Address review comments.

Sebastian Bauersfeld · Sebastian Bauersfeld · commit 20d78972f58c · 2022-09-15T16:44:36.000+07:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -401,11 +401,6 @@ private class SummaryModelCsvBase extends SummaryModelCsv {
         "java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual",
         "java.io;File;false;File;;;Argument[1];Argument[-1];taint;manual",
         "java.net;URI;false;URI;(String);;Argument[0];Argument[-1];taint;manual",
-        "java.net;URI;false;URI;(String,String,String);;Argument[0..2];Argument[-1];taint;manual",
-        "java.net;URI;false;URI;(String,String,String,int,String,String,String);;Argument[0..2];Argument[-1];taint;manual",
-        "java.net;URI;false;URI;(String,String,String,int,String,String,String);;Argument[4..6];Argument[-1];taint;manual",
-        "java.net;URI;false;URI;(String,String,String,String);;Argument[0..3];Argument[-1];taint;manual",
-        "java.net;URI;false;URI;(String,String,String,String,String);;Argument[0..4];Argument[-1];taint;manual",
         "java.net;URL;false;URL;(String);;Argument[0];Argument[-1];taint;manual",
         "javax.xml.transform.stream;StreamSource;false;StreamSource;;;Argument[0];Argument[-1];taint;manual",
         "javax.xml.transform.sax;SAXSource;false;SAXSource;(InputSource);;Argument[0];Argument[-1];taint;manual",
diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPathCommon.qll b/java/ql/src/Security/CWE/CWE-022/TaintedPathCommon.qll
@@ -5,6 +5,19 @@
 import java
 import semmle.code.java.controlflow.Guards
 import semmle.code.java.security.PathCreation
+import semmle.code.java.dataflow.ExternalFlow
+
+class TaintedPathInjectionSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "java.net;URI;false;URI;(String,String,String);;Argument[1];Argument[-1];taint;manual",
+        "java.net;URI;false;URI;(String,String,String,String);;Argument[1..2];Argument[-1];taint;manual",
+        "java.net;URI;false;URI;(String,String,String,String,String);;Argument[2];Argument[-1];taint;manual",
+        "java.net;URI;false;URI;(String,String,String,int,String,String,String);;Argument[4];Argument[-1];taint;manual",
+      ]
+  }
+}
 
 private predicate inWeakCheck(Expr e) {
   // None of these are sufficient to guarantee that a string is safe.
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
@@ -9,42 +9,16 @@ edges
 | Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String |
 | Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... |
 | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:20:96:20 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:23:96:23 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:26:96:26 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:20:97:20 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:23:97:23 | t : String |
 | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:26:97:26 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:29:97:29 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:20:98:20 | t : String |
 | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:23:98:23 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:26:98:26 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:29:98:29 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:32:98:32 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:20:99:20 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:23:99:23 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:26:99:26 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:32:99:32 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:35:99:35 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:38:99:38 | t : String |
-| Test.java:96:20:96:20 | t : String | Test.java:96:12:96:27 | new URI(...) |
-| Test.java:96:23:96:23 | t : String | Test.java:96:12:96:27 | new URI(...) |
-| Test.java:96:26:96:26 | t : String | Test.java:96:12:96:27 | new URI(...) |
-| Test.java:97:20:97:20 | t : String | Test.java:97:12:97:30 | new URI(...) |
-| Test.java:97:23:97:23 | t : String | Test.java:97:12:97:30 | new URI(...) |
-| Test.java:97:26:97:26 | t : String | Test.java:97:12:97:30 | new URI(...) |
-| Test.java:97:29:97:29 | t : String | Test.java:97:12:97:30 | new URI(...) |
-| Test.java:98:20:98:20 | t : String | Test.java:98:12:98:33 | new URI(...) |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:29:99:29 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:32:100:32 | t : String |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:41:101:41 | t : String |
+| Test.java:97:26:97:26 | t : String | Test.java:97:12:97:33 | new URI(...) |
 | Test.java:98:23:98:23 | t : String | Test.java:98:12:98:33 | new URI(...) |
-| Test.java:98:26:98:26 | t : String | Test.java:98:12:98:33 | new URI(...) |
-| Test.java:98:29:98:29 | t : String | Test.java:98:12:98:33 | new URI(...) |
-| Test.java:98:32:98:32 | t : String | Test.java:98:12:98:33 | new URI(...) |
-| Test.java:99:20:99:20 | t : String | Test.java:99:12:99:39 | new URI(...) |
-| Test.java:99:23:99:23 | t : String | Test.java:99:12:99:39 | new URI(...) |
-| Test.java:99:26:99:26 | t : String | Test.java:99:12:99:39 | new URI(...) |
-| Test.java:99:32:99:32 | t : String | Test.java:99:12:99:39 | new URI(...) |
-| Test.java:99:35:99:35 | t : String | Test.java:99:12:99:39 | new URI(...) |
-| Test.java:99:38:99:38 | t : String | Test.java:99:12:99:39 | new URI(...) |
+| Test.java:99:29:99:29 | t : String | Test.java:99:12:99:33 | new URI(...) |
+| Test.java:100:32:100:32 | t : String | Test.java:100:12:100:45 | new URI(...) |
+| Test.java:101:41:101:41 | t : String | Test.java:101:12:101:54 | new URI(...) |
 nodes
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
@@ -60,28 +34,16 @@ nodes
 | Test.java:88:17:88:37 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:90:26:90:29 | temp | semmle.label | temp |
 | Test.java:95:14:95:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
-| Test.java:96:12:96:27 | new URI(...) | semmle.label | new URI(...) |
-| Test.java:96:20:96:20 | t : String | semmle.label | t : String |
-| Test.java:96:23:96:23 | t : String | semmle.label | t : String |
-| Test.java:96:26:96:26 | t : String | semmle.label | t : String |
-| Test.java:97:12:97:30 | new URI(...) | semmle.label | new URI(...) |
-| Test.java:97:20:97:20 | t : String | semmle.label | t : String |
-| Test.java:97:23:97:23 | t : String | semmle.label | t : String |
+| Test.java:97:12:97:33 | new URI(...) | semmle.label | new URI(...) |
 | Test.java:97:26:97:26 | t : String | semmle.label | t : String |
-| Test.java:97:29:97:29 | t : String | semmle.label | t : String |
 | Test.java:98:12:98:33 | new URI(...) | semmle.label | new URI(...) |
-| Test.java:98:20:98:20 | t : String | semmle.label | t : String |
 | Test.java:98:23:98:23 | t : String | semmle.label | t : String |
-| Test.java:98:26:98:26 | t : String | semmle.label | t : String |
-| Test.java:98:29:98:29 | t : String | semmle.label | t : String |
-| Test.java:98:32:98:32 | t : String | semmle.label | t : String |
-| Test.java:99:12:99:39 | new URI(...) | semmle.label | new URI(...) |
-| Test.java:99:20:99:20 | t : String | semmle.label | t : String |
-| Test.java:99:23:99:23 | t : String | semmle.label | t : String |
-| Test.java:99:26:99:26 | t : String | semmle.label | t : String |
-| Test.java:99:32:99:32 | t : String | semmle.label | t : String |
-| Test.java:99:35:99:35 | t : String | semmle.label | t : String |
-| Test.java:99:38:99:38 | t : String | semmle.label | t : String |
+| Test.java:99:12:99:33 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:99:29:99:29 | t : String | semmle.label | t : String |
+| Test.java:100:12:100:45 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:100:32:100:32 | t : String | semmle.label | t : String |
+| Test.java:101:12:101:54 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:101:41:101:41 | t : String | semmle.label | t : String |
 subpaths
 #select
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
@@ -90,7 +52,8 @@ subpaths
 | Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:82:52:82:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |
 | Test.java:90:26:90:29 | temp | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp | $@ flows to here and is used in a path. | Test.java:88:17:88:37 | getHostName(...) | User-provided value |
-| Test.java:96:3:96:28 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:12:96:27 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
-| Test.java:97:3:97:31 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:30 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
+| Test.java:97:3:97:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
 | Test.java:98:3:98:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:12:98:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
-| Test.java:99:3:99:40 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:39 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
+| Test.java:99:3:99:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
+| Test.java:100:3:100:46 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
+| Test.java:101:3:101:55 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
@@ -93,9 +93,11 @@ void doGet4(InetAddress address)
 	void doGet5(InetAddress address)
 	throws URISyntaxException {
 		String t = address.getHostName();
-		new File(new URI(t, t, t));
-		new File(new URI(t, t, t, t));
-		new File(new URI(t, t, t, t, t));
-		new File(new URI(t, t, t, 0, t, t, t));
+		// BAD: construct a file path with user input
+		new File(new URI(null, t, null));
+		new File(new URI(t, t, null, t));
+		new File(new URI(t, null, t, t));
+		new File(new URI(null, null, t, null, null));
+		new File(new URI(null, null, null, 0, t, null, null));
 	}
 }
