Java: fix replacement char check and add tests

This commit is contained in:
Jami Cogswell
2025-03-17 16:02:13 -04:00
parent 3083360032
commit 49d37c517d
2 changed files with 29 additions and 3 deletions


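--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -419,7 +419,8 @@ private predicate replacesDirectoryCharactersWithSingleReplaceAll(
 ) {
 exists(CompileTimeConstantExpr target, string targetValue |
 isReplaceAllTarget(replaceAllCall, target) and
-target.getStringValue() = targetValue
+target.getStringValue() = targetValue and
+replaceAllCall.getArgument(1).(CompileTimeConstantExpr).getStringValue() = getAReplacementChar()
 |
 not targetValue.matches("%[^%]%") and
 targetValue.matches("[%.%]") and
@@ -460,6 +461,7 @@ private predicate replacesDirectoryCharactersWithDoubleReplaceOrReplaceAll(
 rc2.getQualifier() = rc1 and
 target1.getStringValue() = targetValue1 and
 target2.getStringValue() = targetValue2 and
+rc1.getArgument(1).(CompileTimeConstantExpr).getStringValue() = getAReplacementChar() and
 rc2.getArgument(1).(CompileTimeConstantExpr).getStringValue() = getAReplacementChar() and
 // make sure the calls replace different characters
 targetValue2 != targetValue1 and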
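Review bot: The QLDoc of `replacesDirectoryCharactersWithSingleReplaceAll` (above the first hunk, outside it) presumably still describes only the target pattern; with the new conjunct on `replaceAllCall.getArgument(1)` it should also state that the replacement argument must be a compile-time constant whose value is produced by `getAReplacementChar()`, otherwise the call is not treated as a sanitizer. A sentence such as `Holds only if the replacement string is a compile-time constant accepted by getAReplacementChar(); a non-constant replacement is conservatively not considered a sanitizer.` would capture this, and the same applies to the `rc1` conjunct added in the second hunk. The `.(CompileTimeConstantExpr)` cast means a non-constant replacement silently falls outside both predicates, which is the safe direction for a sanitizer, but nothing in the commit's tests pins that case, so a test with a non-literal replacement argument would document it. Both predicates start before and end after their hunks.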


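--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -716,14 +716,20 @@ public class Test {
 }
 {
 String source = (String) source();
-source = source.replaceAll("\\.|[/\\\\]", "");
+source = source.replaceAll("\\.|[/\\\\]", "-");
 sink(source); // Safe
 }
 {
 String source = (String) source();
-source = source.replaceAll("[.][.]|[/\\\\]", "");
+source = source.replaceAll("[.][.]|[/\\\\]", "_");
 sink(source); // Safe
 }
+{
+String source = (String) source();
+// test a not-accepted replacement character
+source = source.replaceAll("[.][.]|[/\\\\]", "/");
+sink(source); // $ hasTaintFlow
+}
 {
 String source = (String) source();
 source = source.replaceAll(".|[/\\\\]", "");
@@ -761,6 +767,24 @@ public class Test {
 source = source.replaceAll("\\.", "").replaceAll("/", "");
 sink(source); // Safe
 }
+{
+String source = (String) source();
+// test a not-accepted replacement character in each call
+source = source.replaceAll("\\.", "/").replaceAll("/", ".");
+sink(source); // $ hasTaintFlow
+}
+{
+String source = (String) source();
+// test a not-accepted replacement character in first call
+source = source.replaceAll("\\.", "/").replaceAll("/", "-");
+sink(source); // $ hasTaintFlow
+}
+{
+String source = (String) source();
+// test a not-accepted replacement character in second call
+source = source.replaceAll("\\.", "_").replaceAll("/", ".");
+sink(source); // $ hasTaintFlow
+}
 {
 String source = (String) source();
 source = source.replaceAll("\\.", "").replaceAll("/", "").replaceAll("\\\\", "");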
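Review bot: The new negative cases only exercise `/` and `.` as rejected replacement strings; if a backslash is likewise outside the accepted set, a case such as `source = source.replaceAll("[.][.]|[/\\\\]", "\\\\");` with `// $ hasTaintFlow` would pin the Windows separator as well, and a case whose replacement argument is a variable rather than a literal would pin how a non-constant replacement is classified. The comment on the first added block, `// test a not-accepted replacement character`, could name the character it tests, as the later blocks name the call, e.g. `// test a not-accepted replacement character ("/")`. The enclosing class Test starts before the hunks and ends after them.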