
Commit 36f41a3

committed
Java: Fix performance issue, and add Path.resolve as taint step.
1 parent 4953e49 commit 36f41a3

1 file changed

Lines changed: 19 additions & 3 deletions


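--- a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+++ b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
@@ -81,11 +81,25 @@ predicate filePathStep(ExprNode n1, ExprNode n2) {
 )
 }
 
+predicate fileTaintStep(ExprNode n1, ExprNode n2) {
+exists(MethodAccess ma, Method m |
+n1.asExpr() = ma.getQualifier() or
+n1.asExpr() = ma.getAnArgument()
+|
+n2.asExpr() = ma and
+ma.getMethod() = m and
+m.getDeclaringType() instanceof TypePath and
+m.hasName("resolve")
+)
+}
+
 predicate localFileValueStep(Node n1, Node n2) {
 localFlowStep(n1, n2) or
 filePathStep(n1, n2)
 }
 
+predicate localFileValueStepPlus(Node n1, Node n2) = fastTC(localFileValueStep/2)(n1, n2)
+
 /**
 * Holds if `check` is a guard that checks whether `var` is a file path with a
 * specific prefix when put in canonical form, thus guarding against ZipSlip.
@@ -97,10 +111,10 @@ predicate validateFilePath(SsaVariable var, Guard check) {
 exists(MethodAccess normalize, MethodAccess startsWith, Node n1, Node n2, Node n3, Node n4 |
 n1.asExpr() = var.getAUse() and
 n2.asExpr() = normalize.getQualifier() and
-localFileValueStep*(n1, n2) and
+(n1 = n2 or localFileValueStepPlus(n1, n2)) and
 n3.asExpr() = normalize and
 n4.asExpr() = startsWith.getQualifier() and
-localFileValueStep*(n3, n4) and
+(n3 = n4 or localFileValueStepPlus(n3, n4)) and
 check = startsWith and
 startsWith.getMethod().hasName("startsWith") and
 (
@@ -136,7 +150,9 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
 
 override predicate isSink(Node sink) { sink.asExpr() instanceof WrittenFileName }
 
-override predicate isAdditionalTaintStep(Node n1, Node n2) { filePathStep(n1, n2) }
+override predicate isAdditionalTaintStep(Node n1, Node n2) {
+filePathStep(n1, n2) or fileTaintStep(n1, n2)
+}
 
 override predicate isSanitizer(Node node) {
 exists(Guard g, SsaVariable var, RValue varuse | validateFilePath(var, g) |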
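Review bot: The new `fileTaintStep` (new lines 84–94) is added to `isAdditionalTaintStep` (new lines 153–155) but not to `localFileValueStep` (new lines 96–99), which is what `validateFilePath` walks from the variable use to the `normalize` qualifier; unless `filePathStep` (its body is outside the hunk) already covers `Path.resolve`, a value tainted through `resolve` and then guarded by `normalize().startsWith(...)` may not be recognised by the sanitizer, leaving a false positive. If that is the case, the fix is to extend the local step in the same way: `localFlowStep(n1, n2) or filePathStep(n1, n2) or fileTaintStep(n1, n2)`. Both new predicates are also undocumented while `validateFilePath` carries a QLDoc comment; I would add `/** Holds if `n2` is a `Path.resolve` call whose qualifier or argument is `n1`. */` above `fileTaintStep` and, above `localFileValueStepPlus`, `/** Transitive closure of `localFileValueStep`, computed with `fastTC` to avoid the cost of `localFileValueStep*` in `validateFilePath`. */`, so the reason for the `n1 = n2 or ...` rewrite on new lines 114 and 117 is recorded. The `ZipSlipConfiguration` class continues outside the hunk.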
