Fix partial path traversal Java example

ataillefer · ataillefer · commit 660e6d70855f · 2023-01-16T21:14:29.000+01:00
The Java recommendation example for the "Partial path traversal vulnerability from remote" query doesn't seem right to me. Indeed, the following statement doesn't compile, since `dir.getCanonicalPath()` returns a String:
```
dir.getCanonicalPath().toPath()
```
Maybe the author wanted to state `dir.getCanonicalFile().toPath()`, which would compile, but is useless compared to `dir.getCanonicalPath()`.

Moreover, `parent.getCanonicalFile().toPath()` or `parent.getCanonicalPath()` will **not** be slash-terminated, contrary to what the description says.
From what I can see (and test), the correct fix is to concatenate `File.separator` to the parent canonical path.
diff --git a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java
@@ -1,6 +1,6 @@
 public class PartialPathTraversalGood {
     public void example(File dir, File parent) throws IOException {
-        if (!dir.getCanonicalPath().toPath().startsWith(parent.getCanonicalPath().toPath())) {
+        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator)) {
             throw new IOException("Invalid directory: " + dir.getCanonicalPath());
         }
     }
diff --git a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalRemainder.inc.qhelp b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalRemainder.inc.qhelp
@@ -27,7 +27,7 @@ and not just children of <code>parent</code>, which is a security issue.
 <p>
 
 In this example, the <code>if</code> statement checks if <code>parent.getCanonicalPath() + File.separator </code> 
-is a prefix of <code>dir.getCanonicalPath()</code>. Because <code>parent.getCanonicalPath().toPath()</code> is 
+is a prefix of <code>dir.getCanonicalPath()</code>. Because <code>parent.getCanonicalPath() + File.separator</code> is
 indeed slash-terminated, the user supplying <code>dir</code> can only access children of 
 <code>parent</code>, as desired.
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`public class PartialPathTraversalGood {`
`2`	`2`	`public void example(File dir, File parent) throws IOException {`
`3`		`- if (!dir.getCanonicalPath().toPath().startsWith(parent.getCanonicalPath().toPath())) {`
	`3`	`+ if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator)) {`
`4`	`4`	`throw new IOException("Invalid directory: " + dir.getCanonicalPath());`
`5`	`5`	`}`
`6`	`6`	`}`