Finish Partial Path Traversal Query

smehta23 · smehta23 · commit 7122f2929666 · 2022-06-28T15:02:06.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.expected b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.expected
diff --git a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.ql b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.ql
@@ -10,15 +10,47 @@
  *       external/cwe/cwe-023
  */
 
-import java 
-
+import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.environment.SystemProperty
 
 class MethodStringStartsWith extends Method {
-    MethodStringStartsWith() {
-        this.hasName("startsWith")
-    }
+  MethodStringStartsWith() {
+    this.getDeclaringType() instanceof TypeString and
+    this.hasName("startsWith")
+  }
+}
+
+class MethodFileGetCanonicalPath extends Method {
+  MethodFileGetCanonicalPath() {
+    this.getDeclaringType() instanceof TypeFile and
+    this.hasName("getCanonicalPath")
+  }
 }
 
-from MethodAccess ma 
-where ma.getMethod() instanceof MethodStringStartsWith
-select ma, "Partial Path Traversal Vulnerability due to insufficient guard against path traversal"
+class MethodAccessFileGetCanonicalPath extends MethodAccess {
+  MethodAccessFileGetCanonicalPath() { this.getMethod() instanceof MethodFileGetCanonicalPath }
+}
+
+abstract class FileSeparatorExpr extends Expr { }
+
+class SystemPropFileSeparatorExpr extends FileSeparatorExpr {
+  SystemPropFileSeparatorExpr() { this = getSystemProperty("file.separator") }
+}
+
+class StringLiteralFileSeparatorExpr extends FileSeparatorExpr, StringLiteral {
+  StringLiteralFileSeparatorExpr() { this.getValue() = "/" }
+}
+
+class FileSeparatorAppend extends AddExpr {
+  FileSeparatorAppend() { this.getRightOperand() instanceof FileSeparatorExpr }
+}
+
+predicate isSafe(Expr expr) { DataFlow::localExprFlow(any(FileSeparatorAppend fsa), expr) }
+
+from MethodAccess ma
+where
+  ma.getMethod() instanceof MethodStringStartsWith and
+  DataFlow::localExprFlow(any(MethodAccessFileGetCanonicalPath gcpma), ma.getQualifier()) and
+  not isSafe(ma.getArgument(0))
+select ma, "Partial Path Traversal Vulnerability due to insufficient guard against path traversal"
diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected
@@ -11,7 +11,6 @@
 | PartialPathTraversalTest.java:94:14:94:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
 | PartialPathTraversalTest.java:102:14:102:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
 | PartialPathTraversalTest.java:105:14:105:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
-| PartialPathTraversalTest.java:150:9:150:43 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
 | PartialPathTraversalTest.java:173:14:173:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
 | PartialPathTraversalTest.java:191:18:191:87 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
 | PartialPathTraversalTest.java:209:14:209:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal |
diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java
@@ -211,6 +211,13 @@ void foo22(File dir, File dir2, File parent, boolean conditional) throws IOExcep
         }
     }
 
+    void foo23(File dir, File parent) throws IOException {
+        String parentCanonical = parent.getCanonicalPath();
+        if (!dir.getCanonicalPath().startsWith(parentCanonical + "/")) {
+            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        }
+    }
+
     public void doesNotFlag() {
         "hello".startsWith("goodbye");
     }

Original file line number	Diff line number	Diff line change
`@@ -211,6 +211,13 @@ void foo22(File dir, File dir2, File parent, boolean conditional) throws IOExcep`
`211`	`211`	`}`
`212`	`212`	`}`
`213`	`213`
	`214`	`+ void foo23(File dir, File parent) throws IOException {`
	`215`	`+ String parentCanonical = parent.getCanonicalPath();`
	`216`	`+ if (!dir.getCanonicalPath().startsWith(parentCanonical + "/")) {`
	`217`	`+ throw new IOException("Invalid directory: " + dir.getCanonicalPath());`
	`218`	`+ }`
	`219`	`+ }`
	`220`	`+`
`214`	`221`	`public void doesNotFlag() {`
`215`	`222`	`"hello".startsWith("goodbye");`
`216`	`223`	`}`