString/2>
+
+string getArgString(DataFlow::Node src, DataFlow::Node sink) {
+  exists(src) and
+  result = "\"" + sink.toString() + "\""
+}

java/ql/test/experimental/query-tests/security/CWE-022/Zip4j.java

@@ -0,0 +1,9 @@
+import java.io.IOException;
+import net.lingala.zip4j.ZipFile;
+
+public class Zip4j {
+  public void PathInjection(String path) throws IOException {
+    ZipFile zipfile = new ZipFile(path); // $ hasTaintFlow="path"
+    zipfile.extractAll(path); // $ hasTaintFlow="path"
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-022/ZipFile.java

@@ -0,0 +1,7 @@
+import java.io.IOException;
+
+public class ZipFile {
+  public void PathInjection(String path) throws IOException {
+    new java.util.zip.ZipFile(path); // $ hasTaintFlow="path"
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-022/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/lingala-zip4j-2.11.5:${testdir}/../../../stubs/software-amazon-awssdk-crt-0.20.3:${testdir}/../../../stubs/org-springframework-6.1.4

java/ql/test/experimental/query-tests/security/CWE-022/src/main/java/com/PathInjection/HelloServlet.java

@@ -1,45 +0,0 @@
-package com.PathInjection;
-
-import java.io.*;
-import java.io.IOException;
-import java.net.URISyntaxException;
-import java.nio.file.Path;
-import javax.servlet.annotation.MultipartConfig;
-import javax.servlet.annotation.WebServlet;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import net.lingala.zip4j.ZipFile;
-
-@WebServlet(
-    name = "helloServlet",
-    urlPatterns = {"/hello"})
-@MultipartConfig()
-public class HelloServlet extends HttpServlet {
-
-  public void init() {}
-
-  public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
-    String path = request.getParameter("path");
-    Path src = Path.of(path);
-    File srcF = new File(path);
-    new CommonsIOPathInjection().PathInjection(src, srcF);
-    new SpringIoPathInjection().PathInjection(path);
-    S3PathInjection s3PathInjection = new S3PathInjection();
-    s3PathInjection.downloadFileResumable(src.toUri());
-    s3PathInjection.downloadFile(path);
-    s3PathInjection.downloadObjectsToDirectory(src.toUri());
-    s3PathInjection.uploadFileResumable(src.toUri());
-    s3PathInjection.uploadDirectory(src.toUri());
-    s3PathInjection.uploadFile(src.toUri());
-
-    ZipFile zipfile = new ZipFile(path);
-    zipfile.extractAll(path);
-    new java.util.zip.ZipFile(path);
-
-    PrintWriter out = response.getWriter();
-    response.setContentType("text/html");
-    out.println("<html><body>end</body></html>");
-  }
-}

java/ql/test/experimental/query-tests/security/CWE-022/src/main/java/com/PathInjection/SpringIoPathInjection.java

@@ -1,47 +0,0 @@
-package com.PathInjection;
-
-import java.io.*;
-import java.io.IOException;
-import java.net.URI;
-import java.nio.file.FileSystems;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-
-import org.springframework.core.io.*;
-import org.springframework.util.FileCopyUtils;
-import org.springframework.util.FileSystemUtils;
-import org.springframework.util.ResourceUtils;
-
-public class SpringIoPathInjection {
-  public void PathInjection(String path) throws IOException {
-    Path fileStorageLocation = Paths.get(path).toAbsolutePath().normalize();
-    Path filePath = fileStorageLocation.resolve(path).normalize();
-    File pathFile = new File(path);
-
-    new UrlResource(filePath.toUri()); // $ hasTaintFlow
-    new UrlResource(filePath.toUri().toURL()); // $ hasTaintFlow
-    new UrlResource("file", path); // $ hasTaintFlow
-    new UrlResource("file", path, "#"); // $ hasTaintFlow
-    new UrlResource(path); // $ hasTaintFlow
-
-    new PathResource(path); // $ hasTaintFlow
-    new PathResource(filePath); // $ hasTaintFlow
-    new PathResource(filePath.toUri()); // $ hasTaintFlow
-
-    new FileUrlResource(filePath.toUri().toURL()); // $ hasTaintFlow
-    new FileUrlResource(path); // $ hasTaintFlow
-
-    new FileSystemResource(pathFile); // $ hasTaintFlow
-    new FileSystemResource(path); // $ hasTaintFlow
-    new FileSystemResource(filePath); // $ hasTaintFlow
-    new FileSystemResource(
-        FileSystems.getFileSystem(URI.create("file:///")), path); // $ hasTaintFlow
-
-    FileSystemUtils.copyRecursively(filePath, filePath.resolve("/newPath")); // $ hasTaintFlow
-    FileSystemUtils.copyRecursively(pathFile, pathFile); // $ hasTaintFlow
-    FileSystemUtils.deleteRecursively(pathFile); // $ hasTaintFlow
-    FileSystemUtils.deleteRecursively(filePath); // $ hasTaintFlow
-    FileCopyUtils.copy(pathFile, pathFile); // $ hasTaintFlow
-    FileCopyUtils.copyToByteArray(pathFile); // $ hasTaintFlow
-  }
-}