Java: Improve QHelp for java/path-injection to mention less disruptive fixes.

2025-12-18 01:33:15 +01:00 · 2023-11-13 14:49:54 +00:00
parent 104700f6d3
commit a46a7fadb2
6 changed files with 93 additions and 27 deletions
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPath.java
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPath.java
@@ -2,23 +2,11 @@ public void sendUserFile(Socket sock, String user) {
 	BufferedReader filenameReader = new BufferedReader(
 			new InputStreamReader(sock.getInputStream(), "UTF-8"));
 	String filename = filenameReader.readLine();
-	// BAD: read from a file using a path controlled by the user
-	BufferedReader fileReader = new BufferedReader(
-			new FileReader("/home/" + user + "/" + filename));
+	// BAD: read from a file without checking its path
+	BufferedReader fileReader = new BufferedReader(new FileReader(filename));
 	String fileLine = fileReader.readLine();
 	while(fileLine != null) {
 		sock.getOutputStream().write(fileLine.getBytes());
 		fileLine = fileReader.readLine();
 	}
 }
-
-public void sendUserFileFixed(Socket sock, String user) {
-	// ...
-	
-	// GOOD: remove all dots and directory delimiters from the filename before using
-	String filename = filenameReader.readLine().replaceAll("\\.", "").replaceAll("/", "");
-	BufferedReader fileReader = new BufferedReader(
-			new FileReader("/home/" + user + "/" + filename));
-
-	// ...
-}
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPath.qhelp
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPath.qhelp
@@ -13,27 +13,36 @@ such as "..". Such a path may potentially point to any directory on the file sys
 </overview>
 <recommendation>

-<p>Validate user input before using it to construct a file path. Ideally, follow these rules:</p>
+<p>Validate user input before using it to construct a file path.</p>

-<ul>
-<li>Do not allow more than a single "." character.</li>
-<li>Do not allow directory separators such as "/" or "\" (depending on the file system).</li>
-<li>Do not rely on simply replacing problematic sequences such as "../". For example, after applying this filter to
-".../...//" the resulting string would still be "../".</li>
-<li>Ideally use a whitelist of known good patterns.</li>
-</ul>
+<p>The choice of validation depends on the use case.</p>
+
+<p>If you want to allow paths spanning multiple folders, a common strategy is to make sure that the constructed
+file path is contained within a safe root folder, for example by checking that the path starts with the root folder.
+Additionally, you need to ensure that the path does not contain any ".." components, since these would allow
+the path to escape the root folder.</p>
+
+<p>A safer (but more restrictive) option is to use an allow list of safe paths and make sure that
+the user input is one of those paths.</p>

 </recommendation>
 <example>

-<p>In this example, a file name is read from a <code>java.net.Socket</code> and then used to access a file in the
-user's home directory and send it back over the socket. However, a malicious user could enter a file name which contains special 
-characters. For example, the string "../../etc/passwd" will result in the code reading the file located at 
-"/home/[user]/../../etc/passwd", which is the system's password file. This file would then be sent back to the user, 
-giving them access to all the system's passwords.</p>
+<p>In this example, a file name is read from a <code>java.net.Socket</code> and then used to access a file
+and send it back over the socket. However, a malicious user could enter a file name anywhere on the file system,
+such as "/etc/passwd".</p>

 <sample src="TaintedPath.java" />

+<p>Simply checking that the path is under a trusted location (such as the user's home directory) is not enough,
+however, since the path could contain relative components such as "..". For example, the string
+"/home/[user]/../../etc/passwd" starts with the user's home directory, but would still result in the code reading
+the file located at "/etc/passwd".</p>
+
+<p>To fix this, we check that the user-provided path does not contain ".." and starts with the user's home directory.</p>
+
+<sample src="TaintedPathGood.java" />
+
 </example>
 <references>

--- a/java/ql/src/Security/CWE/CWE-022/TaintedPathGood.java
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPathGood.java
@@ -0,0 +1,14 @@
+public void sendUserFileGood(Socket sock, String user) {
+	BufferedReader filenameReader = new BufferedReader(
+			new InputStreamReader(sock.getInputStream(), "UTF-8"));
+	String filename = filenameReader.readLine();
+	// GOOD: ensure that the file is in a designated folder in the user's home directory
+	if (!filePath.contains("..") && filePath.startsWith("/home/" + user + "/public/")) {
+		BufferedReader fileReader = new BufferedReader(new FileReader(filePath));
+		String fileLine = fileReader.readLine();
+		while(fileLine != null) {
+			sock.getOutputStream().write(fileLine.getBytes());
+			fileLine = fileReader.readLine();
+		}
+	}	
+}