Merge pull request #15622 from atorralba/atorralba/java/path-sanitizer-equals

Java: Expand ExactPathSanitizer to work on the argument of 'equals' too

Author: atorralba

java/ql/lib/semmle/code/java/security/PathSanitizer.qll

@@ -56,7 +56,7 @@ private predicate exactPathMatchGuard(Guard g, Expr e, boolean branch) {
     t instanceof StringsKt or
     t instanceof FilesKt
   |
-    e = getVisualQualifier(ma).getUnderlyingExpr() and
+    e = [getVisualQualifier(ma).getUnderlyingExpr(), getVisualArgument(ma, 0)] and
     ma.getMethod().getDeclaringType() = t and
     ma = g and
     getSourceMethod(ma.getMethod()).hasName(["equals", "equalsIgnoreCase"]) and

java/ql/src/change-notes/2024-02-15-path-sanitizer-equals.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The sanitizer for the path injection queries has been improved to handle more cases where `equals` is used to check an exact path match.

java/ql/test/library-tests/pathsanitizer/Test.java

@@ -25,6 +25,13 @@ public void exactPathMatchGuard() throws Exception {
             else
                 sink(source); // $ hasTaintFlow
         }
+        {
+            String source = (String) source();
+            if ("/safe/path".equals(source))
+                sink(source); // Safe
+            else
+                sink(source); // $ hasTaintFlow
+        }
         {
             URI source = (URI) source();
             if (source.equals(new URI("http://safe/uri")))

java/ql/test/library-tests/pathsanitizer/TestKt.kt

@@ -25,6 +25,13 @@ class TestKt {
             else
                 sink(source) // $ hasTaintFlow
         }
+        run {
+            val source = source() as String?
+            if ("/safe/path".equals(source))
+                sink(source) // Safe
+            else
+                sink(source) // $ hasTaintFlow
+        }
         run {
             val source = source() as URI?
             if (source!!.equals(URI("http://safe/uri")))