Java: Add TaintedPath test.

aschackmull · aschackmull · commit daad62c4e0d9 · 2021-04-19T10:07:03.000+02:00
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
@@ -2,12 +2,19 @@ edges
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp |
+| Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp |
+| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:81:67:81:81 | ... + ... |
 nodes
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
 | Test.java:27:21:27:24 | temp | semmle.label | temp |
 | Test.java:30:44:30:47 | temp | semmle.label | temp |
+| Test.java:34:21:34:24 | temp | semmle.label | temp |
+| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| Test.java:81:67:81:81 | ... + ... | semmle.label | ... + ... |
 #select
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:27:11:27:25 | get(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:30:11:30:48 | getPath(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
+| Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
+| Test.java:81:52:81:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:81:67:81:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
@@ -3,10 +3,10 @@
 package test.cwe22.semmle.tests;
 
 
+import javax.servlet.http.*;
+import javax.servlet.ServletException;
 
-
-import java.io.IOException;
-import java.io.File;
+import java.io.*;
 import java.net.InetAddress;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -28,6 +28,11 @@ void doGet1(InetAddress address)
 					
 			// BAD: construct a path with user input
 			path = FileSystems.getDefault().getPath(temp);
+
+			// BAD: insufficient check
+			if (temp.startsWith("/some_safe_dir/")) {
+				file = new File(temp);
+			}
 	}
 	
 	void doGet2(InetAddress address)
@@ -68,4 +73,12 @@ boolean isSortOfSafe(String pathSpec) {
 			return false;
 		return true;
 	}
+
+    public class MyServlet extends HttpServlet {
+        public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+            BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
+            String filename = br.readLine();
+            BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true));
+        }
+    }
 }
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/options b/java/ql/test/query-tests/security/CWE-022/semmle/tests/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4`