add new s3 and spring IO path injection sinks

Author: am0o0

java/ql/lib/ext/experimental/s3-transfer-manager.model.yml

@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: experimentalSinkModel
+    data:
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileUpload",true,"serializeToFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","DownloadFileRequest$Builder",true,"destination","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","UploadFileRequest$Builder",true,"source","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","DownloadDirectoryRequest$Builder",true,"destination","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileDownload",true,"fromFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileDownload",true,"serializeToFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileUpload",true,"fromFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","UploadDirectoryRequest$Builder",true,"source","(Path)","","Argument[0]","code-injection","manual"]

java/ql/lib/ext/experimental/spring-core.model.yml

@@ -0,0 +1,27 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: experimentalSinkModel
+    data:
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(FileSystem,String)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(File)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileUrlResource",true,"FileUrlResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileUrlResource",true,"FileUrlResource","(URL)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","PathResource",true,"PathResource","(Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","PathResource",true,"PathResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","PathResource",true,"PathResource","(URI)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(String,String,String)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(String,String)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(URI)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(URL)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(Path,Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(Path,Path)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"deleteRecursively","(File)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"deleteRecursively","(Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","ResourceUtils",true,"getFile","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileCopyUtils",true,"copyToByteArray","(File)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileCopyUtils",true,"copyToString","(Reader)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(File,File)","","Argument[0]","path-injection","manual"]

java/ql/test/query-tests/security/CWE-022/semmle/tests/NewPathInjection/PathInjection/pom.xml

@@ -0,0 +1,110 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.PathInjection</groupId>
+    <artifactId>PathInjection</artifactId>
+    <packaging>war</packaging>
+    <version>1.0-SNAPSHOT</version>
+    <name>PathInjection Maven Webapp</name>
+    <url>https://maven.apache.org</url>
+
+    <properties>
+        <aws.sdk.version>2.19.1</aws.sdk.version>
+    </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>software.amazon.awssdk</groupId>
+                <artifactId>bom</artifactId>
+                <version>${aws.sdk.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+    <dependencies>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <version>4.0.1</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-framework-bom</artifactId>
+            <version>6.1.4</version>
+            <scope>import</scope>
+            <type>pom</type>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.springframework/spring-core -->
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-core</artifactId>
+            <version>6.1.4</version>
+        </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>s3-transfer-manager</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk.crt</groupId>
+            <artifactId>aws-crt</artifactId>
+            <version>0.20.3</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.12.0</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/net.lingala.zip4j/zip4j -->
+        <dependency>
+            <groupId>net.lingala.zip4j</groupId>
+            <artifactId>zip4j</artifactId>
+            <version>2.11.5</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/com.github.luben/zstd-jni -->
+        <dependency>
+            <groupId>com.github.luben</groupId>
+            <artifactId>zstd-jni</artifactId>
+            <version>1.5.5-1</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.tukaani/xz -->
+        <dependency>
+            <groupId>org.tukaani</groupId>
+            <artifactId>xz</artifactId>
+            <version>1.9</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.lz4/lz4-java -->
+        <dependency>
+            <groupId>org.lz4</groupId>
+            <artifactId>lz4-java</artifactId>
+            <version>1.8.0</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java -->
+        <dependency>
+            <groupId>org.xerial.snappy</groupId>
+            <artifactId>snappy-java</artifactId>
+            <version>1.1.10.5</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-compress -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.26.0</version>
+        </dependency>
+    </dependencies>
+    <build>
+        <finalName>PathInjection</finalName>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>11</source>
+                    <target>11</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>

java/ql/test/query-tests/security/CWE-022/semmle/tests/NewPathInjection/PathInjection/src/main/java/com/PathInjection/CommonsIOPathInjection.java

@@ -0,0 +1,38 @@
+package com.PathInjection;
+
+import java.io.*;
+import java.nio.channels.AsynchronousFileChannel;
+import java.nio.file.*;
+import java.nio.file.attribute.FileAttribute;
+import java.util.Set;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
+class fileAttr implements FileAttribute<String> {
+  public String name() {
+    return "file";
+  }
+
+  public String value() {
+    return "value";
+  }
+}
+
+public class CommonsIOPathInjection {
+  public void PathInjection(Path src, File srcF) throws IOException {
+    AsynchronousFileChannel.open(src); // $ PathInjection
+    AsynchronousFileChannel.open(src, LinkOption.NOFOLLOW_LINKS); // $ PathInjection
+    AsynchronousFileChannel.open(
+        src, LinkOption.NOFOLLOW_LINKS, LinkOption.NOFOLLOW_LINKS); // $ PathInjection
+    ExecutorService executor = Executors.newFixedThreadPool(10);
+    AsynchronousFileChannel.open(
+        src, Set.of(LinkOption.NOFOLLOW_LINKS), executor); // $ PathInjection
+    AsynchronousFileChannel.open(
+        src, // $ PathInjection
+        Set.of(LinkOption.NOFOLLOW_LINKS),
+        executor,
+        new fileAttr());
+
+    FileSystems.getFileSystem(srcF.toURI()); // $ PathInjection
+  }
+}

java/ql/test/query-tests/security/CWE-022/semmle/tests/NewPathInjection/PathInjection/src/main/java/com/PathInjection/HelloServlet.java

@@ -0,0 +1,45 @@
+package com.PathInjection;
+
+import java.io.*;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.nio.file.Path;
+import javax.servlet.annotation.MultipartConfig;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import net.lingala.zip4j.ZipFile;
+
+@WebServlet(
+    name = "helloServlet",
+    urlPatterns = {"/hello"})
+@MultipartConfig()
+public class HelloServlet extends HttpServlet {
+
+  public void init() {}
+
+  public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
+    String path = request.getParameter("path");
+    Path src = Path.of(path);
+    File srcF = new File(path);
+    new CommonsIOPathInjection().PathInjection(src, srcF);
+    new SpringIoPathInjection().PathInjection(path);
+    S3PathInjection s3PathInjection = new S3PathInjection();
+    s3PathInjection.downloadFileResumable(src.toUri());
+    s3PathInjection.downloadFile(path);
+    s3PathInjection.downloadObjectsToDirectory(src.toUri());
+    s3PathInjection.uploadFileResumable(src.toUri());
+    s3PathInjection.uploadDirectory(src.toUri());
+    s3PathInjection.uploadFile(src.toUri());
+
+    ZipFile zipfile = new ZipFile(path);
+    zipfile.extractAll(path);
+    new java.util.zip.ZipFile(path);
+
+    PrintWriter out = response.getWriter();
+    response.setContentType("text/html");
+    out.println("<html><body>end</body></html>");
+  }
+}

java/ql/test/query-tests/security/CWE-022/semmle/tests/NewPathInjection/PathInjection/src/main/java/com/PathInjection/S3PathInjection.java

@@ -0,0 +1,122 @@
+package com.PathInjection;
+
+import software.amazon.awssdk.transfer.s3.S3TransferManager;
+import software.amazon.awssdk.transfer.s3.model.*;
+import software.amazon.awssdk.transfer.s3.progress.LoggingTransferListener;
+
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.file.Paths;
+
+public class S3PathInjection {
+  S3TransferManager transferManager = S3TransferManager.create();
+  String bucketName = "bucketTest";
+  String key = "keyTest";
+
+  public String uploadFile(URI filePathURI) {
+    UploadFileRequest uploadFileRequest =
+        UploadFileRequest.builder()
+            .putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
+            .addTransferListener(LoggingTransferListener.create())
+            .source(Paths.get(filePathURI)) // $ PathInjection
+            .build();
+
+    FileUpload fileUpload = this.transferManager.uploadFile(uploadFileRequest);
+
+    CompletedFileUpload uploadResult = fileUpload.completionFuture().join();
+    return uploadResult.response().eTag();
+  }
+
+  public String uploadFileResumable(URI filePathURI) {
+    UploadFileRequest uploadFileRequest =
+        UploadFileRequest.builder()
+            .putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
+            .addTransferListener(LoggingTransferListener.create())
+            .source(Paths.get(filePathURI)) // $ PathInjection
+            .build();
+
+    // Initiate the transfer
+    FileUpload upload = this.transferManager.uploadFile(uploadFileRequest);
+    // Pause the upload
+    ResumableFileUpload resumableFileUpload = upload.pause();
+    // Optionally, persist the resumableFileUpload
+    resumableFileUpload.serializeToFile(Paths.get(filePathURI)); // $ PathInjection
+    // Retrieve the resumableFileUpload from the file
+    ResumableFileUpload persistedResumableFileUpload =
+        ResumableFileUpload.fromFile(Paths.get(filePathURI)); // $ PathInjection
+    // Resume the upload
+    FileUpload resumedUpload = this.transferManager.resumeUploadFile(persistedResumableFileUpload);
+    // Wait for the transfer to complete
+    resumedUpload.completionFuture().join();
+    FileUpload fileUpload = this.transferManager.uploadFile(uploadFileRequest);
+    CompletedFileUpload uploadResult = fileUpload.completionFuture().join();
+    return uploadResult.response().eTag();
+  }
+
+  public String downloadFileResumable(URI downloadedFileWithPath) {
+    DownloadFileRequest downloadFileRequest =
+        DownloadFileRequest.builder()
+            .getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
+            .addTransferListener(LoggingTransferListener.create())
+            .destination(Paths.get(downloadedFileWithPath)) // $ PathInjection
+            .build();
+
+    // Initiate the transfer
+    FileDownload download = this.transferManager.downloadFile(downloadFileRequest);
+    // Pause the download
+    ResumableFileDownload resumableFileDownload = download.pause();
+    // Optionally, persist the resumableFileDownload
+    resumableFileDownload.serializeToFile(Paths.get(downloadedFileWithPath)); // $ PathInjection
+    // Retrieve the resumableFileDownload from the file
+    ResumableFileDownload persistedResumableFileDownload =
+        ResumableFileDownload.fromFile(Paths.get(downloadedFileWithPath)); // $ PathInjection
+    // Resume the download
+    FileDownload resumedDownload =
+        this.transferManager.resumeDownloadFile(persistedResumableFileDownload);
+    // Wait for the transfer to complete
+    resumedDownload.completionFuture().join();
+    FileDownload filedownload = this.transferManager.downloadFile(downloadFileRequest);
+    CompletedFileDownload downloadResult = filedownload.completionFuture().join();
+    return downloadResult.response().eTag();
+  }
+
+  public Integer uploadDirectory(URI sourceDirectory) {
+    DirectoryUpload directoryUpload =
+        this.transferManager.uploadDirectory(
+            UploadDirectoryRequest.builder()
+                .source(Paths.get(sourceDirectory)) // $ PathInjection
+                .bucket(this.bucketName)
+                .build());
+
+    CompletedDirectoryUpload completedDirectoryUpload = directoryUpload.completionFuture().join();
+    return completedDirectoryUpload.failedTransfers().size();
+  }
+
+  public Long downloadFile(String downloadedFileWithPath) {
+    DownloadFileRequest downloadFileRequest =
+        DownloadFileRequest.builder()
+            .getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
+            .addTransferListener(LoggingTransferListener.create())
+            .destination(Paths.get(downloadedFileWithPath)) // $ PathInjection
+            .build();
+
+    FileDownload downloadFile = this.transferManager.downloadFile(downloadFileRequest);
+
+    CompletedFileDownload downloadResult = downloadFile.completionFuture().join();
+    return downloadResult.response().contentLength();
+  }
+
+  public Integer downloadObjectsToDirectory(URI destinationPathURI) {
+    DirectoryDownload directoryDownload =
+        this.transferManager.downloadDirectory(
+            DownloadDirectoryRequest.builder()
+                .destination(Paths.get(destinationPathURI)) // $ PathInjection
+                .bucket(this.bucketName)
+                .build());
+    CompletedDirectoryDownload completedDirectoryDownload =
+        directoryDownload.completionFuture().join();
+
+    return completedDirectoryDownload.failedTransfers().size();
+  }
+}