Java: Add more File-related sinks for path-injection

Author: atorralba

java/ql/lib/ext/java.io.model.yml

@@ -3,11 +3,22 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["java.io", "File", True, "canRead", "()", "", "Argument[this]", "path-injection", "manual"]
+      - ["java.io", "File", True, "canWrite", "()", "", "Argument[this]", "path-injection", "manual"]
       - ["java.io", "File", True, "createNewFile", "()", "", "Argument[this]", "path-injection", "ai-manual"]
       - ["java.io", "File", True, "createTempFile", "(String,String,File)", "", "Argument[2]", "path-injection", "ai-manual"]
+      - ["java.io", "File", True, "delete", "()", "", "Argument[this]", "path-injection", "manual"]
+      - ["java.io", "File", True, "deleteOnExit", "()", "", "Argument[this]", "path-injection", "manual"]
       - ["java.io", "File", True, "exists", "()", "", "Argument[this]", "path-injection", "manual"]
+      - ["java.io", "File", True, "mkdir", "()", "", "Argument[this]", "path-injection", "manual"]
+      - ["java.io", "File", True, "mkdirs", "()", "", "Argument[this]", "path-injection", "manual"]
       - ["java.io", "File", True, "renameTo", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.io", "File", True, "renameTo", "(File)", "", "Argument[this]", "path-injection", "ai-manual"]
+      - ["java.io", "File", True, "setExecutable", "", "", "Argument[this]", "path-injection", "manual"]
+      - ["java.io", "File", True, "setLastModified", "", "", "Argument[this]", "path-injection", "manual"]
+      - ["java.io", "File", True, "setReadable", "", "", "Argument[this]", "path-injection", "manual"]
+      - ["java.io", "File", True, "setReadOnly", "", "", "Argument[this]", "path-injection", "manual"]
+      - ["java.io", "File", True, "setWritable", "", "", "Argument[this]", "path-injection", "manual"]
       - ["java.io", "FileInputStream", True, "FileInputStream", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.io", "FileInputStream", True, "FileInputStream", "(FileDescriptor)", "", "Argument[0]", "path-injection", "manual"]
       - ["java.io", "FileInputStream", True, "FileInputStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]

java/ql/src/change-notes/2024-05-27-path-injection-file-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added more `File`-related sinks to the path injection query.

java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java

@@ -37,8 +37,38 @@ void test() throws IOException {
         getClass().getResource((String) source()); // $ hasTaintFlow
         // "java.lang;ClassLoader;true;getSystemResourceAsStream;(String);;Argument[0];read-file;ai-generated"
         ClassLoader.getSystemResourceAsStream((String) source()); // $ hasTaintFlow
+        // "java.io;File;True;canRead;();;Argument[this];path-injection;manual"
+        ((File) source()).canRead(); // $ hasTaintFlow
+        // "java.io;File;True;canWrite;();;Argument[this];path-injection;manual"
+        ((File) source()).canWrite(); // $ hasTaintFlow
+        // "java.io;File;True;createNewFile;();;Argument[this];path-injection;ai-manual"
+        ((File) source()).createNewFile(); // $ hasTaintFlow
         // "java.io;File;true;createTempFile;(String,String,File);;Argument[2];create-file;ai-generated"
         File.createTempFile(";", ";", (File) source()); // $ hasTaintFlow
+        // "java.io;File;True;delete;();;Argument[this];path-injection;manual"
+        ((File) source()).delete(); // $ hasTaintFlow
+        // "java.io;File;True;deleteOnExit;();;Argument[this];path-injection;manual"
+        ((File) source()).deleteOnExit(); // $ hasTaintFlow
+        // "java.io;File;True;exists;();;Argument[this];path-injection;manual"
+        ((File) source()).exists(); // $ hasTaintFlow
+        // "java.io;File;True;mkdir;();;Argument[this];path-injection;manual"
+        ((File) source()).mkdir(); // $ hasTaintFlow
+        // "java.io;File;True;mkdirs;();;Argument[this];path-injection;manual"
+        ((File) source()).mkdirs(); // $ hasTaintFlow
+        // "java.io;File;True;renameTo;(File);;Argument[0];path-injection;ai-manual"
+        new File("").renameTo((File) source()); // $ hasTaintFlow
+        // "java.io;File;True;renameTo;(File);;Argument[this];path-injection;ai-manual"
+        ((File) source()).renameTo(null); // $ hasTaintFlow
+        // "java.io;File;True;setExecutable;;;Argument[this];path-injection;manual"
+        ((File) source()).setExecutable(true); // $ hasTaintFlow
+        // "java.io;File;True;setLastModified;;;Argument[this];path-injection;manual"
+        ((File) source()).setLastModified(0); // $ hasTaintFlow
+        // "java.io;File;True;setReadable;;;Argument[this];path-injection;manual"
+        ((File) source()).setReadable(true); // $ hasTaintFlow
+        // "java.io;File;True;setReadOnly;;;Argument[this];path-injection;manual"
+        ((File) source()).setReadOnly(); // $ hasTaintFlow
+        // "java.io;File;True;setWritable;;;Argument[this];path-injection;manual"
+        ((File) source()).setWritable(true); // $ hasTaintFlow
         // "java.io;File;true;renameTo;(File);;Argument[0];create-file;ai-generated"
         new File("").renameTo((File) source()); // $ hasTaintFlow
         // "java.io;FileInputStream;true;FileInputStream;(File);;Argument[0];read-file;ai-generated"