Java: sanitize constructor call instead and update test cases

Jami Cogswell · Jami Cogswell · commit e8724ab2207b · 2025-02-05T15:46:10.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -388,7 +388,7 @@ private class FileConstructorSanitizer extends PathInjectionSanitizer {
         arg = ValidationMethod<pathTraversalGuard/3>::getAValidatedNode().asExpr() or
         TaintTracking::localExprTaint(any(PathNormalizeSanitizer p), arg)
       ) and
-      this.asExpr() = arg
+      this.asExpr() = constrCall
     )
   }
 }
diff --git a/java/ql/test/library-tests/pathsanitizer/Test.java b/java/ql/test/library-tests/pathsanitizer/Test.java
@@ -483,7 +483,7 @@ public void fileConstructorSanitizer() throws Exception {
             if (!source.contains("..")) {
                 File f2 = new File(f1, source);
                 sink(f2); // Safe
-                sink(source); // $ MISSING: hasTaintFlow
+                sink(source); // $ hasTaintFlow
             } else {
                 File f3 = new File(f1, source);
                 sink(f3); // $ hasTaintFlow
@@ -497,7 +497,7 @@ public void fileConstructorSanitizer() throws Exception {
                 // `f2` is unsafe if `f1` is tainted
                 File f2 = new File(f1Tainted, source);
                 sink(f2); // $ hasTaintFlow
-                sink(source); // $ MISSING: hasTaintFlow
+                sink(source); // $ hasTaintFlow
             } else {
                 File f3 = new File(f1Tainted, source);
                 sink(f3); // $ hasTaintFlow
@@ -524,7 +524,7 @@ public void fileConstructorSanitizer() throws Exception {
             if (source.indexOf("..") == -1) {
                 File f2 = new File(f1, source);
                 sink(f2); // Safe
-                sink(source); // $ MISSING: hasTaintFlow
+                sink(source); // $ hasTaintFlow
             } else {
                 File f3 = new File(f1, source);
                 sink(f3); // $ hasTaintFlow
@@ -541,7 +541,7 @@ public void fileConstructorSanitizer() throws Exception {
             } else {
                 File f3 = new File(f1, source);
                 sink(f3); // Safe
-                sink(source); // $ MISSING: hasTaintFlow
+                sink(source); // $ hasTaintFlow
             }
         }
         {
@@ -550,7 +550,7 @@ public void fileConstructorSanitizer() throws Exception {
             if (source.lastIndexOf("..") == -1) {
                 File f2 = new File(f1, source);
                 sink(f2); // Safe
-                sink(source); // $ MISSING: hasTaintFlow
+                sink(source); // $ hasTaintFlow
             } else {
                 File f3 = new File(f1, source);
                 sink(f3); // $ hasTaintFlow
@@ -564,7 +564,7 @@ public void fileConstructorSanitizer() throws Exception {
             fileConstructorValidation(source);
             File f2 = new File(f1, source);
             sink(f2); // Safe
-            sink(source); // $ MISSING: hasTaintFlow
+            sink(source); // $ hasTaintFlow
         }
         {
             String source = (String) source();
@@ -575,7 +575,7 @@ public void fileConstructorSanitizer() throws Exception {
             } else {
                 File f2 = new File(f1, source);
                 sink(f2); // Safe
-                sink(source); // $ MISSING: hasTaintFlow
+                sink(source); // $ hasTaintFlow
             }
         }
         // PathNormalizeSanitizer
@@ -586,7 +586,7 @@ public void fileConstructorSanitizer() throws Exception {
             File f2 = new File(f1, normalized);
             sink(f2); // Safe
             sink(source); // $ hasTaintFlow
-            sink(normalized); // $ MISSING: hasTaintFlow
+            sink(normalized); // $ hasTaintFlow
         }
         {
             File source = (File) source();
@@ -595,7 +595,7 @@ public void fileConstructorSanitizer() throws Exception {
             File f2 = new File(f1, normalized);
             sink(f2); // Safe
             sink(source); // $ hasTaintFlow
-            sink(normalized); // $ MISSING: hasTaintFlow
+            sink(normalized); // $ hasTaintFlow
         }
         {
             String source = (String) source();
@@ -604,7 +604,7 @@ public void fileConstructorSanitizer() throws Exception {
             File f2 = new File(f1, normalized);
             sink(f2); // Safe
             sink(source); // $ hasTaintFlow
-            sink(normalized); // $ MISSING: hasTaintFlow
+            sink(normalized); // $ hasTaintFlow
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -388,7 +388,7 @@ private class FileConstructorSanitizer extends PathInjectionSanitizer {`
`388`	`388`	`arg = ValidationMethod<pathTraversalGuard/3>::getAValidatedNode().asExpr() or`
`389`	`389`	`TaintTracking::localExprTaint(any(PathNormalizeSanitizer p), arg)`
`390`	`390`	`) and`
`391`		`- this.asExpr() = arg`
	`391`	`+ this.asExpr() = constrCall`
`392`	`392`	`)`
`393`	`393`	`}`
`394`	`394`	`}`