Improve ZipSlip exclusion to take varargs into account

2026-04-25 00:35:20 +02:00 · 2023-06-07 09:25:42 +02:00
parent 8001ae9669
commit 27763d6bbe
1 changed files with 4 additions and 1 deletions
--- a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
@@ -54,7 +54,10 @@ private class FileCreationSink extends DataFlow::Node {
 */
 private predicate isPathCreation(DataFlow::Node sink) {
  exists(PathCreation pc |
-    pc.getAnInput() = sink.asExpr() and
+    pc.getAnInput() = sink.asExpr()
+    or
+    pc.getAnInput().(Argument).isVararg() and sink.(DataFlow::ImplicitVarargsArray).getCall() = pc
+  |
    // exclude actual read/write operations included in `PathCreation`
    not pc.(Call)
        .getCallee()