Convert path injection barrier to MaD

2025-12-16 00:33:11 +01:00 · 2025-12-09 12:55:04 +00:00
parent f6e40bd49d
commit f6e3c77145
2 changed files with 8 additions and 13 deletions
--- a/java/ql/lib/ext/java.io.model.yml
+++ b/java/ql/lib/ext/java.io.model.yml
@@ -162,3 +162,8 @@ extensions:
      extensible: sourceModel
    data:
      - ["java.io", "FileInputStream", True, "FileInputStream", "", "", "Argument[this]", "file", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: barrierModel
+    data:
+      - ["java.io", "File", True, "getName", "()", "", "ReturnValue", "path-injection", "manual"]
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -4,6 +4,7 @@ module;

 import java
 private import semmle.code.java.controlflow.Guards
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.SSA
 private import semmle.code.java.frameworks.kotlin.IO
@@ -288,19 +289,8 @@ private Method getSourceMethod(Method m) {
  result = m
 }

-/**
- * A sanitizer that protects against path injection vulnerabilities
- * by extracting the final component of the user provided path.
- *
- * TODO: convert this class to models-as-data if sanitizer support is added
- */
-private class FileGetNameSanitizer extends PathInjectionSanitizer {
-  FileGetNameSanitizer() {
-    exists(MethodCall mc |
-      mc.getMethod().hasQualifiedName("java.io", "File", "getName") and
-      this.asExpr() = mc
-    )
-  }
+private class DefaultPathInjectionSanitizer extends PathInjectionSanitizer {
+  DefaultPathInjectionSanitizer() { barrierNode(this, "path-injection") }
 }

 /** Holds if `g` is a guard that checks for `..` components. */