File tree Expand file tree Collapse file tree 1 file changed +34
-0
lines changed
csharp/ql/lib/semmle/code/csharp/security/dataflow Expand file tree Collapse file tree 1 file changed +34
-0
lines changed Original file line number Diff line number Diff line change @@ -52,6 +52,40 @@ private class GetFullPathStep extends PathNormalizationStep {
5252 }
5353}
5454
55+ /** Holds if `e` may evaluate to an absolute path. */
56+ bindingset [ e]
57+ pragma [ inline_late]
58+ private predicate isAbsolute ( Expr e ) {
59+ exists ( Expr absolute | DataFlow:: localExprFlow ( absolute , e ) |
60+ exists ( Call call | absolute = call |
61+ call .getARuntimeTarget ( )
62+ .hasFullyQualifiedName ( [ "System.Web.HttpServerUtilityBase" , "System.Web.HttpRequest" ] ,
63+ "MapPath" )
64+ or
65+ call .getARuntimeTarget ( ) .hasFullyQualifiedName ( "System.IO.Path" , "GetFullPath" )
66+ or
67+ call .getARuntimeTarget ( ) .hasFullyQualifiedName ( "System.IO.Directory" , "GetCurrentDirectory" )
68+ )
69+ or
70+ exists ( PropertyRead read | absolute = read |
71+ read .getTarget ( ) .hasFullyQualifiedName ( "System" , "Environment" , "CurrentDirectory" )
72+ )
73+ )
74+ }
75+
76+ private class PathCombineStep extends PathNormalizationStep {
77+ override predicate isAdditionalFlowStep ( DataFlow:: Node n1 , DataFlow:: Node n2 ) {
78+ exists ( Call call |
79+ // The result of `Path.Combine(x, y)` is an absolute path when `x` is an
80+ // absolute path.
81+ call .getARuntimeTarget ( ) .hasFullyQualifiedName ( "System.IO.Path" , "Combine" ) and
82+ isAbsolute ( call .getArgument ( 0 ) ) and
83+ n1 .asExpr ( ) = call .getArgument ( 1 ) and
84+ n2 .asExpr ( ) = call
85+ )
86+ }
87+ }
88+
5589/**
5690 * A taint-tracking configuration for uncontrolled data in path expression vulnerabilities.
5791 */
You can’t perform that action at this time.
0 commit comments