Fix partial path traversal Java example Again

JLLeitschuh · JLLeitschuh · commit 0d774a647ca4 · 2023-03-31T23:36:07.000-04:00
The original wouldn't compile, and the fix made by github#11899 is sub-optimal. This keeps the entire comparision using the Java `Path` object, which is optimal. Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java
@@ -225,6 +225,12 @@ void foo24(File dir, File parent) throws IOException {
         }
     }
 
+    public void doesNotFlagOptimalSafeVersion(File dir, File parent) throws IOException {
+        if (!dir.toPath().normalize().startsWith(parent.toPath())) { // Safe
+            throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
+        }
+    }
+
     public void doesNotFlag() {
         "hello".startsWith("goodbye");
     }

Original file line number	Diff line number	Diff line change
`@@ -225,6 +225,12 @@ void foo24(File dir, File parent) throws IOException {`
`225`	`225`	`}`
`226`	`226`	`}`
`227`	`227`
	`228`	`+ public void doesNotFlagOptimalSafeVersion(File dir, File parent) throws IOException {`
	`229`	`+ if (!dir.toPath().normalize().startsWith(parent.toPath())) { // Safe`
	`230`	`+ throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());`
	`231`	`+ }`
	`232`	`+ }`
	`233`	`+`
`228`	`234`	`public void doesNotFlag() {`
`229`	`235`	`"hello".startsWith("goodbye");`
`230`	`236`	`}`