Merge pull request #18214 from jcogs33/jcogs33/java/file-getname-path-sanitizer

Java: add File.getName as a path injection sanitizer
2025-12-16 16:53:25 +01:00 · 2024-12-11 10:18:02 -05:00
parent 066cfa31d2 214da9e9ad
commit 538dee81b6
3 changed files with 34 additions and 0 deletions
--- a/java/ql/lib/change-notes/2024-12-06-file-getname.md
+++ b/java/ql/lib/change-notes/2024-12-06-file-getname.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `java.io.File.getName()` as a path injection sanitizer.
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -337,3 +337,18 @@ private Method getSourceMethod(Method m) {
  not exists(Method src | m = src.getKotlinParameterDefaultsProxy()) and
  result = m
 }
+
+/**
+ * A sanitizer that protects against path injection vulnerabilities
+ * by extracting the final component of the user provided path.
+ *
+ * TODO: convert this class to models-as-data if sanitizer support is added
+ */
+private class FileGetNameSanitizer extends PathInjectionSanitizer {
+  FileGetNameSanitizer() {
+    exists(MethodCall mc |
+      mc.getMethod().hasQualifiedName("java.io", "File", "getName") and
+      this.asExpr() = mc
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
@@ -71,4 +71,19 @@ public class TaintedPath {
            fileLine = fileReader.readLine();
        }
    }
+
+    public void sendUserFileGood4(Socket sock, String user) throws IOException {
+        BufferedReader filenameReader =
+                new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
+        String filename = filenameReader.readLine();
+        File file = new File(filename);
+        String baseName = file.getName();
+        // GOOD: only use the final component of the user provided path
+        BufferedReader fileReader = new BufferedReader(new FileReader(baseName));
+        String fileLine = fileReader.readLine();
+        while (fileLine != null) {
+            sock.getOutputStream().write(fileLine.getBytes());
+            fileLine = fileReader.readLine();
+        }
+    }
 }