Add additional File taint value flow models

Adds - File::getAbsoluteFile - File::getCanonicalFile - File::getAbsolutePath - File::getCanonicalPath
2026-06-19 03:41:07 +02:00 · 2022-04-26 10:34:24 -04:00
parent 2a4d65f917
commit 2565cdb964
7 changed files with 27 additions and 39 deletions
--- a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
@@ -134,16 +134,6 @@ private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Conf
    source.asExpr() instanceof ExprSystemGetPropertyTempDirTainted
  }

-  /**
-   * Find dataflow from the temp directory system property to the `File` constructor.
-   * Examples:
-   *  - `new File(System.getProperty("java.io.tmpdir"))`
-   *  - `new File(new File(System.getProperty("java.io.tmpdir")), "/child")`
-   */
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    isAdditionalFileTaintStep(node1, node2)
-  }
-
  override predicate isSink(DataFlow::Node sink) {
    sink instanceof FileCreationSink and
    not any(TempDirSystemGetPropertyDirectlyToMkdirConfig config).hasFlowTo(sink)
--- a/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
@@ -35,32 +35,6 @@ predicate isFileConstructorArgument(Expr expSource, Expr exprDest, int paramCoun
  )
 }

-/**
- * A `File` method where the temporary directory is still part of the root path.
- */
-private class TaintFollowingFileMethod extends Method {
-  TaintFollowingFileMethod() {
-    this.getDeclaringType() instanceof TypeFile and
-    this.hasName(["getAbsoluteFile", "getCanonicalFile"])
-  }
-}
-
-private predicate isTaintPropagatingFileTransformation(Expr expSource, Expr exprDest) {
-  exists(MethodAccess fileMethodAccess |
-    fileMethodAccess.getMethod() instanceof TaintFollowingFileMethod and
-    fileMethodAccess.getQualifier() = expSource and
-    fileMethodAccess = exprDest
-  )
-}
-
-/**
- * Holds if taint should propagate from `node1` to `node2` across some file creation or transformation operation.
- * For example, `taintedFile.getCanonicalFile()` is itself tainted.
- */
-predicate isAdditionalFileTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-  isTaintPropagatingFileTransformation(node1.asExpr(), node2.asExpr())
-}
-
 /**
 * A method call to `java.io.File::setReadable`.
 */