update tests and use TaintFlowTestArgString

add stubs
add missed sink models

Author: am0o0

java/ql/lib/ext/experimental/java.nio.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.nio.file","FileSystems",true,"getFileSystem","(URI)","","Argument[0]","path-injection","manual"]
+      - ["java.nio.channels","AsynchronousFileChannel",true,"open","(Path,OpenOption[])","","Argument[0]","path-injection","manual"]
+      - ["java.nio.channels","AsynchronousFileChannel",true,"open","(Path,Set,ExecutorService,FileAttribute[])","","Argument[0]","path-injection","manual"]

java/ql/lib/ext/experimental/java.util.zip.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.util.zip","ZipFile",true,"ZipFile","(String)","","Argument[0]","path-injection","manual"]

java/ql/lib/ext/experimental/s3-transfer-manager.model.yml

@@ -10,4 +10,4 @@ extensions:
       - ["software.amazon.awssdk.transfer.s3.model","ResumableFileDownload",true,"fromFile","(Path)","","Argument[0]","path-injection","manual"]
       - ["software.amazon.awssdk.transfer.s3.model","ResumableFileDownload",true,"serializeToFile","(Path)","","Argument[0]","path-injection","manual"]
       - ["software.amazon.awssdk.transfer.s3.model","ResumableFileUpload",true,"fromFile","(Path)","","Argument[0]","path-injection","manual"]
-      - ["software.amazon.awssdk.transfer.s3.model","UploadDirectoryRequest$Builder",true,"source","(Path)","","Argument[0]","code-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","UploadDirectoryRequest$Builder",true,"source","(Path)","","Argument[0]","path-injection","manual"]

java/ql/src/utils/modeleditor/FrameworkModeEndpointsQuery.qll

@@ -1,14 +1,14 @@
 private import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.internal.DataFlowPrivate
-private import semmle.code.java.dataflow.internal.FlowSummaryImpl
 private import semmle.code.java.dataflow.internal.ModelExclusions
 private import ModelEditor
 
 /**
  * A class of effectively public callables from source code.
  */
 class PublicEndpointFromSource extends Endpoint, ModelApi {
-  override predicate isSource() { SourceSinkInterpretationInput::sourceElement(this, _, _, _, _) }
+  override predicate isSource() { this instanceof SourceCallable }
 
-  override predicate isSink() { SourceSinkInterpretationInput::sinkElement(this, _, _, _, _) }
+  override predicate isSink() { this instanceof SinkCallable }
 }

java/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -41,18 +41,21 @@ private module Printing implements PrintingSig {
 
 module ModelPrinting = PrintingImpl<Printing>;
 
+/**
+ * Holds if `c` is a relevant content kind, where the underlying type is relevant.
+ */
+private predicate isRelevantTypeInContent(DataFlow::Content c) {
+  isRelevantType(getUnderlyingContentType(c))
+}
+
 /**
  * Holds if data can flow from `node1` to `node2` either via a read or a write of an intermediate field `f`.
  */
 private predicate isRelevantTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
   exists(DataFlow::Content f |
     DataFlowPrivate::readStep(node1, f, node2) and
-    if f instanceof DataFlow::FieldContent
-    then isRelevantType(f.(DataFlow::FieldContent).getField().getType())
-    else
-      if f instanceof DataFlow::SyntheticFieldContent
-      then isRelevantType(f.(DataFlow::SyntheticFieldContent).getField().getType())
-      else any()
+    // Partially restrict the content types used for intermediate steps.
+    (not exists(getUnderlyingContentType(f)) or isRelevantTypeInContent(f))
   )
   or
   exists(DataFlow::Content f | DataFlowPrivate::storeStep(node1, f, node2) |
@@ -61,12 +64,11 @@ private predicate isRelevantTaintStep(DataFlow::Node node1, DataFlow::Node node2
 }
 
 /**
- * Holds if content `c` is either a field or synthetic field of a relevant type
- * or a container like content.
+ * Holds if content `c` is either a field, a synthetic field or language specific
+ * content of a relevant type or a container like content.
  */
 private predicate isRelevantContent(DataFlow::Content c) {
-  isRelevantType(c.(DataFlow::FieldContent).getField().getType()) or
-  isRelevantType(c.(DataFlow::SyntheticFieldContent).getField().getType()) or
+  isRelevantTypeInContent(c) or
   DataFlowPrivate::containerContent(c)
 }
 
@@ -258,6 +260,10 @@ module PropagateToSinkConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { sinkModelSanitizer(node) }
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isRelevantTaintStep(node1, node2)
+  }
 }
 
 private module PropagateToSink = TaintTracking::Global<PropagateToSinkConfig>;

java/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll

@@ -186,6 +186,14 @@ predicate isRelevantType(J::Type t) {
   )
 }
 
+/**
+ * Gets the underlying type of the content `c`.
+ */
+J::Type getUnderlyingContentType(DataFlow::Content c) {
+  result = c.(DataFlow::FieldContent).getField().getType() or
+  result = c.(DataFlow::SyntheticFieldContent).getField().getType()
+}
+
 /**
  * Gets the MaD string representation of the qualifier.
  */

java/ql/test/experimental/query-tests/security/CWE-022/src/main/java/com/PathInjection/S3PathInjection.java renamed to java/ql/test/experimental/query-tests/security/CWE-022/AmazonS3.java

@@ -1,15 +1,24 @@
-package com.PathInjection;
-
 import software.amazon.awssdk.transfer.s3.S3TransferManager;
-import software.amazon.awssdk.transfer.s3.model.*;
+import software.amazon.awssdk.transfer.s3.model.UploadFileRequest;
+import software.amazon.awssdk.transfer.s3.model.FileUpload;
+import software.amazon.awssdk.transfer.s3.model.FileDownload;
+import software.amazon.awssdk.transfer.s3.model.DirectoryUpload;
+import software.amazon.awssdk.transfer.s3.model.CompletedDirectoryUpload;
+import software.amazon.awssdk.transfer.s3.model.DirectoryDownload;
+import software.amazon.awssdk.transfer.s3.model.CompletedDirectoryDownload;
+import software.amazon.awssdk.transfer.s3.model.DownloadDirectoryRequest;
+import software.amazon.awssdk.transfer.s3.model.DownloadFileRequest;
+import software.amazon.awssdk.transfer.s3.model.ResumableFileUpload;
+import software.amazon.awssdk.transfer.s3.model.UploadDirectoryRequest;
+import software.amazon.awssdk.transfer.s3.model.ResumableFileDownload;
+import software.amazon.awssdk.transfer.s3.model.CompletedFileUpload;
+import software.amazon.awssdk.transfer.s3.model.CompletedFileDownload;
 import software.amazon.awssdk.transfer.s3.progress.LoggingTransferListener;
 
-import java.net.MalformedURLException;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.nio.file.Paths;
 
-public class S3PathInjection {
+public class AmazonS3 {
   S3TransferManager transferManager = S3TransferManager.create();
   String bucketName = "bucketTest";
   String key = "keyTest";
@@ -19,7 +28,7 @@ public String uploadFile(URI filePathURI) {
         UploadFileRequest.builder()
             .putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .source(Paths.get(filePathURI)) // $ hasTaintFlow
+            .source(Paths.get(filePathURI)) // $ hasTaintFlow="get(...)"
             .build();
 
     FileUpload fileUpload = this.transferManager.uploadFile(uploadFileRequest);
@@ -33,18 +42,18 @@ public String uploadFileResumable(URI filePathURI) {
         UploadFileRequest.builder()
             .putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .source(Paths.get(filePathURI)) // $ hasTaintFlow
+            .source(Paths.get(filePathURI)) // $ hasTaintFlow="get(...)"
             .build();
 
     // Initiate the transfer
     FileUpload upload = this.transferManager.uploadFile(uploadFileRequest);
     // Pause the upload
     ResumableFileUpload resumableFileUpload = upload.pause();
     // Optionally, persist the resumableFileUpload
-    resumableFileUpload.serializeToFile(Paths.get(filePathURI)); // $ hasTaintFlow
+    resumableFileUpload.serializeToFile(Paths.get(filePathURI)); // $ hasTaintFlow="get(...)"
     // Retrieve the resumableFileUpload from the file
     ResumableFileUpload persistedResumableFileUpload =
-        ResumableFileUpload.fromFile(Paths.get(filePathURI)); // $ hasTaintFlow
+        ResumableFileUpload.fromFile(Paths.get(filePathURI)); // $ hasTaintFlow="get(...)"
     // Resume the upload
     FileUpload resumedUpload = this.transferManager.resumeUploadFile(persistedResumableFileUpload);
     // Wait for the transfer to complete
@@ -59,18 +68,18 @@ public String downloadFileResumable(URI downloadedFileWithPath) {
         DownloadFileRequest.builder()
             .getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow
+            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow="get(...)"
             .build();
 
     // Initiate the transfer
     FileDownload download = this.transferManager.downloadFile(downloadFileRequest);
     // Pause the download
     ResumableFileDownload resumableFileDownload = download.pause();
     // Optionally, persist the resumableFileDownload
-    resumableFileDownload.serializeToFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow
+    resumableFileDownload.serializeToFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow="get(...)"
     // Retrieve the resumableFileDownload from the file
     ResumableFileDownload persistedResumableFileDownload =
-        ResumableFileDownload.fromFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow
+        ResumableFileDownload.fromFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow="get(...)"
     // Resume the download
     FileDownload resumedDownload =
         this.transferManager.resumeDownloadFile(persistedResumableFileDownload);
@@ -85,7 +94,7 @@ public Integer uploadDirectory(URI sourceDirectory) {
     DirectoryUpload directoryUpload =
         this.transferManager.uploadDirectory(
             UploadDirectoryRequest.builder()
-                .source(Paths.get(sourceDirectory)) // $ hasTaintFlow
+                .source(Paths.get(sourceDirectory)) // $ hasTaintFlow="get(...)"
                 .bucket(this.bucketName)
                 .build());
 
@@ -98,7 +107,7 @@ public Long downloadFile(String downloadedFileWithPath) {
         DownloadFileRequest.builder()
             .getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
             .addTransferListener(LoggingTransferListener.create())
-            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow
+            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow="get(...)"
             .build();
 
     FileDownload downloadFile = this.transferManager.downloadFile(downloadFileRequest);
@@ -111,7 +120,7 @@ public Integer downloadObjectsToDirectory(URI destinationPathURI) {
     DirectoryDownload directoryDownload =
         this.transferManager.downloadDirectory(
             DownloadDirectoryRequest.builder()
-                .destination(Paths.get(destinationPathURI)) // $ hasTaintFlow
+                .destination(Paths.get(destinationPathURI)) // $ hasTaintFlow="get(...)"
                 .bucket(this.bucketName)
                 .build());
     CompletedDirectoryDownload completedDirectoryDownload =

java/ql/test/experimental/query-tests/security/CWE-022/src/main/java/com/PathInjection/CommonsIOPathInjection.java renamed to java/ql/test/experimental/query-tests/security/CWE-022/JavaNio.java

@@ -1,38 +1,39 @@
-package com.PathInjection;
-
-import java.io.*;
+import java.io.IOException;
+import java.io.File;
 import java.nio.channels.AsynchronousFileChannel;
-import java.nio.file.*;
+import java.nio.file.Path;
+import java.nio.file.LinkOption;
+import java.nio.file.FileSystems;
 import java.nio.file.attribute.FileAttribute;
 import java.util.Set;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 
-class fileAttr implements FileAttribute<String> {
-  public String name() {
-    return "file";
-  }
+public class JavaNio {
+  static class FileAttr implements FileAttribute<String> {
+    public String name() {
+      return "file";
+    }
 
-  public String value() {
-    return "value";
+    public String value() {
+      return "value";
+    }
   }
-}
 
-public class CommonsIOPathInjection {
   public void PathInjection(Path src, File srcF) throws IOException {
-    AsynchronousFileChannel.open(src); // $ hasTaintFlow
-    AsynchronousFileChannel.open(src, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow
+    AsynchronousFileChannel.open(src); // $ hasTaintFlow="src"
+    AsynchronousFileChannel.open(src, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow="src"
     AsynchronousFileChannel.open(
-        src, LinkOption.NOFOLLOW_LINKS, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow
+        src, LinkOption.NOFOLLOW_LINKS, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow="src"
     ExecutorService executor = Executors.newFixedThreadPool(10);
     AsynchronousFileChannel.open(
-        src, Set.of(LinkOption.NOFOLLOW_LINKS), executor); // $ hasTaintFlow
+        src, Set.of(LinkOption.NOFOLLOW_LINKS), executor); // $ hasTaintFlow="src"
     AsynchronousFileChannel.open(
-        src, // $ hasTaintFlow
+        src, // $ hasTaintFlow="src"
         Set.of(LinkOption.NOFOLLOW_LINKS),
         executor,
-        new fileAttr());
+        new FileAttr());
 
-    FileSystems.getFileSystem(srcF.toURI()); // $ hasTaintFlow
+    FileSystems.getFileSystem(srcF.toURI()); // $ hasTaintFlow="toURI(...)"
   }
 }

java/ql/test/experimental/query-tests/security/CWE-022/Main.java

@@ -0,0 +1,35 @@
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
+import java.net.Socket;
+
+public class Main {
+  public void sendUserFileGood(Socket sock) throws IOException {
+    BufferedReader filenameReader =
+        new BufferedReader(new InputStreamReader(sock.getInputStream(), StandardCharsets.UTF_8));
+    String path = filenameReader.readLine();
+    Path src = Path.of(path);
+    File srcF = new File(path);
+
+    new JavaNio().PathInjection(src, srcF);
+
+    new SpringIo().PathInjection(path);
+
+    AmazonS3 s3PathInjection = new AmazonS3();
+    s3PathInjection.downloadFileResumable(src.toUri());
+    s3PathInjection.downloadFile(path);
+    s3PathInjection.downloadObjectsToDirectory(src.toUri());
+    s3PathInjection.uploadFileResumable(src.toUri());
+    s3PathInjection.uploadDirectory(src.toUri());
+    s3PathInjection.uploadFile(src.toUri());
+
+    Zip4j zip4jfile = new Zip4j();
+    zip4jfile.PathInjection(path);
+
+    ZipFile zipfile = new ZipFile();
+    zipfile.PathInjection(path);
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-022/PathInjection.iml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module version="4">
+  <component name="AdditionalModuleElements">
+    <content url="file://$MODULE_DIR$" dumb="true">
+      <sourceFolder url="file://$MODULE_DIR$" isTestSource="false" />
+    </content>
+  </component>
+</module>