Merge pull request #18214 from jcogs33/jcogs33/java/file-getname-path-sanitizer

Java: add File.getName as a path injection sanitizer
2026-04-26 01:05:15 +02:00 · 2024-12-11 10:18:02 -05:00
parent 066cfa31d2 214da9e9ad
commit 538dee81b6
3 changed files with 34 additions and 0 deletions
--- a/java/ql/lib/change-notes/2024-12-06-file-getname.md
+++ b/java/ql/lib/change-notes/2024-12-06-file-getname.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `java.io.File.getName()` as a path injection sanitizer.
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -337,3 +337,18 @@ private Method getSourceMethod(Method m) {
  not exists(Method src | m = src.getKotlinParameterDefaultsProxy()) and
  result = m
 }
+
+/**
+ * A sanitizer that protects against path injection vulnerabilities
+ * by extracting the final component of the user provided path.
+ *
+ * TODO: convert this class to models-as-data if sanitizer support is added
+ */
+private class FileGetNameSanitizer extends PathInjectionSanitizer {
+  FileGetNameSanitizer() {
+    exists(MethodCall mc |
+      mc.getMethod().hasQualifiedName("java.io", "File", "getName") and
+      this.asExpr() = mc
+    )
+  }
+}