From 0c70be145f366446fc593b1617268b4bd9728693 Mon Sep 17 00:00:00 2001
From: Daniel Beck
Date: Sat, 10 Oct 2020 20:29:01 +0200
Subject: [PATCH] Track taint through java.io.File constructor and #toURI; URI#toURL

---
 .../code/java/dataflow/internal/TaintTrackingUtil.qll | 11 +++++++++++
 java/ql/test/library-tests/dataflow/taint/B.java | 3 +++
 .../test/library-tests/dataflow/taint/test.expected | 1 +
 3 files changed, 15 insertions(+)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 93b5f85c384a..8818dc37b1a6 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -234,6 +234,11 @@ private predicate constructorStep(Expr tracked, ConstructorCall sink) {
 or
 //a URI constructed from a tainted string is tainted.
 s = "java.net.URI" and argi = 0 and sink.getNumArgument() = 1
+ or
+ //a File constructed from a tainted string is tainted.
+ s = "java.io.File" and argi = 0
+ or
+ s = "java.io.File" and argi = 1
 )
 or
 exists(RefType t | t.getQualifiedName() = "java.lang.Number" |
@@ -372,6 +377,12 @@ private predicate taintPreservingQualifierToMethod(Method m) {
 m.getDeclaringType().hasQualifiedName("java.nio", "ByteBuffer") and m.hasName("get")
 or
+ m.getDeclaringType().hasQualifiedName("java.io", "File") and
+ m.hasName("toURI")
+ or
+ m.getDeclaringType().hasQualifiedName("java.net", "URI") and
+ m.hasName("toURL")
+ or
 m = any(GuiceProvider gp).getAnOverridingGetMethod()
 or
 m = any(ProtobufMessageLite p).getAGetterMethod()
diff --git a/java/ql/test/library-tests/dataflow/taint/B.java b/java/ql/test/library-tests/dataflow/taint/B.java
index a5b4c41c8a74..1bef2f12a459 100644
--- a/java/ql/test/library-tests/dataflow/taint/B.java
+++ b/java/ql/test/library-tests/dataflow/taint/B.java
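Review bot: The comment on the new `java.io.File` disjuncts describes only the String case, but `argi = 0` carries no argument-count restriction (unlike the `sink.getNumArgument() = 1` guard on the URI line above it), so it also matches the first argument of `File(File parent, String child)` and `File(URI uri)`, and `argi = 1` matches the child argument of the two-argument constructors. That is the right coverage for a path-carrying type, so the comment should say so instead of leaving a reader to wonder whether the missing count guard is an oversight: `//a File constructed from a tainted path, parent File, child name or URI is tainted (every File constructor).` The body of constructorStep continues outside the hunk.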
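Review bot: Only `toURI` is added as a taint-preserving qualifier step on `java.io.File`, so a value that becomes a File through the new constructor step and is read back with `getPath()`, `getAbsolutePath()`, `getCanonicalPath()`, `getName()`, `getParentFile()` or `toPath()` gets no step from this predicate, while the same data through `toURI().toURL()` does. Unless those accessors are covered by another rule elsewhere in the file, they belong in this disjunction in the same `m.getDeclaringType().hasQualifiedName("java.io", "File") and m.hasName(...)` shape as the new entries; if they are covered elsewhere, a one-line comment pointing there would save the next reader the search. The enclosing predicate taintPreservingQualifierToMethod starts and ends outside the hunk.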
@@ -129,6 +129,9 @@ public static void maintest() {
 String[][][] taintedArray3 = new String[][][] { { { s } } };
 sink(taintedArray3);
+ // Tainted file path and URI
+ sink(new java.io.File(s).toURI().toURL());
+ return;
 }
diff --git a/java/ql/test/library-tests/dataflow/taint/test.expected b/java/ql/test/library-tests/dataflow/taint/test.expected
index 0bb70838d08b..2b47ef74a8cd 100644
--- a/java/ql/test/library-tests/dataflow/taint/test.expected
+++ b/java/ql/test/library-tests/dataflow/taint/test.expected
@@ -33,6 +33,7 @@
 | B.java:15:21:15:27 | taint(...) | B.java:126:10:126:21 | taintedArray |
 | B.java:15:21:15:27 | taint(...) | B.java:128:10:128:22 | taintedArray2 |
 | B.java:15:21:15:27 | taint(...) | B.java:130:10:130:22 | taintedArray3 |
+| B.java:15:21:15:27 | taint(...) | B.java:133:10:133:44 | toURL(...) |
 | MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |
 | MethodFlow.java:9:31:9:37 | taint(...) | MethodFlow.java:10:10:10:17 | tainted2 |
 | MethodFlow.java:11:35:11:41 | taint(...) | MethodFlow.java:12:10:12:17 | tainted3 |
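Review bot: The new test exercises only the single-argument `File(String)` constructor, so the `argi = 1` step added to constructorStep in TaintTrackingUtil.qll is not covered by this hunk or by the one new row in test.expected; adding `sink(new java.io.File("dir", s));` (and its expected row) would pin that branch as well. Separately, `URI.toURL()` throws the checked `MalformedURLException`, and the hunk header shows the enclosing method as `public static void maintest() {` with no `throws` clause, so if this test source is compiled normally the new `sink(new java.io.File(s).toURI().toURL());` line needs the exception declared or caught — confirm whether the test harness tolerates this before relying on the expected output. The rest of maintest() is outside the hunk.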