mirror of
https://github.com/github/codeql.git
synced 2026-02-28 12:53:49 +01:00
105 lines
2.8 KiB
Java
105 lines
2.8 KiB
Java
// Semmle test case for CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|
|
// http://cwe.mitre.org/data/definitions/22.html
|
|
package test.cwe22.semmle.tests;
|
|
|
|
import javax.servlet.http.*;
|
|
import javax.servlet.ServletException;
|
|
|
|
import java.io.*;
|
|
import java.net.*;
|
|
import java.nio.file.Path;
|
|
import java.nio.file.Paths;
|
|
import java.nio.file.FileSystems;
|
|
|
|
import org.apache.commons.io.output.LockableFileWriter;
|
|
|
|
class Test {
|
|
void doGet1(InetAddress address)
|
|
throws IOException {
|
|
String temp = address.getHostName();
|
|
File file;
|
|
Path path;
|
|
|
|
// BAD: construct a file path with user input
|
|
file = new File(temp);
|
|
|
|
// BAD: construct a path with user input
|
|
path = Paths.get(temp);
|
|
|
|
// BAD: construct a path with user input
|
|
path = FileSystems.getDefault().getPath(temp);
|
|
|
|
// BAD: insufficient check
|
|
if (temp.startsWith("/some_safe_dir/")) {
|
|
file = new File(temp);
|
|
}
|
|
}
|
|
|
|
void doGet2(InetAddress address)
|
|
throws IOException {
|
|
String temp = address.getHostName();
|
|
File file;
|
|
|
|
// GOOD: check string is safe
|
|
if(isSafe(temp))
|
|
file = new File(temp);
|
|
}
|
|
|
|
void doGet3(InetAddress address)
|
|
throws IOException {
|
|
String temp = address.getHostName();
|
|
File file;
|
|
|
|
// FALSE NEGATIVE: inadequate check - fails to account
|
|
// for '.'s
|
|
if(isSortOfSafe(temp))
|
|
file = new File(temp);
|
|
}
|
|
|
|
boolean isSafe(String pathSpec) {
|
|
// no file separators
|
|
if (pathSpec.contains(File.separator))
|
|
return false;
|
|
// at most one dot
|
|
int indexOfDot = pathSpec.indexOf('.');
|
|
if (indexOfDot != -1 && pathSpec.indexOf('.', indexOfDot + 1) != -1)
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
boolean isSortOfSafe(String pathSpec) {
|
|
// no file separators
|
|
if (pathSpec.contains(File.separator))
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
public class MyServlet extends HttpServlet {
|
|
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
|
BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
|
|
String filename = br.readLine();
|
|
// BAD: construct a file path with user input
|
|
BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true));
|
|
}
|
|
}
|
|
|
|
void doGet4(InetAddress address)
|
|
throws IOException {
|
|
String temp = address.getHostName();
|
|
// BAD: open a file based on user input, using a MaD-documented API
|
|
new LockableFileWriter(temp);
|
|
}
|
|
|
|
void doGet5(InetAddress address)
|
|
throws URISyntaxException {
|
|
String t = address.getHostName();
|
|
// BAD: construct a file path with user input
|
|
new File(new URI(null, t, null));
|
|
new File(new URI(t, t, null, t));
|
|
new File(new URI(t, null, t, t));
|
|
new File(new URI(null, null, t, null, null));
|
|
new File(new URI(null, null, null, 0, t, null, null));
|
|
}
|
|
|
|
}
|