[JAVA] Partial Path Traversal Vuln Query

smehta23 · smehta23 · commit 4c7d476280b8 · 2022-06-28T13:52:41.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.expected b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.expected
diff --git a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.ql b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.ql
@@ -0,0 +1,24 @@
+/**
+ * @name Partial Path Traversal Vulnerability
+ * @description A misuse of the String `startsWith` method as a guard to protect against path traversal is insufficient.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.3
+ * @precision high
+ * @id java/partial-path-traversal
+ * @tags security
+ *       external/cwe/cwe-023
+ */
+
+import java 
+
+
+class MethodStringStartsWith extends Method {
+    MethodStringStartsWith() {
+        this.hasName("startsWith")
+    }
+}
+
+from MethodAccess ma 
+where ma.getMethod() instanceof MethodStringStartsWith
+select ma, "Partial Path Traversal Vulnerability due to insufficient guard against path traversal"
diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected
@@ -0,0 +1,17 @@
+| PartialPathTraversalTest.java:10:14:10:73 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:17:9:17:72 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:29:14:29:58 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:35:14:35:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:42:14:42:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:49:14:49:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:53:14:53:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:61:14:61:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:64:14:64:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:75:14:75:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:94:14:94:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:102:14:102:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:105:14:105:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:150:9:150:43 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:173:14:173:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:191:18:191:87 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
+| PartialPathTraversalTest.java:209:14:209:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.qlref b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-023/PartialPathTraversal.ql
diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java
@@ -0,0 +1,218 @@
+import java.io.IOException;
+import java.io.File;
+import java.io.InputStream;
+import static java.io.File.separatorChar;
+import java.nio.file.Files;
+
+
+public class PartialPathTraversalTest {
+    public void esapiExample(File dir, File parent) throws IOException {
+        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    @SuppressWarnings("ResultOfMethodCallIgnored")
+    void foo1(File dir, File parent) throws IOException {
+        (dir.getCanonicalPath()).startsWith((parent.getCanonicalPath()));
+    }
+
+    void foo2(File dir, File parent) throws IOException {
+        dir.getCanonicalPath();
+        if ("potato".startsWith(parent.getCanonicalPath())) {
+            System.out.println("Hello!");
+        }
+    }
+
+    void foo3(File dir, File parent) throws IOException {
+        String parentPath = parent.getCanonicalPath();
+        if (!dir.getCanonicalPath().startsWith(parentPath)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo4(File dir) throws IOException {
+        if (!dir.getCanonicalPath().startsWith("/usr" + "/dir")) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo5(File dir, File parent) throws IOException {
+        String canonicalPath = dir.getCanonicalPath();
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo6(File dir, File parent) throws IOException {
+        String canonicalPath = dir.getCanonicalPath();
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+        String canonicalPath2 = dir.getCanonicalPath();
+        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo7(File dir, File parent) throws IOException {
+        String canonicalPath = dir.getCanonicalPath();
+        String canonicalPath2 = dir.getCanonicalPath();
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    File getChild() {
+        return null;
+    }
+
+    void foo8(File parent) throws IOException {
+        String canonicalPath = getChild().getCanonicalPath();
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) {
+            throw new IOException("Invalid directory: " + getChild().getCanonicalPath());
+        }
+    }
+
+    void foo9(File dir, File parent) throws IOException {
+        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo10(File dir, File parent) throws IOException {
+        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separatorChar)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo11(File dir, File parent) throws IOException {
+        String parentCanonical = parent.getCanonicalPath();
+        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo12(File dir, File parent) throws IOException {
+        String parentCanonical = parent.getCanonicalPath();
+        String parentCanonical2 = parent.getCanonicalPath();
+        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+        if (!dir.getCanonicalPath().startsWith(parentCanonical2)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo13(File dir, File parent) throws IOException {
+        String parentCanonical = parent.getCanonicalPath() + File.separatorChar;
+        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo14(File dir, File parent) throws IOException {
+        String parentCanonical = parent.getCanonicalPath() + separatorChar;
+        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo15(File dir, File parent) throws IOException {
+        String parentCanonical = parent.getCanonicalPath() + File.separatorChar;
+        String parentCanonical2 = parent.getCanonicalPath() + File.separatorChar;
+        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+        if (!dir.getCanonicalPath().startsWith(parentCanonical2)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo16(File dir, File parent) throws IOException {
+        String parentCanonical = parent.getCanonicalPath() + File.separator;
+        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    @SuppressWarnings({
+            "IfStatementWithIdenticalBranches",
+            "MismatchedStringCase",
+            "UnusedAssignment",
+            "ResultOfMethodCallIgnored"
+    })
+    void foo17(File dir, File parent, boolean branch) throws IOException {
+        String parentCanonical = null;
+        "test ".startsWith("somethingElse");
+        if (branch) {
+            parentCanonical = parent.getCanonicalPath() + File.separatorChar;
+        } else {
+            parentCanonical = parent.getCanonicalPath() + File.separatorChar;
+        }
+        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo18(File dir, File parent, boolean branch) throws IOException {
+        String parentCanonical = parent.getCanonicalPath();
+        if (branch) {
+            parentCanonical = parent.getCanonicalPath() + File.separatorChar;
+        }
+        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo19(File dir, File parent) throws IOException {
+        String parentCanonical = parent.getCanonicalPath() + "/potato";
+        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    private File cacheDir;
+
+    InputStream foo20(String... path) {
+        StringBuilder sb = new StringBuilder();
+        sb.append(cacheDir.getAbsolutePath());
+        for (String p : path) {
+            sb.append(File.separatorChar);
+            sb.append(p);
+        }
+        sb.append(".gz");
+        String filePath = sb.toString();
+        File encodedFile = new File(filePath);
+        try {
+            if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) {
+                return null;
+            }
+            return Files.newInputStream(encodedFile.toPath());
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+    void foo21(File dir, File parent) throws IOException {
+        String parentCanonical = parent.getCanonicalPath();
+        if (!dir.getCanonicalPath().startsWith(parentCanonical + File.separator)) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    void foo22(File dir, File dir2, File parent, boolean conditional) throws IOException {
+        String canonicalPath = conditional ? dir.getCanonicalPath() : dir2.getCanonicalPath();
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
+    public void doesNotFlag() {
+        "hello".startsWith("goodbye");
+    }
+
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE/CWE-023/PartialPathTraversal.ql`