add new s3 and spring IO path injection sinks

2026-04-28 02:05:14 +02:00 · 2024-06-08 01:04:20 +02:00
parent 5fa1b57aaa
commit ceea475c45
7 changed files with 405 additions and 0 deletions
--- a/java/ql/lib/ext/experimental/s3-transfer-manager.model.yml
+++ b/java/ql/lib/ext/experimental/s3-transfer-manager.model.yml
@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: experimentalSinkModel
+    data:
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileUpload",true,"serializeToFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","DownloadFileRequest$Builder",true,"destination","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","UploadFileRequest$Builder",true,"source","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","DownloadDirectoryRequest$Builder",true,"destination","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileDownload",true,"fromFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileDownload",true,"serializeToFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileUpload",true,"fromFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","UploadDirectoryRequest$Builder",true,"source","(Path)","","Argument[0]","code-injection","manual"]
--- a/java/ql/lib/ext/experimental/spring-core.model.yml
+++ b/java/ql/lib/ext/experimental/spring-core.model.yml
@@ -0,0 +1,27 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: experimentalSinkModel
+    data:
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(FileSystem,String)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(File)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileUrlResource",true,"FileUrlResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileUrlResource",true,"FileUrlResource","(URL)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","PathResource",true,"PathResource","(Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","PathResource",true,"PathResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","PathResource",true,"PathResource","(URI)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(String,String,String)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(String,String)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(URI)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(URL)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(Path,Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(Path,Path)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"deleteRecursively","(File)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"deleteRecursively","(Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","ResourceUtils",true,"getFile","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileCopyUtils",true,"copyToByteArray","(File)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileCopyUtils",true,"copyToString","(Reader)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(File,File)","","Argument[0]","path-injection","manual"]