Skip to content

Commit e28f1ff

Browse files
atorralbaatorralba
authored
Merge pull request github#11346 from atorralba/atorralba/java/fix-path-models
Java: Fix a couple of taint models for `java.nio.file.Path(s)`
2 parents 4f08000 + 5000a14 commit e28f1ff

File tree

3 files changed

+132
-11
lines changed

3 files changed

+132
-11
lines changed

java/ql/lib/change-notes/2022-11-21-paths-get-fix.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* Added a taint model for the method `java.nio.file.Path.getParent`.
5+
* Fixed a problem in the taint model for the method `java.nio.file.Paths.get`.

java/ql/lib/semmle/code/java/security/Files.qll

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -84,13 +84,15 @@ private class FileSummaryModels extends SummaryModelCsv {
8484
"java.io;File;true;toPath;;;Argument[-1];ReturnValue;taint;manual",
8585
"java.io;File;true;toString;;;Argument[-1];ReturnValue;taint;manual",
8686
"java.io;File;true;toURI;;;Argument[-1];ReturnValue;taint;manual",
87+
"java.nio.file;Path;true;getParent;;;Argument[-1];ReturnValue;taint;manual",
8788
"java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint;manual",
8889
"java.nio.file;Path;true;resolve;;;Argument[-1..0];ReturnValue;taint;manual",
8990
"java.nio.file;Path;true;toAbsolutePath;;;Argument[-1];ReturnValue;taint;manual",
9091
"java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint;manual",
9192
"java.nio.file;Path;true;toString;;;Argument[-1];ReturnValue;taint;manual",
9293
"java.nio.file;Path;true;toUri;;;Argument[-1];ReturnValue;taint;manual",
93-
"java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual",
94+
"java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint;manual",
95+
"java.nio.file;Paths;true;get;;;Argument[1].ArrayElement;ReturnValue;taint;manual",
9496
"java.nio.file;FileSystem;true;getPath;;;Argument[0];ReturnValue;taint;manual",
9597
"java.nio.file;FileSystem;true;getRootDirectories;;;Argument[0];ReturnValue;taint;manual"
9698
]

java/ql/test/library-tests/paths/Test.java

Lines changed: 124 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@
22

33
import java.io.File;
44
import java.net.URI;
5+
import java.nio.file.FileSystem;
56
import java.nio.file.Path;
67
import java.nio.file.Paths;
78

@@ -13,6 +14,119 @@ void sink(Object o) { }
1314

1415
public void test() throws Exception {
1516

17+
{
18+
// "java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual"
19+
File out = null;
20+
File in = (File)source();
21+
out = new File(in, (String)null);
22+
sink(out); // $ hasTaintFlow
23+
}
24+
{
25+
// "java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual"
26+
File out = null;
27+
String in = (String)source();
28+
out = new File(in);
29+
sink(out); // $ hasTaintFlow
30+
}
31+
{
32+
// "java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual"
33+
File out = null;
34+
String in = (String)source();
35+
out = new File(in, (String)null);
36+
sink(out); // $ hasTaintFlow
37+
}
38+
{
39+
// "java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual"
40+
File out = null;
41+
URI in = (URI)source();
42+
out = new File(in);
43+
sink(out); // $ hasTaintFlow
44+
}
45+
{
46+
// "java.io;File;false;File;;;Argument[1];Argument[-1];taint;manual"
47+
File out = null;
48+
String in = (String)source();
49+
out = new File((File)null, in);
50+
sink(out); // $ hasTaintFlow
51+
}
52+
{
53+
// "java.io;File;false;File;;;Argument[1];Argument[-1];taint;manual"
54+
File out = null;
55+
String in = (String)source();
56+
out = new File((String)null, in);
57+
sink(out); // $ hasTaintFlow
58+
}
59+
{
60+
// "java.io;File;true;getAbsoluteFile;;;Argument[-1];ReturnValue;taint;manual"
61+
File out = null;
62+
File in = (File)source();
63+
out = in.getAbsoluteFile();
64+
sink(out); // $ hasTaintFlow
65+
}
66+
{
67+
// "java.io;File;true;getAbsolutePath;;;Argument[-1];ReturnValue;taint;manual"
68+
String out = null;
69+
File in = (File)source();
70+
out = in.getAbsolutePath();
71+
sink(out); // $ hasTaintFlow
72+
}
73+
{
74+
// "java.io;File;true;getCanonicalFile;;;Argument[-1];ReturnValue;taint;manual"
75+
File out = null;
76+
File in = (File)source();
77+
out = in.getCanonicalFile();
78+
sink(out); // $ hasTaintFlow
79+
}
80+
{
81+
// "java.io;File;true;getCanonicalPath;;;Argument[-1];ReturnValue;taint;manual"
82+
String out = null;
83+
File in = (File)source();
84+
out = in.getCanonicalPath();
85+
sink(out); // $ hasTaintFlow
86+
}
87+
{
88+
// "java.io;File;true;toPath;;;Argument[-1];ReturnValue;taint;manual"
89+
Path out = null;
90+
File in = (File)source();
91+
out = in.toPath();
92+
sink(out); // $ hasTaintFlow
93+
}
94+
{
95+
// "java.io;File;true;toString;;;Argument[-1];ReturnValue;taint;manual"
96+
String out = null;
97+
File in = (File)source();
98+
out = in.toString();
99+
sink(out); // $ hasTaintFlow
100+
}
101+
{
102+
// "java.io;File;true;toURI;;;Argument[-1];ReturnValue;taint;manual"
103+
URI out = null;
104+
File in = (File)source();
105+
out = in.toURI();
106+
sink(out); // $ hasTaintFlow
107+
}
108+
{
109+
// "java.nio.file;FileSystem;true;getPath;;;Argument[0];ReturnValue;taint;manual"
110+
Path out = null;
111+
String in = (String)source();
112+
FileSystem instance = null;
113+
out = instance.getPath(in, (String[])null);
114+
sink(out); // $ hasTaintFlow
115+
}
116+
{
117+
// "java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint;manual"
118+
File out = null;
119+
Path in = (Path)source();
120+
out = in.toFile();
121+
sink(out); // $ hasTaintFlow
122+
}
123+
{
124+
// "java.nio.file;Path;true;getParent;;;Argument[-1];ReturnValue;taint;manual"
125+
Path out = null;
126+
Path in = (Path)source();
127+
out = in.getParent();
128+
sink(out); // $ hasTaintFlow
129+
}
16130
{
17131
// "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint;manual"
18132
Path out = null;
@@ -51,10 +165,10 @@ public void test() throws Exception {
51165
sink(out); // $ hasTaintFlow
52166
}
53167
{
54-
// "java.nio.file;Path;true;toFile;;;Argument[-1];ReturnValue;taint;manual"
55-
File out = null;
168+
// "java.nio.file;Path;true;toAbsolutePath;;;Argument[-1];ReturnValue;taint;manual"
169+
Path out = null;
56170
Path in = (Path)source();
57-
out = in.toFile();
171+
out = in.toAbsolutePath();
58172
sink(out); // $ hasTaintFlow
59173
}
60174
{
@@ -72,24 +186,24 @@ public void test() throws Exception {
72186
sink(out); // $ hasTaintFlow
73187
}
74188
{
75-
// "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual"
189+
// "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint;manual"
76190
Path out = null;
77191
String in = (String)source();
78192
out = Paths.get(in, (String[])null);
79193
sink(out); // $ hasTaintFlow
80194
}
81195
{
82-
// "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual"
196+
// "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint;manual"
83197
Path out = null;
84-
String[] in = (String[])source();
85-
out = Paths.get((String)null, in);
198+
URI in = (URI)source();
199+
out = Paths.get(in);
86200
sink(out); // $ hasTaintFlow
87201
}
88202
{
89-
// "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual"
203+
// "java.nio.file;Paths;true;get;;;Argument[1].ArrayElement;ReturnValue;taint;manual"
90204
Path out = null;
91-
URI in = (URI)source();
92-
out = Paths.get(in);
205+
String[] in = (String[])new String[]{(String)source()};
206+
out = Paths.get((String)null, in);
93207
sink(out); // $ hasTaintFlow
94208
}
95209

0 commit comments

Comments
 (0)