Update normalized path node

luchua-bc · luchua-bc · commit e3d0e9f083c0 · 2022-02-11T12:38:05.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
@@ -25,7 +25,7 @@ class InjectFilePathConfig extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(PathCreation p).getAnInput() and
-    not sink instanceof SanitizedNode
+    not sink instanceof NormalizedPathNode
   }
 
   override predicate isSanitizer(DataFlow::Node node) {
diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/PathSanitizer.qll b/java/ql/src/experimental/Security/CWE/CWE-073/PathSanitizer.qll
@@ -174,12 +174,10 @@ private class UrlDecodeSanitizer extends MethodAccess {
   }
 }
 
-/** A sanitized node that is protected against path traversal vulnerabilities. */
-abstract class SanitizedNode extends DataFlow::Node { }
-
-class NodeWithPathNormalizer extends SanitizedNode {
-  NodeWithPathNormalizer() {
-    DataFlow::localExprFlow(this.asExpr(), any(PathNormalizeSanitizer ma))
+/** A node with path normalization. */
+class NormalizedPathNode extends DataFlow::Node {
+  NormalizedPathNode() {
+    TaintTracking::localExprTaint(this.asExpr(), any(PathNormalizeSanitizer ma))
   }
 }
 
@@ -188,8 +186,8 @@ private class PathDataModel extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;value",
-        "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;value"
+        "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint",
+        "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint"
       ]
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ class InjectFilePathConfig extends TaintTracking::Configuration {`
`25`	`25`
`26`	`26`	`override predicate isSink(DataFlow::Node sink) {`
`27`	`27`	`sink.asExpr() = any(PathCreation p).getAnInput() and`
`28`		`- not sink instanceof SanitizedNode`
	`28`	`+ not sink instanceof NormalizedPathNode`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`override predicate isSanitizer(DataFlow::Node node) {`
Original file line number	Diff line number	Diff line change
`@@ -174,12 +174,10 @@ private class UrlDecodeSanitizer extends MethodAccess {`
`174`	`174`	`}`
`175`	`175`	`}`
`176`	`176`
`177`		`-/** A sanitized node that is protected against path traversal vulnerabilities. */`
`178`		`-abstract class SanitizedNode extends DataFlow::Node { }`
`179`		`-`
`180`		`-class NodeWithPathNormalizer extends SanitizedNode {`
`181`		`- NodeWithPathNormalizer() {`
`182`		`- DataFlow::localExprFlow(this.asExpr(), any(PathNormalizeSanitizer ma))`
	`177`	`+/** A node with path normalization. */`
	`178`	`+class NormalizedPathNode extends DataFlow::Node {`
	`179`	`+ NormalizedPathNode() {`
	`180`	`+ TaintTracking::localExprTaint(this.asExpr(), any(PathNormalizeSanitizer ma))`
`183`	`181`	`}`
`184`	`182`	`}`
`185`	`183`
`@@ -188,8 +186,8 @@ private class PathDataModel extends SummaryModelCsv {`
`188`	`186`	`override predicate row(string row) {`
`189`	`187`	`row =`
`190`	`188`	`[`
`191`		`- "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;value",`
`192`		`- "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;value"`
	`189`	`+ "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint",`
	`190`	`+ "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint"`
`193`	`191`	`]`
`194`	`192`	`}`
`195`	`193`	`}`