hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #18214 from jcogs33/jcogs33/java/file-getname-path-sanitizer

Browse Source 
Java: add File.getName as a path injection sanitizer
This commit is contained in:
Jami
2024-12-11 10:18:02 -05:00
committed by GitHub
parent 066cfa31d2 214da9e9ad
commit 538dee81b6
3 changed files with 34 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
java/ql/lib/change-notes/2024-12-06-file-getname.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added `java.io.File.getName()` as a path injection sanitizer.

15
java/ql/lib/semmle/code/java/security/PathSanitizer.qll
View File

@@ -337,3 +337,18 @@ private Method getSourceMethod(Method m) {
not exists(Method src | m = src.getKotlinParameterDefaultsProxy()) and not exists(Method src | m = src.getKotlinParameterDefaultsProxy()) and
result = m result = m
} }
/**
* A sanitizer that protects against path injection vulnerabilities
* by extracting the final component of the user provided path.
*
* TODO: convert this class to models-as-data if sanitizer support is added
*/
private class FileGetNameSanitizer extends PathInjectionSanitizer {
FileGetNameSanitizer() {
exists(MethodCall mc |
mc.getMethod().hasQualifiedName("java.io", "File", "getName") and
this.asExpr() = mc
)
}
}

15
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
View File

@@ -71,4 +71,19 @@ public class TaintedPath {
fileLine = fileReader.readLine(); fileLine = fileReader.readLine();
} }
} }
public void sendUserFileGood4(Socket sock, String user) throws IOException {
BufferedReader filenameReader =
new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
String filename = filenameReader.readLine();
File file = new File(filename);
String baseName = file.getName();
// GOOD: only use the final component of the user provided path
BufferedReader fileReader = new BufferedReader(new FileReader(baseName));
String fileLine = fileReader.readLine();
while (fileLine != null) {
sock.getOutputStream().write(fileLine.getBytes());
fileLine = fileReader.readLine();
}
}
} }