Add additional example.

Max Schaefer · Max Schaefer · commit 947b09438727 · 2023-11-16T10:06:19.000Z
diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPath.qhelp b/java/ql/src/Security/CWE/CWE-022/TaintedPath.qhelp
@@ -46,6 +46,11 @@ not contain ".." and starts with the public folder.</p>
 
 <sample src="TaintedPathGood.java" />
 
+<p>Alternatively, if we only want to allow simple filenames without a path component, we can remove all path
+separators ("/" or "\") and all ".." sequences from the input before using it to construct a file path.</p>
+
+<sample src="TaintedPathGood2.java" />
+
 </example>
 <references>
 
diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPathGood2.java b/java/ql/src/Security/CWE/CWE-022/TaintedPathGood2.java
@@ -0,0 +1,13 @@
+public void sendUserFileGood(Socket sock, String user) {
+	BufferedReader filenameReader = new BufferedReader(
+			new InputStreamReader(sock.getInputStream(), "UTF-8"));
+	String filename = filenameReader.readLine();
+	// GOOD: remove all ".." sequences and path separators from the filename
+	filename = filename.replaceAll("\\.\\.|[/\\\\]", "");
+	BufferedReader fileReader = new BufferedReader(new FileReader(filename));
+	String fileLine = fileReader.readLine();
+	while(fileLine != null) {
+		sock.getOutputStream().write(fileLine.getBytes());
+		fileLine = fileReader.readLine();
+	}
+}
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
@@ -32,4 +32,17 @@ public void sendUserFileGood(Socket sock, String user) throws IOException {
             }
         }
     }
+
+    public void sendUserFileGood2(Socket sock, String user) throws IOException {
+        BufferedReader filenameReader = new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
+        String filename = filenameReader.readLine();
+        // GOOD: remove all ".." sequences and path separators from the filename
+        filename = filename.replaceAll("\\.\\.|[/\\\\]", "");
+        BufferedReader fileReader = new BufferedReader(new FileReader(filename));
+        String fileLine = fileReader.readLine();
+        while(fileLine != null) {
+            sock.getOutputStream().write(fileLine.getBytes());
+            fileLine = fileReader.readLine();
+        }
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -32,4 +32,17 @@ public void sendUserFileGood(Socket sock, String user) throws IOException {`
`32`	`32`	`}`
`33`	`33`	`}`
`34`	`34`	`}`
	`35`	`+`
	`36`	`+ public void sendUserFileGood2(Socket sock, String user) throws IOException {`
	`37`	`+ BufferedReader filenameReader = new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));`
	`38`	`+ String filename = filenameReader.readLine();`
	`39`	`+ // GOOD: remove all ".." sequences and path separators from the filename`
	`40`	`+ filename = filename.replaceAll("\\.\\.\|[/\\\\]", "");`
	`41`	`+ BufferedReader fileReader = new BufferedReader(new FileReader(filename));`
	`42`	`+ String fileLine = fileReader.readLine();`
	`43`	`+ while(fileLine != null) {`
	`44`	`+ sock.getOutputStream().write(fileLine.getBytes());`
	`45`	`+ fileLine = fileReader.readLine();`
	`46`	`+ }`
	`47`	`+ }`
`35`	`48`	`}`