Use hasTaintFlow marker

smowton · am0o0 · commit 1cb9f6370fb7 · 2024-07-13T13:09:43.000+02:00
diff --git a/java/ql/test/experimental/query-tests/security/CWE-022/src/main/java/com/PathInjection/CommonsIOPathInjection.java b/java/ql/test/experimental/query-tests/security/CWE-022/src/main/java/com/PathInjection/CommonsIOPathInjection.java
@@ -20,19 +20,19 @@ public String value() {
 
 public class CommonsIOPathInjection {
   public void PathInjection(Path src, File srcF) throws IOException {
-    AsynchronousFileChannel.open(src); // $ PathInjection
-    AsynchronousFileChannel.open(src, LinkOption.NOFOLLOW_LINKS); // $ PathInjection
+    AsynchronousFileChannel.open(src); // $ hasTaintFlow
+    AsynchronousFileChannel.open(src, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow
     AsynchronousFileChannel.open(
-        src, LinkOption.NOFOLLOW_LINKS, LinkOption.NOFOLLOW_LINKS); // $ PathInjection
+        src, LinkOption.NOFOLLOW_LINKS, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow
     ExecutorService executor = Executors.newFixedThreadPool(10);
     AsynchronousFileChannel.open(
-        src, Set.of(LinkOption.NOFOLLOW_LINKS), executor); // $ PathInjection
+        src, Set.of(LinkOption.NOFOLLOW_LINKS), executor); // $ hasTaintFlow
     AsynchronousFileChannel.open(
-        src, // $ PathInjection
+        src, // $ hasTaintFlow
         Set.of(LinkOption.NOFOLLOW_LINKS),
         executor,
         new fileAttr());
 
-    FileSystems.getFileSystem(srcF.toURI()); // $ PathInjection
+    FileSystems.getFileSystem(srcF.toURI()); // $ hasTaintFlow
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-022/src/main/java/com/PathInjection/S3PathInjection.java b/java/ql/test/experimental/query-tests/security/CWE-022/src/main/java/com/PathInjection/S3PathInjection.java
@@ -19,7 +19,7 @@ public String uploadFile(URI filePathURI) {
         UploadFileRequest.builder()
             .putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .source(Paths.get(filePathURI)) // $ PathInjection
+            .source(Paths.get(filePathURI)) // $ hasTaintFlow
             .build();
 
     FileUpload fileUpload = this.transferManager.uploadFile(uploadFileRequest);
@@ -33,18 +33,18 @@ public String uploadFileResumable(URI filePathURI) {
         UploadFileRequest.builder()
             .putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .source(Paths.get(filePathURI)) // $ PathInjection
+            .source(Paths.get(filePathURI)) // $ hasTaintFlow
             .build();
 
     // Initiate the transfer
     FileUpload upload = this.transferManager.uploadFile(uploadFileRequest);
     // Pause the upload
     ResumableFileUpload resumableFileUpload = upload.pause();
     // Optionally, persist the resumableFileUpload
-    resumableFileUpload.serializeToFile(Paths.get(filePathURI)); // $ PathInjection
+    resumableFileUpload.serializeToFile(Paths.get(filePathURI)); // $ hasTaintFlow
     // Retrieve the resumableFileUpload from the file
     ResumableFileUpload persistedResumableFileUpload =
-        ResumableFileUpload.fromFile(Paths.get(filePathURI)); // $ PathInjection
+        ResumableFileUpload.fromFile(Paths.get(filePathURI)); // $ hasTaintFlow
     // Resume the upload
     FileUpload resumedUpload = this.transferManager.resumeUploadFile(persistedResumableFileUpload);
     // Wait for the transfer to complete
@@ -59,18 +59,18 @@ public String downloadFileResumable(URI downloadedFileWithPath) {
         DownloadFileRequest.builder()
             .getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .destination(Paths.get(downloadedFileWithPath)) // $ PathInjection
+            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow
             .build();
 
     // Initiate the transfer
     FileDownload download = this.transferManager.downloadFile(downloadFileRequest);
     // Pause the download
     ResumableFileDownload resumableFileDownload = download.pause();
     // Optionally, persist the resumableFileDownload
-    resumableFileDownload.serializeToFile(Paths.get(downloadedFileWithPath)); // $ PathInjection
+    resumableFileDownload.serializeToFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow
     // Retrieve the resumableFileDownload from the file
     ResumableFileDownload persistedResumableFileDownload =
-        ResumableFileDownload.fromFile(Paths.get(downloadedFileWithPath)); // $ PathInjection
+        ResumableFileDownload.fromFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow
     // Resume the download
     FileDownload resumedDownload =
         this.transferManager.resumeDownloadFile(persistedResumableFileDownload);
@@ -85,7 +85,7 @@ public Integer uploadDirectory(URI sourceDirectory) {
     DirectoryUpload directoryUpload =
         this.transferManager.uploadDirectory(
             UploadDirectoryRequest.builder()
-                .source(Paths.get(sourceDirectory)) // $ PathInjection
+                .source(Paths.get(sourceDirectory)) // $ hasTaintFlow
                 .bucket(this.bucketName)
                 .build());
 
@@ -98,7 +98,7 @@ public Long downloadFile(String downloadedFileWithPath) {
         DownloadFileRequest.builder()
             .getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .destination(Paths.get(downloadedFileWithPath)) // $ PathInjection
+            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow
             .build();
 
     FileDownload downloadFile = this.transferManager.downloadFile(downloadFileRequest);
@@ -111,7 +111,7 @@ public Integer downloadObjectsToDirectory(URI destinationPathURI) {
     DirectoryDownload directoryDownload =
         this.transferManager.downloadDirectory(
             DownloadDirectoryRequest.builder()
-                .destination(Paths.get(destinationPathURI)) // $ PathInjection
+                .destination(Paths.get(destinationPathURI)) // $ hasTaintFlow
                 .bucket(this.bucketName)
                 .build());
     CompletedDirectoryDownload completedDirectoryDownload =
diff --git a/java/ql/test/experimental/query-tests/security/CWE-022/src/main/java/com/PathInjection/SpringIoPathInjection.java b/java/ql/test/experimental/query-tests/security/CWE-022/src/main/java/com/PathInjection/SpringIoPathInjection.java
@@ -18,30 +18,30 @@ public void PathInjection(String path) throws IOException {
     Path filePath = fileStorageLocation.resolve(path).normalize();
     File pathFile = new File(path);
 
-    new UrlResource(filePath.toUri()); // $ PathInjection
-    new UrlResource(filePath.toUri().toURL()); // $ PathInjection
-    new UrlResource("file", path); // $ PathInjection
-    new UrlResource("file", path, "#"); // $ PathInjection
-    new UrlResource(path); // $ PathInjection
-
-    new PathResource(path); // $ PathInjection
-    new PathResource(filePath); // $ PathInjection
-    new PathResource(filePath.toUri()); // $ PathInjection
-
-    new FileUrlResource(filePath.toUri().toURL()); // $ PathInjection
-    new FileUrlResource(path); // $ PathInjection
-
-    new FileSystemResource(pathFile); // $ PathInjection
-    new FileSystemResource(path); // $ PathInjection
-    new FileSystemResource(filePath); // $ PathInjection
+    new UrlResource(filePath.toUri()); // $ hasTaintFlow
+    new UrlResource(filePath.toUri().toURL()); // $ hasTaintFlow
+    new UrlResource("file", path); // $ hasTaintFlow
+    new UrlResource("file", path, "#"); // $ hasTaintFlow
+    new UrlResource(path); // $ hasTaintFlow
+
+    new PathResource(path); // $ hasTaintFlow
+    new PathResource(filePath); // $ hasTaintFlow
+    new PathResource(filePath.toUri()); // $ hasTaintFlow
+
+    new FileUrlResource(filePath.toUri().toURL()); // $ hasTaintFlow
+    new FileUrlResource(path); // $ hasTaintFlow
+
+    new FileSystemResource(pathFile); // $ hasTaintFlow
+    new FileSystemResource(path); // $ hasTaintFlow
+    new FileSystemResource(filePath); // $ hasTaintFlow
     new FileSystemResource(
-        FileSystems.getFileSystem(URI.create("file:///")), path); // $ PathInjection
-
-    FileSystemUtils.copyRecursively(filePath, filePath.resolve("/newPath")); // $ PathInjection
-    FileSystemUtils.copyRecursively(pathFile, pathFile); // $ PathInjection
-    FileSystemUtils.deleteRecursively(pathFile); // $ PathInjection
-    FileSystemUtils.deleteRecursively(filePath); // $ PathInjection
-    FileCopyUtils.copy(pathFile, pathFile); // $ PathInjection
-    FileCopyUtils.copyToByteArray(pathFile); // $ PathInjection
+        FileSystems.getFileSystem(URI.create("file:///")), path); // $ hasTaintFlow
+
+    FileSystemUtils.copyRecursively(filePath, filePath.resolve("/newPath")); // $ hasTaintFlow
+    FileSystemUtils.copyRecursively(pathFile, pathFile); // $ hasTaintFlow
+    FileSystemUtils.deleteRecursively(pathFile); // $ hasTaintFlow
+    FileSystemUtils.deleteRecursively(filePath); // $ hasTaintFlow
+    FileCopyUtils.copy(pathFile, pathFile); // $ hasTaintFlow
+    FileCopyUtils.copyToByteArray(pathFile); // $ hasTaintFlow
   }
 }
