Centralize and model additional path creations.

Author: intrigus

java/ql/src/Security/CWE/CWE-022/PathsCommon.qll

@@ -14,7 +14,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import PathsCommon
+import semmle.code.java.security.PathCreation
 import DataFlow::PathGraph
 
 class ContainsDotDotSanitizer extends DataFlow::BarrierGuard {

java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -14,7 +14,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import PathsCommon
+import semmle.code.java.security.PathCreation
 import DataFlow::PathGraph
 
 class TaintedPathLocalConfig extends TaintTracking::Configuration {

java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql

@@ -0,0 +1,165 @@
+/**
+ * Models the different ways to create paths. Either by using `java.io.File`-related APIs or `java.nio.file.Path`-related APIs.
+ */
+
+import java
+import semmle.code.java.controlflow.Guards
+
+/** Models the creation of a path. */
+abstract class PathCreation extends Expr {
+  /** Gets an input that is used in the creation of this path. */
+  abstract Expr getInput();
+}
+
+/** Models the `java.nio.file.Paths.get` method. */
+class PathsGet extends PathCreation, MethodAccess {
+  PathsGet() {
+    exists(Method m | m = this.getMethod() |
+      m.getDeclaringType() instanceof TypePaths and
+      m.getName() = "get"
+    )
+  }
+
+  override Expr getInput() { result = this.getAnArgument() }
+}
+
+/** Models the `java.nio.file.FileSystem.getPath` method. */
+class FileSystemGetPath extends PathCreation, MethodAccess {
+  FileSystemGetPath() {
+    exists(Method m | m = this.getMethod() |
+      m.getDeclaringType() instanceof TypeFileSystem and
+      m.getName() = "getPath"
+    )
+  }
+
+  override Expr getInput() { result = this.getAnArgument() }
+}
+
+/** Models the `new java.io.File(...)` constructor. */
+class FileCreation extends PathCreation, ClassInstanceExpr {
+  FileCreation() { this.getConstructedType() instanceof TypeFile }
+
+  override Expr getInput() {
+    result = this.getAnArgument() and
+    // Relevant arguments include those that are not a `File`.
+    not result.getType() instanceof TypeFile
+  }
+}
+
+/** Models the `java.nio.file.Path.resolveSibling` method. */
+class PathResolveSiblingCreation extends PathCreation, MethodAccess {
+  PathResolveSiblingCreation() {
+    exists(Method m | m = this.getMethod() |
+      m.getDeclaringType() instanceof TypePath and
+      m.getName() = "resolveSibling"
+    )
+  }
+
+  override Expr getInput() {
+    result = this.getAnArgument() and
+    // Relevant arguments are those of type `String`.
+    result.getType() instanceof TypeString
+  }
+}
+
+/** Models the `java.nio.file.Path.resolve` method. */
+class PathResolveCreation extends PathCreation, MethodAccess {
+  PathResolveCreation() {
+    exists(Method m | m = this.getMethod() |
+      m.getDeclaringType() instanceof TypePath and
+      m.getName() = "resolve"
+    )
+  }
+
+  override Expr getInput() {
+    result = this.getAnArgument() and
+    // Relevant arguments are those of type `String`.
+    result.getType() instanceof TypeString
+  }
+}
+
+/** Models the `java.nio.file.Path.of` method. */
+class PathOfCreation extends PathCreation, MethodAccess {
+  PathOfCreation() {
+    exists(Method m | m = this.getMethod() |
+      m.getDeclaringType() instanceof TypePath and
+      m.getName() = "of"
+    )
+  }
+
+  override Expr getInput() { result = this.getAnArgument() }
+}
+
+/** Models the `new java.io.FileWriter(...)` constructor. */
+class FileWriterCreation extends PathCreation, ClassInstanceExpr {
+  FileWriterCreation() { this.getConstructedType().hasQualifiedName("java.io", "FileWriter") }
+
+  override Expr getInput() {
+    result = this.getAnArgument() and
+    // Relevant arguments are those of type `String`.
+    result.getType() instanceof TypeString
+  }
+}
+
+/** Models the `new java.io.FileReader(...)` constructor. */
+class FileReaderCreation extends PathCreation, ClassInstanceExpr {
+  FileReaderCreation() { this.getConstructedType().hasQualifiedName("java.io", "FileReader") }
+
+  override Expr getInput() {
+    result = this.getAnArgument() and
+    // Relevant arguments are those of type `String`.
+    result.getType() instanceof TypeString
+  }
+}
+
+/** Models the `new java.io.FileInputStream(...)` constructor. */
+class FileInputStreamCreation extends PathCreation, ClassInstanceExpr {
+  FileInputStreamCreation() {
+    this.getConstructedType().hasQualifiedName("java.io", "FileInputStream")
+  }
+
+  override Expr getInput() {
+    result = this.getAnArgument() and
+    // Relevant arguments are those of type `String`.
+    result.getType() instanceof TypeString
+  }
+}
+
+/** Models the `new java.io.FileOutputStream(...)` constructor. */
+class FileOutputStreamCreation extends PathCreation, ClassInstanceExpr {
+  FileOutputStreamCreation() {
+    this.getConstructedType().hasQualifiedName("java.io", "FileOutputStream")
+  }
+
+  override Expr getInput() {
+    result = this.getAnArgument() and
+    // Relevant arguments are those of type `String`.
+    result.getType() instanceof TypeString
+  }
+}
+
+private predicate inWeakCheck(Expr e) {
+  // None of these are sufficient to guarantee that a string is safe.
+  exists(MethodAccess m, Method def | m.getQualifier() = e and m.getMethod() = def |
+    def.getName() = "startsWith" or
+    def.getName() = "endsWith" or
+    def.getName() = "isEmpty" or
+    def.getName() = "equals"
+  )
+  or
+  // Checking against `null` has no bearing on path traversal.
+  exists(EqualityTest b | b.getAnOperand() = e | b.getAnOperand() instanceof NullLiteral)
+}
+
+// Ignore cases where the variable has been checked somehow,
+// but allow some particularly obviously bad cases.
+predicate guarded(VarAccess e) {
+  exists(PathCreation p | e = p.getInput()) and
+  exists(ConditionBlock cb, Expr c |
+    cb.getCondition().getAChildExpr*() = c and
+    c = e.getVariable().getAnAccess() and
+    cb.controls(e.getBasicBlock(), true) and
+    // Disallow a few obviously bad checks.
+    not inWeakCheck(c)
+  )
+}

java/ql/src/semmle/code/java/security/PathCreation.qll

@@ -0,0 +1,21 @@
+| PathCreation.java:13:18:13:32 | new File(...) |
+| PathCreation.java:14:19:14:40 | new File(...) |
+| PathCreation.java:18:18:18:49 | new File(...) |
+| PathCreation.java:18:27:18:41 | new File(...) |
+| PathCreation.java:22:18:22:41 | new File(...) |
+| PathCreation.java:26:18:26:31 | of(...) |
+| PathCreation.java:27:19:27:39 | of(...) |
+| PathCreation.java:31:18:31:40 | of(...) |
+| PathCreation.java:35:18:35:33 | get(...) |
+| PathCreation.java:36:19:36:41 | get(...) |
+| PathCreation.java:40:18:40:42 | get(...) |
+| PathCreation.java:44:18:44:56 | getPath(...) |
+| PathCreation.java:45:19:45:64 | getPath(...) |
+| PathCreation.java:49:18:49:31 | of(...) |
+| PathCreation.java:49:18:49:53 | resolveSibling(...) |
+| PathCreation.java:53:18:53:31 | of(...) |
+| PathCreation.java:53:18:53:46 | resolve(...) |
+| PathCreation.java:57:25:57:45 | new FileWriter(...) |
+| PathCreation.java:61:25:61:45 | new FileReader(...) |
+| PathCreation.java:65:32:65:58 | new FileOutputStream(...) |
+| PathCreation.java:69:31:69:56 | new FileInputStream(...) |

java/ql/test/library-tests/pathcreation/PathCreation.expected

@@ -0,0 +1,71 @@
+import java.io.File;
+import java.io.FileWriter;
+import java.io.FileReader;
+import java.io.FileOutputStream;
+import java.io.FileInputStream;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.FileSystems;
+import java.net.URI;
+
+class PathCreation {
+    public void testNewFileWithString() {
+        File f = new File("dir");
+        File f2 = new File("dir", "sub");
+    }
+
+    public void testNewFileWithFileString() {
+        File f = new File(new File("dir"), "sub");
+    }
+
+    public void testNewFileWithURI() {
+        File f = new File(new URI("dir"));
+    }
+
+    public void testPathOfWithString() {
+        Path p = Path.of("dir");
+        Path p2 = Path.of("dir", "sub");
+    }
+
+    public void testPathOfWithURI() {
+        Path p = Path.of(new URI("dir"));
+    }
+
+    public void testPathsGetWithString() {
+        Path p = Paths.get("dir");
+        Path p2 = Paths.get("dir", "sub");
+    }
+
+    public void testPathsGetWithURI() {
+        Path p = Paths.get(new URI("dir"));
+    }
+
+    public void testFileSystemGetPathWithString() {
+        Path p = FileSystems.getDefault().getPath("dir");
+        Path p2 = FileSystems.getDefault().getPath("dir", "sub");
+    }
+
+    public void testPathResolveSiblingWithString() {
+        Path p = Path.of("dir").resolveSibling("sub");
+    }
+
+    public void testPathResolveWithString() {
+        Path p = Path.of("dir").resolve("sub");
+    }
+
+    public void testNewFileWriterWithString() {
+        FileWriter fw = new FileWriter("dir");
+    }
+
+    public void testNewFileReaderWithString() {
+        FileReader fr = new FileReader("dir");
+    }
+
+    public void testNewFileOutputStreamWithString() {
+        FileOutputStream fos = new FileOutputStream("dir");
+    }
+
+    public void testNewFileInputStreamWithString() {
+        FileInputStream fis = new FileInputStream("dir");
+    }
+}

java/ql/test/library-tests/pathcreation/PathCreation.java

@@ -0,0 +1,5 @@
+import java
+import semmle.code.java.security.PathCreation
+
+from PathCreation path
+select path