hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-27 17:58:17 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
657e1e62ca07932f7ae50d06ee3350af9ed0d5f4
codeql/java/ql/lib/semmle/code/java/security/PartialPathTraversal.qll
Chris Smowton e9df675f88 Autoformat ql
2022-08-11 09:55:46 +01:00

61 lines
2.0 KiB
Plaintext
Raw Blame History

/** Provides classes to reason about partial path traversal vulnerabilities. */
import java
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.environment.SystemProperty
private class MethodStringStartsWith extends Method {
MethodStringStartsWith() {
this.getDeclaringType() instanceof TypeString and
this.hasName("startsWith")
}
}
private class MethodFileGetCanonicalPath extends Method {
MethodFileGetCanonicalPath() {
this.getDeclaringType() instanceof TypeFile and
this.hasName("getCanonicalPath")
}
}
private class MethodAccessFileGetCanonicalPath extends MethodAccess {
MethodAccessFileGetCanonicalPath() { this.getMethod() instanceof MethodFileGetCanonicalPath }
}
abstract private class FileSeparatorExpr extends Expr { }
private class SystemPropFileSeparatorExpr extends FileSeparatorExpr {
SystemPropFileSeparatorExpr() { this = getSystemProperty("file.separator") }
}
private class StringLiteralFileSeparatorExpr extends FileSeparatorExpr, StringLiteral {
StringLiteralFileSeparatorExpr() {
this.getValue().matches("%/") or this.getValue().matches("%\\")
}
}
private class CharacterLiteralFileSeparatorExpr extends FileSeparatorExpr, CharacterLiteral {
CharacterLiteralFileSeparatorExpr() { this.getValue() = "/" or this.getValue() = "\\" }
}
private class FileSeparatorAppend extends AddExpr {
FileSeparatorAppend() { this.getRightOperand() instanceof FileSeparatorExpr }
}
private predicate isSafe(Expr expr) {
DataFlow::localExprFlow(any(Expr e |
e instanceof FileSeparatorAppend or e instanceof FileSeparatorExpr
), expr)
}
/**
* A method access that returns a boolean that incorrectly guards against Partial Path Traversal.
*/
class PartialPathTraversalMethodAccess extends MethodAccess {
PartialPathTraversalMethodAccess() {
this.getMethod() instanceof MethodStringStartsWith and
DataFlow::localExprFlow(any(MethodAccessFileGetCanonicalPath gcpma), this.getQualifier()) and
not isSafe(this.getArgument(0))
}
}
Reference in New Issue View Git Blame Copy Permalink