Java: update create/read-file sink kinds to path-injection

2026-03-06 23:56:48 +01:00 · 2023-05-30 13:06:37 -04:00
parent eb1a8e2189
commit cb10f4976b
32 changed files with 243 additions and 245 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -277,7 +277,7 @@ module ModelValidation {
          "open-url", "jndi-injection", "ldap-injection", "sql-injection", "jdbc-url",
          "log-injection", "mvel-injection", "xpath-injection", "groovy-injection",
          "html-injection", "js-injection", "ognl-injection", "intent-redirection",
-          "pending-intents", "url-redirection", "create-file", "read-file", "file-content-store",
+          "pending-intents", "url-redirection", "path-injection", "file-content-store",
          "hostname-verification", "response-splitting", "information-leak", "xslt-injection",
          "jexl-injection", "bean-validation", "template-injection", "fragment-injection",
          "command-injection"
--- a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll
@@ -20,7 +20,7 @@ private class AndroidFilesystemCleartextStorageSink extends CleartextStorageSink
 /** A call to a method or constructor that may write to files to the local filesystem. */
 class LocalFileOpenCall extends Storable {
  LocalFileOpenCall() {
-    this = any(DataFlow::Node sink | sinkNode(sink, "create-file")).asExpr().(Argument).getCall()
+    this = any(DataFlow::Node sink | sinkNode(sink, "path-injection")).asExpr().(Argument).getCall()
  }

  override Expr getAnInput() {
--- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
@@ -58,7 +58,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(PathCreation p).getAnInput()
    or
-    sinkNode(sink, ["create-file", "read-file"])
+    sinkNode(sink, "path-injection")
  }

  predicate isBarrier(DataFlow::Node sanitizer) {
@@ -85,7 +85,7 @@ module TaintedPathLocalConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(PathCreation p).getAnInput()
    or
-    sinkNode(sink, "create-file")
+    sinkNode(sink, "path-injection")
  }

  predicate isBarrier(DataFlow::Node sanitizer) {
--- a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
@@ -40,5 +40,5 @@ module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
 * A sink that represents a file creation, such as a file write, copy or move operation.
 */
 private class FileCreationSink extends DataFlow::Node {
-  FileCreationSink() { sinkNode(this, "create-file") }
+  FileCreationSink() { sinkNode(this, "path-injection") }
 }