hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.7.5
codeql/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
Anders Schack-Mulligen c5193cf03f Apply suggestions from code review
2021-04-19 13:14:56 +02:00

86 lines
2.2 KiB
Java
Raw Permalink Blame History

// Semmle test case for CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
// http://cwe.mitre.org/data/definitions/22.html
package test.cwe22.semmle.tests;
import javax.servlet.http.*;
import javax.servlet.ServletException;
import java.io.*;
import java.net.InetAddress;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.FileSystems;
class Test {
void doGet1(InetAddress address)
throws IOException {
String temp = address.getHostName();
File file;
Path path;
// BAD: construct a file path with user input
file = new File(temp);
// BAD: construct a path with user input
path = Paths.get(temp);
// BAD: construct a path with user input
path = FileSystems.getDefault().getPath(temp);
// BAD: insufficient check
if (temp.startsWith("/some_safe_dir/")) {
file = new File(temp);
}
}
void doGet2(InetAddress address)
throws IOException {
String temp = address.getHostName();
File file;
// GOOD: check string is safe
if(isSafe(temp))
file = new File(temp);
}
void doGet3(InetAddress address)
throws IOException {
String temp = address.getHostName();
File file;
// FALSE NEGATIVE: inadequate check - fails to account
// for '.'s
if(isSortOfSafe(temp))
file = new File(temp);
}
boolean isSafe(String pathSpec) {
// no file separators
if (pathSpec.contains(File.separator))
return false;
// at most one dot
int indexOfDot = pathSpec.indexOf('.');
if (indexOfDot != -1 && pathSpec.indexOf('.', indexOfDot + 1) != -1)
return false;
return true;
}
boolean isSortOfSafe(String pathSpec) {
// no file separators
if (pathSpec.contains(File.separator))
return false;
return true;
}
public class MyServlet extends HttpServlet {
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
String filename = br.readLine();
// BAD: construct a file path with user input
BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true));
}
}
}
Reference in New Issue View Git Blame Copy Permalink