hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-21 15:05:56 +02:00
Code Issues Packages Projects Releases Wiki Activity

add new s3 and spring IO path injection sinks

Browse Source
This commit is contained in:
am0o0
2024-06-08 01:04:20 +02:00
parent 5fa1b57aaa
commit ceea475c45
7 changed files with 405 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
java/ql/lib/ext/experimental/s3-transfer-manager.model.yml Normal file
View File

@@ -0,0 +1,13 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: experimentalSinkModel
data:
- ["software.amazon.awssdk.transfer.s3.model","ResumableFileUpload",true,"serializeToFile","(Path)","","Argument[0]","path-injection","manual"]
- ["software.amazon.awssdk.transfer.s3.model","DownloadFileRequest$Builder",true,"destination","(Path)","","Argument[0]","path-injection","manual"]
- ["software.amazon.awssdk.transfer.s3.model","UploadFileRequest$Builder",true,"source","(Path)","","Argument[0]","path-injection","manual"]
- ["software.amazon.awssdk.transfer.s3.model","DownloadDirectoryRequest$Builder",true,"destination","(Path)","","Argument[0]","path-injection","manual"]
- ["software.amazon.awssdk.transfer.s3.model","ResumableFileDownload",true,"fromFile","(Path)","","Argument[0]","path-injection","manual"]
- ["software.amazon.awssdk.transfer.s3.model","ResumableFileDownload",true,"serializeToFile","(Path)","","Argument[0]","path-injection","manual"]
- ["software.amazon.awssdk.transfer.s3.model","ResumableFileUpload",true,"fromFile","(Path)","","Argument[0]","path-injection","manual"]
- ["software.amazon.awssdk.transfer.s3.model","UploadDirectoryRequest$Builder",true,"source","(Path)","","Argument[0]","code-injection","manual"]

27
java/ql/lib/ext/experimental/spring-core.model.yml Normal file
View File

@@ -0,0 +1,27 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: experimentalSinkModel
data:
- ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(FileSystem,String)","","Argument[1]","path-injection","manual"]
- ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(File)","","Argument[0]","path-injection","manual"]
- ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(Path)","","Argument[0]","path-injection","manual"]
- ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(String)","","Argument[0]","path-injection","manual"]
- ["org.springframework.core.io","FileUrlResource",true,"FileUrlResource","(String)","","Argument[0]","path-injection","manual"]
- ["org.springframework.core.io","FileUrlResource",true,"FileUrlResource","(URL)","","Argument[0]","path-injection","manual"]
- ["org.springframework.core.io","PathResource",true,"PathResource","(Path)","","Argument[0]","path-injection","manual"]
- ["org.springframework.core.io","PathResource",true,"PathResource","(String)","","Argument[0]","path-injection","manual"]
- ["org.springframework.core.io","PathResource",true,"PathResource","(URI)","","Argument[0]","path-injection","manual"]
- ["org.springframework.core.io","UrlResource",true,"UrlResource","(String,String,String)","","Argument[1]","path-injection","manual"]
- ["org.springframework.core.io","UrlResource",true,"UrlResource","(String,String)","","Argument[1]","path-injection","manual"]
- ["org.springframework.core.io","UrlResource",true,"UrlResource","(String)","","Argument[0]","path-injection","manual"]
- ["org.springframework.core.io","UrlResource",true,"UrlResource","(URI)","","Argument[0]","path-injection","manual"]
- ["org.springframework.core.io","UrlResource",true,"UrlResource","(URL)","","Argument[0]","path-injection","manual"]
- ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(Path,Path)","","Argument[0]","path-injection","manual"]
- ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(Path,Path)","","Argument[1]","path-injection","manual"]
- ["org.springframework.util","FileSystemUtils",true,"deleteRecursively","(File)","","Argument[0]","path-injection","manual"]
- ["org.springframework.util","FileSystemUtils",true,"deleteRecursively","(Path)","","Argument[0]","path-injection","manual"]
- ["org.springframework.util","ResourceUtils",true,"getFile","(String)","","Argument[0]","path-injection","manual"]
- ["org.springframework.util","FileCopyUtils",true,"copyToByteArray","(File)","","Argument[0]","path-injection","manual"]
- ["org.springframework.util","FileCopyUtils",true,"copyToString","(Reader)","","Argument[0]","path-injection","manual"]
- ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(File,File)","","Argument[0]","path-injection","manual"]

110
java/ql/test/query-tests/security/CWE-022/semmle/tests/NewPathInjection/PathInjection/pom.xml Normal file
View File

@@ -0,0 +1,110 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.PathInjection</groupId>
<artifactId>PathInjection</artifactId>
<packaging>war</packaging>
<version>1.0-SNAPSHOT</version>
<name>PathInjection Maven Webapp</name>
<url>https://maven.apache.org</url>
<properties>
<aws.sdk.version>2.19.1</aws.sdk.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>bom</artifactId>
<version>${aws.sdk.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>4.0.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>6.1.4</version>
<scope>import</scope>
<type>pom</type>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework/spring-core -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>6.1.4</version>
</dependency>
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>s3-transfer-manager</artifactId>
</dependency>
<dependency>
<groupId>software.amazon.awssdk.crt</groupId>
<artifactId>aws-crt</artifactId>
<version>0.20.3</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.12.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/net.lingala.zip4j/zip4j -->
<dependency>
<groupId>net.lingala.zip4j</groupId>
<artifactId>zip4j</artifactId>
<version>2.11.5</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.github.luben/zstd-jni -->
<dependency>
<groupId>com.github.luben</groupId>
<artifactId>zstd-jni</artifactId>
<version>1.5.5-1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.tukaani/xz -->
<dependency>
<groupId>org.tukaani</groupId>
<artifactId>xz</artifactId>
<version>1.9</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.lz4/lz4-java -->
<dependency>
<groupId>org.lz4</groupId>
<artifactId>lz4-java</artifactId>
<version>1.8.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java -->
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>1.1.10.5</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-compress -->
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.26.0</version>
</dependency>
</dependencies>
<build>
<finalName>PathInjection</finalName>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>11</source>
<target>11</target>
</configuration>
</plugin>
</plugins>
</build>
</project>

38
java/ql/test/query-tests/security/CWE-022/semmle/tests/NewPathInjection/PathInjection/src/main/java/com/PathInjection/CommonsIOPathInjection.java Normal file
View File

@@ -0,0 +1,38 @@
package com.PathInjection;
import java.io.*;
import java.nio.channels.AsynchronousFileChannel;
import java.nio.file.*;
import java.nio.file.attribute.FileAttribute;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
class fileAttr implements FileAttribute<String> {
public String name() {
return "file";
}
public String value() {
return "value";
}
}
public class CommonsIOPathInjection {
public void PathInjection(Path src, File srcF) throws IOException {
AsynchronousFileChannel.open(src); // $ PathInjection
AsynchronousFileChannel.open(src, LinkOption.NOFOLLOW_LINKS); // $ PathInjection
AsynchronousFileChannel.open(
src, LinkOption.NOFOLLOW_LINKS, LinkOption.NOFOLLOW_LINKS); // $ PathInjection
ExecutorService executor = Executors.newFixedThreadPool(10);
AsynchronousFileChannel.open(
src, Set.of(LinkOption.NOFOLLOW_LINKS), executor); // $ PathInjection
AsynchronousFileChannel.open(
src, // $ PathInjection
Set.of(LinkOption.NOFOLLOW_LINKS),
executor,
new fileAttr());
FileSystems.getFileSystem(srcF.toURI()); // $ PathInjection
}
}

45
java/ql/test/query-tests/security/CWE-022/semmle/tests/NewPathInjection/PathInjection/src/main/java/com/PathInjection/HelloServlet.java Executable file
View File

@@ -0,0 +1,45 @@
package com.PathInjection;
import java.io.*;
import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.file.Path;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.lingala.zip4j.ZipFile;
@WebServlet(
name = "helloServlet",
urlPatterns = {"/hello"})
@MultipartConfig()
public class HelloServlet extends HttpServlet {
public void init() {}
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
String path = request.getParameter("path");
Path src = Path.of(path);
File srcF = new File(path);
new CommonsIOPathInjection().PathInjection(src, srcF);
new SpringIoPathInjection().PathInjection(path);
S3PathInjection s3PathInjection = new S3PathInjection();
s3PathInjection.downloadFileResumable(src.toUri());
s3PathInjection.downloadFile(path);
s3PathInjection.downloadObjectsToDirectory(src.toUri());
s3PathInjection.uploadFileResumable(src.toUri());
s3PathInjection.uploadDirectory(src.toUri());
s3PathInjection.uploadFile(src.toUri());
ZipFile zipfile = new ZipFile(path);
zipfile.extractAll(path);
new java.util.zip.ZipFile(path);
PrintWriter out = response.getWriter();
response.setContentType("text/html");
out.println("<html><body>end</body></html>");
}
}

122
java/ql/test/query-tests/security/CWE-022/semmle/tests/NewPathInjection/PathInjection/src/main/java/com/PathInjection/S3PathInjection.java Normal file
View File

@@ -0,0 +1,122 @@
package com.PathInjection;
import software.amazon.awssdk.transfer.s3.S3TransferManager;
import software.amazon.awssdk.transfer.s3.model.*;
import software.amazon.awssdk.transfer.s3.progress.LoggingTransferListener;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Paths;
public class S3PathInjection {
S3TransferManager transferManager = S3TransferManager.create();
String bucketName = "bucketTest";
String key = "keyTest";
public String uploadFile(URI filePathURI) {
UploadFileRequest uploadFileRequest =
UploadFileRequest.builder()
.putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
.addTransferListener(LoggingTransferListener.create())
.source(Paths.get(filePathURI)) // $ PathInjection
.build();
FileUpload fileUpload = this.transferManager.uploadFile(uploadFileRequest);
CompletedFileUpload uploadResult = fileUpload.completionFuture().join();
return uploadResult.response().eTag();
}
public String uploadFileResumable(URI filePathURI) {
UploadFileRequest uploadFileRequest =
UploadFileRequest.builder()
.putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
.addTransferListener(LoggingTransferListener.create())
.source(Paths.get(filePathURI)) // $ PathInjection
.build();
// Initiate the transfer
FileUpload upload = this.transferManager.uploadFile(uploadFileRequest);
// Pause the upload
ResumableFileUpload resumableFileUpload = upload.pause();
// Optionally, persist the resumableFileUpload
resumableFileUpload.serializeToFile(Paths.get(filePathURI)); // $ PathInjection
// Retrieve the resumableFileUpload from the file
ResumableFileUpload persistedResumableFileUpload =
ResumableFileUpload.fromFile(Paths.get(filePathURI)); // $ PathInjection
// Resume the upload
FileUpload resumedUpload = this.transferManager.resumeUploadFile(persistedResumableFileUpload);
// Wait for the transfer to complete
resumedUpload.completionFuture().join();
FileUpload fileUpload = this.transferManager.uploadFile(uploadFileRequest);
CompletedFileUpload uploadResult = fileUpload.completionFuture().join();
return uploadResult.response().eTag();
}
public String downloadFileResumable(URI downloadedFileWithPath) {
DownloadFileRequest downloadFileRequest =
DownloadFileRequest.builder()
.getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
.addTransferListener(LoggingTransferListener.create())
.destination(Paths.get(downloadedFileWithPath)) // $ PathInjection
.build();
// Initiate the transfer
FileDownload download = this.transferManager.downloadFile(downloadFileRequest);
// Pause the download
ResumableFileDownload resumableFileDownload = download.pause();
// Optionally, persist the resumableFileDownload
resumableFileDownload.serializeToFile(Paths.get(downloadedFileWithPath)); // $ PathInjection
// Retrieve the resumableFileDownload from the file
ResumableFileDownload persistedResumableFileDownload =
ResumableFileDownload.fromFile(Paths.get(downloadedFileWithPath)); // $ PathInjection
// Resume the download
FileDownload resumedDownload =
this.transferManager.resumeDownloadFile(persistedResumableFileDownload);
// Wait for the transfer to complete
resumedDownload.completionFuture().join();
FileDownload filedownload = this.transferManager.downloadFile(downloadFileRequest);
CompletedFileDownload downloadResult = filedownload.completionFuture().join();
return downloadResult.response().eTag();
}
public Integer uploadDirectory(URI sourceDirectory) {
DirectoryUpload directoryUpload =
this.transferManager.uploadDirectory(
UploadDirectoryRequest.builder()
.source(Paths.get(sourceDirectory)) // $ PathInjection
.bucket(this.bucketName)
.build());
CompletedDirectoryUpload completedDirectoryUpload = directoryUpload.completionFuture().join();
return completedDirectoryUpload.failedTransfers().size();
}
public Long downloadFile(String downloadedFileWithPath) {
DownloadFileRequest downloadFileRequest =
DownloadFileRequest.builder()
.getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
.addTransferListener(LoggingTransferListener.create())
.destination(Paths.get(downloadedFileWithPath)) // $ PathInjection
.build();
FileDownload downloadFile = this.transferManager.downloadFile(downloadFileRequest);
CompletedFileDownload downloadResult = downloadFile.completionFuture().join();
return downloadResult.response().contentLength();
}
public Integer downloadObjectsToDirectory(URI destinationPathURI) {
DirectoryDownload directoryDownload =
this.transferManager.downloadDirectory(
DownloadDirectoryRequest.builder()
.destination(Paths.get(destinationPathURI)) // $ PathInjection
.bucket(this.bucketName)
.build());
CompletedDirectoryDownload completedDirectoryDownload =
directoryDownload.completionFuture().join();
return completedDirectoryDownload.failedTransfers().size();
}
}

50
java/ql/test/query-tests/security/CWE-022/semmle/tests/NewPathInjection/PathInjection/src/main/java/com/PathInjection/SpringIoPathInjection.java Executable file
View File

@@ -0,0 +1,50 @@
package com.PathInjection;
import java.io.*;
import java.io.IOException;
import java.net.URI;
import java.nio.file.FileSystems;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.springframework.core.io.*;
import org.springframework.util.FileCopyUtils;
import org.springframework.util.FileSystemUtils;
import org.springframework.util.ResourceUtils;
public class SpringIoPathInjection {
public void PathInjection(String path) throws IOException {
Path fileStorageLocation = Paths.get(path).toAbsolutePath().normalize();
Path filePath = fileStorageLocation.resolve(path).normalize();
File pathFile = new File(path);
new UrlResource(filePath.toUri()); // $ PathInjection
new UrlResource(filePath.toUri().toURL()); // $ PathInjection
new UrlResource("file", path); // $ PathInjection
new UrlResource("file", path, "#"); // $ PathInjection
new UrlResource(path); // $ PathInjection
new PathResource(path); // $ PathInjection
new PathResource(filePath); // $ PathInjection
new PathResource(filePath.toUri()); // $ PathInjection
new FileUrlResource(filePath.toUri().toURL()); // $ PathInjection
new FileUrlResource(path); // $ PathInjection
new FileSystemResource(pathFile); // $ PathInjection
new FileSystemResource(path); // $ PathInjection
new FileSystemResource(filePath); // $ PathInjection
new FileSystemResource(
FileSystems.getFileSystem(URI.create("file:///")), path); // $ PathInjection
ResourceUtils.getFile(path); // summaryModel
ResourceUtils.getFile(path); // summaryModel
FileSystemUtils.copyRecursively(filePath, filePath.resolve("/newPath")); // $ PathInjection
FileSystemUtils.copyRecursively(pathFile, pathFile); // $ PathInjection
FileSystemUtils.deleteRecursively(pathFile); // $ PathInjection
FileSystemUtils.deleteRecursively(filePath); // $ PathInjection
FileCopyUtils.copy(pathFile, pathFile); // $ PathInjection
FileCopyUtils.copyToByteArray(pathFile); // $ PathInjection
FileCopyUtils.copyToString(new FileReader("fa"));
}
}