Java: Add simple type sanitization to java/zipslip.

aschackmull · aschackmull · commit d82acf58664a · 2024-05-22T10:23:30.000+02:00
diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
@@ -6,6 +6,7 @@ import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.PathCreation
+private import semmle.code.java.security.Sanitizers
 
 /**
  * A method that returns the name of an archive entry.
@@ -39,7 +40,10 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof SimpleTypeSanitizer or
+    node instanceof PathInjectionSanitizer
+  }
 }
 
 /** Tracks flow from archive entries to file creation. */
