Merge pull request #10393 from zbazztian/uri-constructor-flow

Java: Model taint flow for java.net.URI constructors in tainted path queries
2026-04-26 17:25:19 +02:00 · 2022-09-16 15:10:40 +02:00
parent e6d4e87458 8c35803749
commit e140f04881
6 changed files with 83 additions and 1 deletions
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
@@ -9,6 +9,11 @@ edges
 | Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String |
 | Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... |
 | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:33 | new URI(...) |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:12:98:33 | new URI(...) |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) |
 nodes
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
@@ -23,6 +28,12 @@ nodes
 | Test.java:82:67:82:81 | ... + ... | semmle.label | ... + ... |
 | Test.java:88:17:88:37 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:90:26:90:29 | temp | semmle.label | temp |
+| Test.java:95:14:95:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
+| Test.java:97:12:97:33 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:98:12:98:33 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:99:12:99:33 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:100:12:100:45 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:101:12:101:54 | new URI(...) | semmle.label | new URI(...) |
 subpaths
 #select
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
@@ -31,3 +42,8 @@ subpaths
 | Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:82:52:82:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |
 | Test.java:90:26:90:29 | temp | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp | $@ flows to here and is used in a path. | Test.java:88:17:88:37 | getHostName(...) | User-provided value |
+| Test.java:97:3:97:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
+| Test.java:98:3:98:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:12:98:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
+| Test.java:99:3:99:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
+| Test.java:100:3:100:46 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
+| Test.java:101:3:101:55 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
@@ -6,7 +6,7 @@ import javax.servlet.http.*;
 import javax.servlet.ServletException;

 import java.io.*;
-import java.net.InetAddress;
+import java.net.*;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.FileSystems;
@@ -89,4 +89,15 @@ class Test {
 		// BAD: open a file based on user input, using a MaD-documented API
 		new LockableFileWriter(temp);
 	}
+
+	void doGet5(InetAddress address)
+	throws URISyntaxException {
+		String t = address.getHostName();
+		// BAD: construct a file path with user input
+		new File(new URI(null, t, null));
+		new File(new URI(t, t, null, t));
+		new File(new URI(t, null, t, t));
+		new File(new URI(null, null, t, null, null));
+		new File(new URI(null, null, null, 0, t, null, null));
+	}
 }