Merge remote-tracking branch 'origin/main' into dbartol/provenance/qltest

Author: Dave Bartolomeo

java/ql/lib/ext/experimental/java.nio.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.nio.file","FileSystems",true,"getFileSystem","(URI)","","Argument[0]","path-injection","manual"]
+      - ["java.nio.channels","AsynchronousFileChannel",true,"open","(Path,OpenOption[])","","Argument[0]","path-injection","manual"]
+      - ["java.nio.channels","AsynchronousFileChannel",true,"open","(Path,Set,ExecutorService,FileAttribute[])","","Argument[0]","path-injection","manual"]

java/ql/lib/ext/experimental/java.util.zip.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.util.zip","ZipFile",true,"ZipFile","(String)","","Argument[0]","path-injection","manual"]

java/ql/lib/ext/experimental/s3-transfer-manager.model.yml

@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileUpload",true,"serializeToFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","DownloadFileRequest$Builder",true,"destination","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","UploadFileRequest$Builder",true,"source","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","DownloadDirectoryRequest$Builder",true,"destination","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileDownload",true,"fromFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileDownload",true,"serializeToFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","ResumableFileUpload",true,"fromFile","(Path)","","Argument[0]","path-injection","manual"]
+      - ["software.amazon.awssdk.transfer.s3.model","UploadDirectoryRequest$Builder",true,"source","(Path)","","Argument[0]","path-injection","manual"]

java/ql/lib/ext/experimental/spring-core.model.yml

@@ -0,0 +1,26 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(FileSystem,String)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(File)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileSystemResource",true,"FileSystemResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileUrlResource",true,"FileUrlResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","FileUrlResource",true,"FileUrlResource","(URL)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","PathResource",true,"PathResource","(Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","PathResource",true,"PathResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","PathResource",true,"PathResource","(URI)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(String,String,String)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(String,String)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(URI)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.core.io","UrlResource",true,"UrlResource","(URL)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(Path,Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(Path,Path)","","Argument[1]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"deleteRecursively","(File)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"deleteRecursively","(Path)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","ResourceUtils",true,"getFile","(String)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileCopyUtils",true,"copyToByteArray","(File)","","Argument[0]","path-injection","manual"]
+      - ["org.springframework.util","FileSystemUtils",true,"copyRecursively","(File,File)","","Argument[0]","path-injection","manual"]

java/ql/lib/ext/experimental/zip4j.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["net.lingala.zip4j","ZipFile",true,"extractAll","(String)","","Argument[0]","path-injection","manual"]
+      - ["net.lingala.zip4j","ZipFile",true,"ZipFile","(String)","","Argument[0]","path-injection","manual"]

java/ql/test/experimental/query-tests/security/CWE-022/AmazonS3.java

@@ -0,0 +1,131 @@
+import software.amazon.awssdk.transfer.s3.S3TransferManager;
+import software.amazon.awssdk.transfer.s3.model.UploadFileRequest;
+import software.amazon.awssdk.transfer.s3.model.FileUpload;
+import software.amazon.awssdk.transfer.s3.model.FileDownload;
+import software.amazon.awssdk.transfer.s3.model.DirectoryUpload;
+import software.amazon.awssdk.transfer.s3.model.CompletedDirectoryUpload;
+import software.amazon.awssdk.transfer.s3.model.DirectoryDownload;
+import software.amazon.awssdk.transfer.s3.model.CompletedDirectoryDownload;
+import software.amazon.awssdk.transfer.s3.model.DownloadDirectoryRequest;
+import software.amazon.awssdk.transfer.s3.model.DownloadFileRequest;
+import software.amazon.awssdk.transfer.s3.model.ResumableFileUpload;
+import software.amazon.awssdk.transfer.s3.model.UploadDirectoryRequest;
+import software.amazon.awssdk.transfer.s3.model.ResumableFileDownload;
+import software.amazon.awssdk.transfer.s3.model.CompletedFileUpload;
+import software.amazon.awssdk.transfer.s3.model.CompletedFileDownload;
+import software.amazon.awssdk.transfer.s3.progress.LoggingTransferListener;
+
+import java.net.URI;
+import java.nio.file.Paths;
+
+public class AmazonS3 {
+  S3TransferManager transferManager = S3TransferManager.create();
+  String bucketName = "bucketTest";
+  String key = "keyTest";
+
+  public String uploadFile(URI filePathURI) {
+    UploadFileRequest uploadFileRequest =
+        UploadFileRequest.builder()
+            .putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
+            .addTransferListener(LoggingTransferListener.create())
+            .source(Paths.get(filePathURI)) // $ hasTaintFlow="get(...)"
+            .build();
+
+    FileUpload fileUpload = this.transferManager.uploadFile(uploadFileRequest);
+
+    CompletedFileUpload uploadResult = fileUpload.completionFuture().join();
+    return uploadResult.response().eTag();
+  }
+
+  public String uploadFileResumable(URI filePathURI) {
+    UploadFileRequest uploadFileRequest =
+        UploadFileRequest.builder()
+            .putObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
+            .addTransferListener(LoggingTransferListener.create())
+            .source(Paths.get(filePathURI)) // $ hasTaintFlow="get(...)"
+            .build();
+
+    // Initiate the transfer
+    FileUpload upload = this.transferManager.uploadFile(uploadFileRequest);
+    // Pause the upload
+    ResumableFileUpload resumableFileUpload = upload.pause();
+    // Optionally, persist the resumableFileUpload
+    resumableFileUpload.serializeToFile(Paths.get(filePathURI)); // $ hasTaintFlow="get(...)"
+    // Retrieve the resumableFileUpload from the file
+    ResumableFileUpload persistedResumableFileUpload =
+        ResumableFileUpload.fromFile(Paths.get(filePathURI)); // $ hasTaintFlow="get(...)"
+    // Resume the upload
+    FileUpload resumedUpload = this.transferManager.resumeUploadFile(persistedResumableFileUpload);
+    // Wait for the transfer to complete
+    resumedUpload.completionFuture().join();
+    FileUpload fileUpload = this.transferManager.uploadFile(uploadFileRequest);
+    CompletedFileUpload uploadResult = fileUpload.completionFuture().join();
+    return uploadResult.response().eTag();
+  }
+
+  public String downloadFileResumable(URI downloadedFileWithPath) {
+    DownloadFileRequest downloadFileRequest =
+        DownloadFileRequest.builder()
+            .getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
+            .addTransferListener(LoggingTransferListener.create())
+            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow="get(...)"
+            .build();
+
+    // Initiate the transfer
+    FileDownload download = this.transferManager.downloadFile(downloadFileRequest);
+    // Pause the download
+    ResumableFileDownload resumableFileDownload = download.pause();
+    // Optionally, persist the resumableFileDownload
+    resumableFileDownload.serializeToFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow="get(...)"
+    // Retrieve the resumableFileDownload from the file
+    ResumableFileDownload persistedResumableFileDownload =
+        ResumableFileDownload.fromFile(Paths.get(downloadedFileWithPath)); // $ hasTaintFlow="get(...)"
+    // Resume the download
+    FileDownload resumedDownload =
+        this.transferManager.resumeDownloadFile(persistedResumableFileDownload);
+    // Wait for the transfer to complete
+    resumedDownload.completionFuture().join();
+    FileDownload filedownload = this.transferManager.downloadFile(downloadFileRequest);
+    CompletedFileDownload downloadResult = filedownload.completionFuture().join();
+    return downloadResult.response().eTag();
+  }
+
+  public Integer uploadDirectory(URI sourceDirectory) {
+    DirectoryUpload directoryUpload =
+        this.transferManager.uploadDirectory(
+            UploadDirectoryRequest.builder()
+                .source(Paths.get(sourceDirectory)) // $ hasTaintFlow="get(...)"
+                .bucket(this.bucketName)
+                .build());
+
+    CompletedDirectoryUpload completedDirectoryUpload = directoryUpload.completionFuture().join();
+    return completedDirectoryUpload.failedTransfers().size();
+  }
+
+  public Long downloadFile(String downloadedFileWithPath) {
+    DownloadFileRequest downloadFileRequest =
+        DownloadFileRequest.builder()
+            .getObjectRequest(b -> b.bucket(this.bucketName).key(this.key))
+            .addTransferListener(LoggingTransferListener.create())
+            .destination(Paths.get(downloadedFileWithPath)) // $ hasTaintFlow="get(...)"
+            .build();
+
+    FileDownload downloadFile = this.transferManager.downloadFile(downloadFileRequest);
+
+    CompletedFileDownload downloadResult = downloadFile.completionFuture().join();
+    return downloadResult.response().contentLength();
+  }
+
+  public Integer downloadObjectsToDirectory(URI destinationPathURI) {
+    DirectoryDownload directoryDownload =
+        this.transferManager.downloadDirectory(
+            DownloadDirectoryRequest.builder()
+                .destination(Paths.get(destinationPathURI)) // $ hasTaintFlow="get(...)"
+                .bucket(this.bucketName)
+                .build());
+    CompletedDirectoryDownload completedDirectoryDownload =
+        directoryDownload.completionFuture().join();
+
+    return completedDirectoryDownload.failedTransfers().size();
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-022/JavaNio.java

@@ -0,0 +1,39 @@
+import java.io.IOException;
+import java.io.File;
+import java.nio.channels.AsynchronousFileChannel;
+import java.nio.file.Path;
+import java.nio.file.LinkOption;
+import java.nio.file.FileSystems;
+import java.nio.file.attribute.FileAttribute;
+import java.util.Set;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
+public class JavaNio {
+  static class FileAttr implements FileAttribute<String> {
+    public String name() {
+      return "file";
+    }
+
+    public String value() {
+      return "value";
+    }
+  }
+
+  public void PathInjection(Path src, File srcF) throws IOException {
+    AsynchronousFileChannel.open(src); // $ hasTaintFlow="src"
+    AsynchronousFileChannel.open(src, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow="src"
+    AsynchronousFileChannel.open(
+        src, LinkOption.NOFOLLOW_LINKS, LinkOption.NOFOLLOW_LINKS); // $ hasTaintFlow="src"
+    ExecutorService executor = Executors.newFixedThreadPool(10);
+    AsynchronousFileChannel.open(
+        src, Set.of(LinkOption.NOFOLLOW_LINKS), executor); // $ hasTaintFlow="src"
+    AsynchronousFileChannel.open(
+        src, // $ hasTaintFlow="src"
+        Set.of(LinkOption.NOFOLLOW_LINKS),
+        executor,
+        new FileAttr());
+
+    FileSystems.getFileSystem(srcF.toURI()); // $ hasTaintFlow="toURI(...)"
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-022/Main.java

@@ -0,0 +1,35 @@
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
+import java.net.Socket;
+
+public class Main {
+  public void sendUserFileGood(Socket sock) throws IOException {
+    BufferedReader filenameReader =
+        new BufferedReader(new InputStreamReader(sock.getInputStream(), StandardCharsets.UTF_8));
+    String path = filenameReader.readLine();
+    Path src = Path.of(path);
+    File srcF = new File(path);
+
+    new JavaNio().PathInjection(src, srcF);
+
+    new SpringIo().PathInjection(path);
+
+    AmazonS3 s3PathInjection = new AmazonS3();
+    s3PathInjection.downloadFileResumable(src.toUri());
+    s3PathInjection.downloadFile(path);
+    s3PathInjection.downloadObjectsToDirectory(src.toUri());
+    s3PathInjection.uploadFileResumable(src.toUri());
+    s3PathInjection.uploadDirectory(src.toUri());
+    s3PathInjection.uploadFile(src.toUri());
+
+    Zip4j zip4jfile = new Zip4j();
+    zip4jfile.PathInjection(path);
+
+    ZipFile zipfile = new ZipFile();
+    zipfile.PathInjection(path);
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-022/PathInjection.iml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module version="4">
+  <component name="AdditionalModuleElements">
+    <content url="file://$MODULE_DIR$" dumb="true">
+      <sourceFolder url="file://$MODULE_DIR$" isTestSource="false" />
+    </content>
+  </component>
+</module>

java/ql/test/experimental/query-tests/security/CWE-022/SpringIo.java

@@ -0,0 +1,46 @@
+import java.io.File;
+import java.io.IOException;
+import java.net.URI;
+import java.nio.file.FileSystems;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import org.springframework.core.io.FileUrlResource;
+import org.springframework.core.io.FileSystemResource;
+import org.springframework.core.io.PathResource;
+import org.springframework.core.io.UrlResource;
+import org.springframework.util.FileCopyUtils;
+import org.springframework.util.FileSystemUtils;
+
+public class SpringIo {
+  public void PathInjection(String path) throws IOException {
+    Path fileStorageLocation = Paths.get(path).toAbsolutePath().normalize();
+    Path filePath = fileStorageLocation.resolve(path).normalize();
+    File pathFile = new File(path);
+
+    new UrlResource(filePath.toUri()); // $ hasTaintFlow="toUri(...)"
+    new UrlResource(filePath.toUri().toURL()); // $ hasTaintFlow="toURL(...)"
+    new UrlResource("file", path); // $ hasTaintFlow="path"
+    new UrlResource("file", path, "#"); // $ hasTaintFlow="path"
+    new UrlResource(path); // $ hasTaintFlow="path"
+
+    new PathResource(path); // $ hasTaintFlow="path"
+    new PathResource(filePath); // $ hasTaintFlow="filePath"
+    new PathResource(filePath.toUri()); // $ hasTaintFlow="toUri(...)"
+
+    new FileUrlResource(filePath.toUri().toURL()); // $ hasTaintFlow="toURL(...)"
+    new FileUrlResource(path); // $ hasTaintFlow="path"
+
+    new FileSystemResource(pathFile); // $ hasTaintFlow="pathFile"
+    new FileSystemResource(path); // $ hasTaintFlow="path"
+    new FileSystemResource(filePath); // $ hasTaintFlow="filePath"
+    new FileSystemResource(
+        FileSystems.getFileSystem(URI.create("file:///")), path); // $ hasTaintFlow="path"
+
+    FileSystemUtils.copyRecursively(filePath, filePath.resolve("/newPath")); // $ hasTaintFlow="filePath" hasTaintFlow="resolve(...)"
+    FileSystemUtils.copyRecursively(pathFile, pathFile); // $ hasTaintFlow="pathFile"
+    FileSystemUtils.deleteRecursively(pathFile); // $ hasTaintFlow="pathFile"
+    FileSystemUtils.deleteRecursively(filePath); // $ hasTaintFlow="filePath"
+    FileCopyUtils.copy(pathFile, pathFile); // $ hasTaintFlow="pathFile"
+    FileCopyUtils.copyToByteArray(pathFile); // $ hasTaintFlow="pathFile"
+  }
+}