Java: Convert zipslip sinks to CSV format

tamasvajk · tamasvajk · commit 9e2832a82d7e · 2021-04-09T11:43:29.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
@@ -17,6 +17,7 @@ import semmle.code.java.dataflow.SSA
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow
 import PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A method that returns the name of an archive entry.
@@ -33,34 +34,6 @@ class ArchiveEntryNameMethod extends Method {
   }
 }
 
-/**
- * An expression that will be treated as the destination of a write.
- */
-class WrittenFileName extends Expr {
-  WrittenFileName() {
-    // Constructors that write to their first argument.
-    exists(ConstructorCall ctr | this = ctr.getArgument(0) |
-      exists(Class c | ctr.getConstructor() = c.getAConstructor() |
-        c.hasQualifiedName("java.io", "FileOutputStream") or
-        c.hasQualifiedName("java.io", "RandomAccessFile") or
-        c.hasQualifiedName("java.io", "FileWriter")
-      )
-    )
-    or
-    // Methods that write to their n'th argument
-    exists(MethodAccess call, int n | this = call.getArgument(n) |
-      call.getMethod().getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
-      (
-        call.getMethod().getName().regexpMatch("new.*Reader|newOutputStream|create.*") and n = 0
-        or
-        call.getMethod().hasName("copy") and n = 1
-        or
-        call.getMethod().hasName("move") and n = 1
-      )
-    )
-  }
-}
-
 /**
  * Holds if `n1` to `n2` is a dataflow step that converts between `String`,
  * `File`, and `Path`.
@@ -151,7 +124,7 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
     source.asExpr().(MethodAccess).getMethod() instanceof ArchiveEntryNameMethod
   }
 
-  override predicate isSink(Node sink) { sink.asExpr() instanceof WrittenFileName }
+  override predicate isSink(Node sink) { sinkNode(sink, "create-file") }
 
   override predicate isAdditionalTaintStep(Node n1, Node n2) {
     filePathStep(n1, n2) or fileTaintStep(n1, n2)
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -189,7 +189,21 @@ private predicate sinkModelCsv(string row) {
     [
       // Open URL
       "java.net;URL;false;openConnection;;;Argument[-1];open-url",
-      "java.net;URL;false;openStream;;;Argument[-1];open-url"
+      "java.net;URL;false;openStream;;;Argument[-1];open-url",
+      // Create file
+      "java.io;FileOutputStream;false;FileOutputStream;;;Argument[0];create-file",
+      "java.io;RandomAccessFile;false;RandomAccessFile;;;Argument[0];create-file",
+      "java.io;FileWriter;false;FileWriter;;;Argument[0];create-file",
+      "java.nio.file;Files;false;move;;;Argument[1];create-file",
+      "java.nio.file;Files;false;copy;;;Argument[1];create-file",
+      "java.nio.file;Files;false;newOutputStream;;;Argument[0];create-file",
+      "java.nio.file;Files;false;newBufferedReader;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createDirectory;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createFile;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createLink;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createTempDirectory;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file"
     ]
 }
 
