Java/C++/C#: Add support for BarrierGuards.

2026-01-05 18:50:23 +01:00 · 2019-08-09 11:12:00 +02:00
parent 5e910a4808
commit 4550175b16
24 changed files with 221 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -17,6 +17,17 @@ import semmle.code.java.dataflow.FlowSources
 import PathsCommon
 import DataFlow::PathGraph

+class ContainsDotDotSanitizer extends DataFlow::BarrierGuard {
+  ContainsDotDotSanitizer() {
+    this.(MethodAccess).getMethod().hasName("contains") and
+    this.(MethodAccess).getAnArgument().(StringLiteral).getValue() = ".."
+  }
+
+  override predicate checks(Expr e, boolean branch) {
+    e = this.(MethodAccess).getQualifier() and branch = false
+  }
+}
+
 class TaintedPathConfig extends TaintTracking::Configuration {
  TaintedPathConfig() { this = "TaintedPathConfig" }

@@ -29,6 +40,10 @@ class TaintedPathConfig extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node node) {
    exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType)
  }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof ContainsDotDotSanitizer
+  }
 }

 from DataFlow::PathNode source, DataFlow::PathNode sink, PathCreation p, TaintedPathConfig conf