Finish Partial Path Traversal Query

java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.ql

@@ -10,15 +10,47 @@
  *       external/cwe/cwe-023
  */
 
-import java 
-
+import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.environment.SystemProperty
 
 class MethodStringStartsWith extends Method {
-    MethodStringStartsWith() {
-        this.hasName("startsWith")
-    }
+  MethodStringStartsWith() {
+    this.getDeclaringType() instanceof TypeString and
+    this.hasName("startsWith")
+  }
 }
 
-from MethodAccess ma 
-where ma.getMethod() instanceof MethodStringStartsWith
-select ma, "Partial Path Traversal Vulnerability due to insufficient guard against path traversal"
+class MethodFileGetCanonicalPath extends Method {
+  MethodFileGetCanonicalPath() {
+    this.getDeclaringType() instanceof TypeFile and
+    this.hasName("getCanonicalPath")
+  }
+}
+
+class MethodAccessFileGetCanonicalPath extends MethodAccess {
+  MethodAccessFileGetCanonicalPath() { this.getMethod() instanceof MethodFileGetCanonicalPath }
+}
+
+abstract class FileSeparatorExpr extends Expr { }
+
+class SystemPropFileSeparatorExpr extends FileSeparatorExpr {
+  SystemPropFileSeparatorExpr() { this = getSystemProperty("file.separator") }
+}
+
+class StringLiteralFileSeparatorExpr extends FileSeparatorExpr, StringLiteral {
+  StringLiteralFileSeparatorExpr() { this.getValue() = "/" }
+}
+
+class FileSeparatorAppend extends AddExpr {
+  FileSeparatorAppend() { this.getRightOperand() instanceof FileSeparatorExpr }
+}
+
+predicate isSafe(Expr expr) { DataFlow::localExprFlow(any(FileSeparatorAppend fsa), expr) }
+
+from MethodAccess ma
+where
+  ma.getMethod() instanceof MethodStringStartsWith and
+  DataFlow::localExprFlow(any(MethodAccessFileGetCanonicalPath gcpma), ma.getQualifier()) and
+  not isSafe(ma.getArgument(0))
+select ma, "Partial Path Traversal Vulnerability due to insufficient guard against path traversal"