Merge pull request #13225 from atorralba/atorralba/java/path-injection-mad-sinks-2

Java: Migrate path injection sinks to models-as-data (simplified)

java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll

@@ -5,7 +5,6 @@ import semmle.code.java.frameworks.Networking
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
-import semmle.code.java.security.PathCreation
 import semmle.code.java.security.PathSanitizer
 
 /**
@@ -55,11 +54,7 @@ private class TaintPreservingUriCtorParam extends Parameter {
 module TaintedPathConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(PathCreation p).getAnInput()
-    or
-    sinkNode(sink, "path-injection")
-  }
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
 
   predicate isBarrier(DataFlow::Node sanitizer) {
     sanitizer.getType() instanceof BoxedType or
@@ -82,11 +77,7 @@ module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
 module TaintedPathLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
-  predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(PathCreation p).getAnInput()
-    or
-    sinkNode(sink, "path-injection")
-  }
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
 
   predicate isBarrier(DataFlow::Node sanitizer) {
     sanitizer.getType() instanceof BoxedType or

java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll

@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.PathCreation
 
 /**
  * A method that returns the name of an archive entry.
@@ -40,5 +41,28 @@ module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
  * A sink that represents a file creation, such as a file write, copy or move operation.
  */
 private class FileCreationSink extends DataFlow::Node {
-  FileCreationSink() { sinkNode(this, "path-injection") }
+  FileCreationSink() {
+    sinkNode(this, "path-injection") and
+    not isPathCreation(this)
+  }
+}
+
+/**
+ * Holds if `sink` is a path creation node that doesn't imply a read/write filesystem operation.
+ * This is to avoid creating new spurious alerts, since `PathCreation` sinks weren't
+ * previously part of this query.
+ */
+private predicate isPathCreation(DataFlow::Node sink) {
+  exists(PathCreation pc |
+    pc.getAnInput() = sink.asExpr()
+    or
+    pc.getAnInput().(Argument).isVararg() and sink.(DataFlow::ImplicitVarargsArray).getCall() = pc
+  |
+    // exclude actual read/write operations included in `PathCreation`
+    not pc.(Call)
+        .getCallee()
+        .getDeclaringType()
+        .hasQualifiedName("java.io",
+          ["FileInputStream", "FileOutputStream", "FileReader", "FileWriter"])
+  )
 }