Merge pull request #16550 from aschackmull/java/zipslip-number-sanitizer

aschackmull · web-flow · commit a078dcf1f22c · 2024-05-22T12:43:44.000+02:00
Java: Improve sanitizer for java/zipslip
diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
@@ -6,6 +6,7 @@ import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.PathCreation
+private import semmle.code.java.security.Sanitizers
 
 /**
  * A method that returns the name of an archive entry.
@@ -39,7 +40,10 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof SimpleTypeSanitizer or
+    node instanceof PathInjectionSanitizer
+  }
 }
 
 /** Tracks flow from archive entries to file creation. */
diff --git a/java/ql/src/change-notes/2024-05-22-zipslip-number-sanitizer.md b/java/ql/src/change-notes/2024-05-22-zipslip-number-sanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The sanitizer of the query `java/zipslip` has been improved to include nodes that are safe due to having certain safe types. This reduces false positives. 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The sanitizer of the query `java/zipslip` has been improved to include nodes that are safe due to having certain safe types. This reduces false positives.