Java: Track taint through constructor arguments of java.net.URI.

Sebastian Bauersfeld · Sebastian Bauersfeld · commit 0468b3a36131 · 2022-09-13T11:35:04.000+07:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -401,6 +401,11 @@ private class SummaryModelCsvBase extends SummaryModelCsv {
         "java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual",
         "java.io;File;false;File;;;Argument[1];Argument[-1];taint;manual",
         "java.net;URI;false;URI;(String);;Argument[0];Argument[-1];taint;manual",
+        "java.net;URI;false;URI;(String,String,String);;Argument[0..2];Argument[-1];taint;manual",
+        "java.net;URI;false;URI;(String,String,String,int,String,String,String);;Argument[0..2];Argument[-1];taint;manual",
+        "java.net;URI;false;URI;(String,String,String,int,String,String,String);;Argument[4..6];Argument[-1];taint;manual",
+        "java.net;URI;false;URI;(String,String,String,String);;Argument[0..3];Argument[-1];taint;manual",
+        "java.net;URI;false;URI;(String,String,String,String,String);;Argument[0..4];Argument[-1];taint;manual",
         "java.net;URL;false;URL;(String);;Argument[0];Argument[-1];taint;manual",
         "javax.xml.transform.stream;StreamSource;false;StreamSource;;;Argument[0];Argument[-1];taint;manual",
         "javax.xml.transform.sax;SAXSource;false;SAXSource;(InputSource);;Argument[0];Argument[-1];taint;manual",
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
@@ -9,6 +9,42 @@ edges
 | Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String |
 | Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... |
 | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:20:96:20 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:23:96:23 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:26:96:26 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:20:97:20 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:23:97:23 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:26:97:26 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:29:97:29 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:20:98:20 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:23:98:23 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:26:98:26 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:29:98:29 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:32:98:32 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:20:99:20 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:23:99:23 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:26:99:26 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:32:99:32 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:35:99:35 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:38:99:38 | t : String |
+| Test.java:96:20:96:20 | t : String | Test.java:96:12:96:27 | new URI(...) |
+| Test.java:96:23:96:23 | t : String | Test.java:96:12:96:27 | new URI(...) |
+| Test.java:96:26:96:26 | t : String | Test.java:96:12:96:27 | new URI(...) |
+| Test.java:97:20:97:20 | t : String | Test.java:97:12:97:30 | new URI(...) |
+| Test.java:97:23:97:23 | t : String | Test.java:97:12:97:30 | new URI(...) |
+| Test.java:97:26:97:26 | t : String | Test.java:97:12:97:30 | new URI(...) |
+| Test.java:97:29:97:29 | t : String | Test.java:97:12:97:30 | new URI(...) |
+| Test.java:98:20:98:20 | t : String | Test.java:98:12:98:33 | new URI(...) |
+| Test.java:98:23:98:23 | t : String | Test.java:98:12:98:33 | new URI(...) |
+| Test.java:98:26:98:26 | t : String | Test.java:98:12:98:33 | new URI(...) |
+| Test.java:98:29:98:29 | t : String | Test.java:98:12:98:33 | new URI(...) |
+| Test.java:98:32:98:32 | t : String | Test.java:98:12:98:33 | new URI(...) |
+| Test.java:99:20:99:20 | t : String | Test.java:99:12:99:39 | new URI(...) |
+| Test.java:99:23:99:23 | t : String | Test.java:99:12:99:39 | new URI(...) |
+| Test.java:99:26:99:26 | t : String | Test.java:99:12:99:39 | new URI(...) |
+| Test.java:99:32:99:32 | t : String | Test.java:99:12:99:39 | new URI(...) |
+| Test.java:99:35:99:35 | t : String | Test.java:99:12:99:39 | new URI(...) |
+| Test.java:99:38:99:38 | t : String | Test.java:99:12:99:39 | new URI(...) |
 nodes
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
@@ -23,6 +59,29 @@ nodes
 | Test.java:82:67:82:81 | ... + ... | semmle.label | ... + ... |
 | Test.java:88:17:88:37 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:90:26:90:29 | temp | semmle.label | temp |
+| Test.java:95:14:95:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
+| Test.java:96:12:96:27 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:96:20:96:20 | t : String | semmle.label | t : String |
+| Test.java:96:23:96:23 | t : String | semmle.label | t : String |
+| Test.java:96:26:96:26 | t : String | semmle.label | t : String |
+| Test.java:97:12:97:30 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:97:20:97:20 | t : String | semmle.label | t : String |
+| Test.java:97:23:97:23 | t : String | semmle.label | t : String |
+| Test.java:97:26:97:26 | t : String | semmle.label | t : String |
+| Test.java:97:29:97:29 | t : String | semmle.label | t : String |
+| Test.java:98:12:98:33 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:98:20:98:20 | t : String | semmle.label | t : String |
+| Test.java:98:23:98:23 | t : String | semmle.label | t : String |
+| Test.java:98:26:98:26 | t : String | semmle.label | t : String |
+| Test.java:98:29:98:29 | t : String | semmle.label | t : String |
+| Test.java:98:32:98:32 | t : String | semmle.label | t : String |
+| Test.java:99:12:99:39 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:99:20:99:20 | t : String | semmle.label | t : String |
+| Test.java:99:23:99:23 | t : String | semmle.label | t : String |
+| Test.java:99:26:99:26 | t : String | semmle.label | t : String |
+| Test.java:99:32:99:32 | t : String | semmle.label | t : String |
+| Test.java:99:35:99:35 | t : String | semmle.label | t : String |
+| Test.java:99:38:99:38 | t : String | semmle.label | t : String |
 subpaths
 #select
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
@@ -31,3 +90,7 @@ subpaths
 | Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:82:52:82:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |
 | Test.java:90:26:90:29 | temp | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp | $@ flows to here and is used in a path. | Test.java:88:17:88:37 | getHostName(...) | User-provided value |
+| Test.java:96:3:96:28 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:12:96:27 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
+| Test.java:97:3:97:31 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:30 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
+| Test.java:98:3:98:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:12:98:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
+| Test.java:99:3:99:40 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:39 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
@@ -6,7 +6,7 @@
 import javax.servlet.ServletException;
 
 import java.io.*;
-import java.net.InetAddress;
+import java.net.*;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.FileSystems;
@@ -89,4 +89,13 @@ void doGet4(InetAddress address)
 		// BAD: open a file based on user input, using a MaD-documented API
 		new LockableFileWriter(temp);
 	}
+
+	void doGet5(InetAddress address)
+	throws URISyntaxException {
+		String t = address.getHostName();
+		new File(new URI(t, t, t));
+		new File(new URI(t, t, t, t));
+		new File(new URI(t, t, t, t, t));
+		new File(new URI(t, t, t, 0, t, t, t));
+	}
 }
