Fixed an issue related to normalized path

luchua-bc
2022-02-09 23:19:40 +00:00
parent 4609227e76
commit ce03aeb4d9
4 changed files with 30 additions and 9 deletions


@@ -24,7 +24,8 @@ class InjectFilePathConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(PathCreation p).getAnInput()
sink.asExpr() = any(PathCreation p).getAnInput() and
not sink instanceof SanitizedNode
}
override predicate isSanitizer(DataFlow::Node node) {
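Review bot: The new `not sink instanceof SanitizedNode` conjunct in `isSink` carries no comment explaining why normalization is handled by excluding sinks rather than through `isSanitizer`, which begins on the last line of this hunk and whose body is not visible here. A maintainer will expect the sanitization logic in one place, so I would add a line above the conjunct such as `// Normalized paths are excluded at the sink, not in isSanitizer, because the flow must still reach the normalize() call.` If that is not the actual reason, the comment should state the real one.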


@@ -173,3 +173,25 @@ private class UrlDecodeSanitizer extends MethodAccess {
this.getMethod().hasName("decode")
}
}
/** A sanitized node that is protected against path traversal vulnerabilities. */
abstract class SanitizedNode extends DataFlow::Node { }
class NodeWithPathNormalizer extends SanitizedNode {
NodeWithPathNormalizer() {
exists(MethodAccess ma |
DataFlow::localExprFlow(this.asExpr(), ma) and ma instanceof PathNormalizeSanitizer
)
}
}
/** Data model related to `java.nio.file.Path`. */
private class PathDataModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;value",
"java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;value"
]
}
}
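Review bot: `NodeWithPathNormalizer` treats a node as sanitized whenever its value reaches a `PathNormalizeSanitizer` call through `DataFlow::localExprFlow`, which looks broader than "this path was validated". The characteristic predicate does not require that the normalized result is the value actually used at the file operation, nor that it is compared against a base directory afterwards. Code that normalizes one use and opens the original, or normalizes without a containment check, would presumably drop out of the results as a false negative. `PathNormalizeSanitizer` is defined outside this hunk, so its exact coverage cannot be confirmed from here. At minimum the class needs QLDoc stating the assumption, e.g. `/** A node whose value flows locally to a path-normalizing call; assumes the normalized result is subsequently checked against an allowed base. */`, and a test case that normalizes without a prefix check would pin the intended behaviour.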


@@ -1,6 +1,5 @@
edges
| FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath |
| FilePathInjection.java:41:21:41:34 | getPara(...) : String | FilePathInjection.java:44:25:44:37 | finalFilePath |
| FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:65:31:65:38 | savePath : String |
| FilePathInjection.java:65:3:65:39 | this <.method> [post update] [com.jfinal.core.Controller.session, <map.value>] : String | FilePathInjection.java:66:29:66:55 | this <.method> [com.jfinal.core.Controller.session, <map.value>] : String |
| FilePathInjection.java:65:31:65:38 | savePath : String | FilePathInjection.java:65:3:65:39 | this <.method> [post update] [com.jfinal.core.Controller.session, <map.value>] : String |
@@ -11,12 +10,10 @@ edges
| FilePathInjection.java:88:24:88:31 | savePath : String | FilePathInjection.java:88:3:88:32 | this <.method> [post update] [com.jfinal.core.Controller.request, <map.value>] : String |
| FilePathInjection.java:89:29:89:48 | getAttr(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath |
| FilePathInjection.java:89:29:89:48 | this <.method> [com.jfinal.core.Controller.request, <map.value>] : String | FilePathInjection.java:89:29:89:48 | getAttr(...) : String |
| FilePathInjection.java:158:17:158:44 | getParameter(...) : String | FilePathInjection.java:162:24:162:31 | filePath |
| FilePathInjection.java:159:17:159:44 | getParameter(...) : String | FilePathInjection.java:163:24:163:31 | filePath |
nodes
| FilePathInjection.java:21:21:21:34 | getPara(...) : String | semmle.label | getPara(...) : String |
| FilePathInjection.java:26:47:26:59 | finalFilePath | semmle.label | finalFilePath |
| FilePathInjection.java:41:21:41:34 | getPara(...) : String | semmle.label | getPara(...) : String |
| FilePathInjection.java:44:25:44:37 | finalFilePath | semmle.label | finalFilePath |
| FilePathInjection.java:64:21:64:34 | getPara(...) : String | semmle.label | getPara(...) : String |
| FilePathInjection.java:65:3:65:39 | this <.method> [post update] [com.jfinal.core.Controller.session, <map.value>] : String | semmle.label | this <.method> [post update] [com.jfinal.core.Controller.session, <map.value>] : String |
| FilePathInjection.java:65:31:65:38 | savePath : String | semmle.label | savePath : String |
@@ -29,12 +26,11 @@ nodes
| FilePathInjection.java:89:29:89:48 | getAttr(...) : String | semmle.label | getAttr(...) : String |
| FilePathInjection.java:89:29:89:48 | this <.method> [com.jfinal.core.Controller.request, <map.value>] : String | semmle.label | this <.method> [com.jfinal.core.Controller.request, <map.value>] : String |
| FilePathInjection.java:95:47:95:59 | finalFilePath | semmle.label | finalFilePath |
| FilePathInjection.java:158:17:158:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FilePathInjection.java:162:24:162:31 | filePath | semmle.label | filePath |
| FilePathInjection.java:159:17:159:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FilePathInjection.java:163:24:163:31 | filePath | semmle.label | filePath |
subpaths
#select
| FilePathInjection.java:26:47:26:59 | finalFilePath | FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:21:21:21:34 | getPara(...) | user-provided value |
| FilePathInjection.java:44:25:44:37 | finalFilePath | FilePathInjection.java:41:21:41:34 | getPara(...) : String | FilePathInjection.java:44:25:44:37 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:41:21:41:34 | getPara(...) | user-provided value |
| FilePathInjection.java:72:47:72:59 | finalFilePath | FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:64:21:64:34 | getPara(...) | user-provided value |
| FilePathInjection.java:95:47:95:59 | finalFilePath | FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:87:21:87:34 | getPara(...) | user-provided value |
| FilePathInjection.java:162:24:162:31 | filePath | FilePathInjection.java:158:17:158:44 | getParameter(...) : String | FilePathInjection.java:162:24:162:31 | filePath | External control of file name or path due to $@. | FilePathInjection.java:158:17:158:44 | getParameter(...) | user-provided value |
| FilePathInjection.java:163:24:163:31 | filePath | FilePathInjection.java:159:17:159:44 | getParameter(...) : String | FilePathInjection.java:163:24:163:31 | filePath | External control of file name or path due to $@. | FilePathInjection.java:159:17:159:44 | getParameter(...) | user-provided value |


@@ -153,6 +153,7 @@ public class FilePathInjection extends Controller {
}
}
// BAD: Download file to user specified path without validation
public void downloadFile() throws FileNotFoundException, IOException {
HttpServletRequest request = getRequest();
String path = request.getParameter("path");
@@ -173,6 +174,7 @@ public class FilePathInjection extends Controller {
}
}
// GOOD: Download file with path validation
public void downloadFile2() throws FileNotFoundException, IOException {
HttpServletRequest request = getRequest();
String path = request.getParameter("path");