Improve PathSanitizer

atorralba · atorralba · commit 5706e8b3772b · 2022-10-04T12:26:17.000+02:00
Rename PathTraversalSanitizer to PathInjectionSanitizer
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -1,17 +1,12 @@
+/** Provides classes and predicates to reason about sanitization of path injection vulnerabilities. */
+
 import java
 private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
 
-/**
- * DEPRECATED: Use `PathTraversalSanitizer` instead.
- *
- * A barrier guard that protects against path traversal vulnerabilities.
- */
-abstract deprecated class PathTraversalBarrierGuard extends DataFlow::BarrierGuard { }
-
-/** A sanitizer that protects against path traversal vulnerabilities. */
-abstract class PathTraversalSanitizer extends DataFlow::Node { }
+/** A sanitizer that protects against path injection vulnerabilities. */
+abstract class PathInjectionSanitizer extends DataFlow::Node { }
 
 /**
  * Holds if `g` is guard that compares a string to a trusted value.
@@ -26,7 +21,7 @@ private predicate exactStringPathMatchGuard(Guard g, Expr e, boolean branch) {
   )
 }
 
-private class ExactStringPathMatchSanitizer extends PathTraversalSanitizer {
+private class ExactStringPathMatchSanitizer extends PathInjectionSanitizer {
   ExactStringPathMatchSanitizer() {
     this = DataFlow::BarrierGuard<exactStringPathMatchGuard/3>::getABarrierNode()
   }
@@ -38,7 +33,7 @@ private class ExactStringPathMatchSanitizer extends PathTraversalSanitizer {
  * This is used to look through field accessors such as `uri.getPath()`.
  */
 private Expr getUnderlyingVarAccess(Expr e) {
-  result = getUnderlyingVarAccess(e.(MethodAccess).getQualifier())
+  result = getUnderlyingVarAccess(e.(MethodAccess).getQualifier().getUnderlyingExpr())
   or
   result = e.(VarAccess)
 }
@@ -49,7 +44,9 @@ private class AllowListGuard extends Guard instanceof MethodAccess {
     not isDisallowedWord(super.getAnArgument())
   }
 
-  Expr getCheckedExpr() { result = getUnderlyingVarAccess(super.getQualifier()) }
+  Expr getCheckedExpr() {
+    result = getUnderlyingVarAccess(super.getQualifier().getUnderlyingExpr())
+  }
 }
 
 /**
@@ -72,7 +69,7 @@ private predicate allowListGuard(Guard g, Expr e, boolean branch) {
   )
 }
 
-private class AllowListSanitizer extends PathTraversalSanitizer {
+private class AllowListSanitizer extends PathInjectionSanitizer {
   AllowListSanitizer() { this = DataFlow::BarrierGuard<allowListGuard/3>::getABarrierNode() }
 }
 
@@ -90,7 +87,7 @@ private predicate dotDotCheckGuard(Guard g, Expr e, boolean branch) {
   )
 }
 
-private class DotDotCheckSanitizer extends PathTraversalSanitizer {
+private class DotDotCheckSanitizer extends PathInjectionSanitizer {
   DotDotCheckSanitizer() { this = DataFlow::BarrierGuard<dotDotCheckGuard/3>::getABarrierNode() }
 }
 
@@ -100,7 +97,9 @@ private class BlockListGuard extends Guard instanceof MethodAccess {
     isDisallowedWord(super.getAnArgument())
   }
 
-  Expr getCheckedExpr() { result = getUnderlyingVarAccess(super.getQualifier()) }
+  Expr getCheckedExpr() {
+    result = getUnderlyingVarAccess(super.getQualifier().getUnderlyingExpr())
+  }
 }
 
 /**
@@ -123,7 +122,7 @@ private predicate blockListGuard(Guard g, Expr e, boolean branch) {
   )
 }
 
-private class BlockListSanitizer extends PathTraversalSanitizer {
+private class BlockListSanitizer extends PathInjectionSanitizer {
   BlockListSanitizer() { this = DataFlow::BarrierGuard<blockListGuard/3>::getABarrierNode() }
 }
 
@@ -140,7 +139,7 @@ private predicate urlEncodingGuard(Guard g, Expr e, boolean branch) {
   )
 }
 
-private class UrlEncodingSanitizer extends PathTraversalSanitizer {
+private class UrlEncodingSanitizer extends PathInjectionSanitizer {
   UrlEncodingSanitizer() { this = DataFlow::BarrierGuard<urlEncodingGuard/3>::getABarrierNode() }
 }
 
@@ -149,38 +148,51 @@ private class UrlEncodingSanitizer extends PathTraversalSanitizer {
  */
 private predicate isStringPartialMatch(MethodAccess ma) {
   ma.getMethod().getDeclaringType() instanceof TypeString and
-  ma.getMethod().getName() =
-    ["contains", "startsWith", "matches", "regionMatches", "indexOf", "lastIndexOf"]
+  ma.getMethod()
+      .hasName(["contains", "startsWith", "matches", "regionMatches", "indexOf", "lastIndexOf"])
 }
 
 /**
- * Holds if `ma` is a call to a method of `java.nio.file.Path` that checks a partial path match.
+ * Holds if `ma` is a call to a method that checks a partial path match.
  */
 private predicate isPathPartialMatch(MethodAccess ma) {
   ma.getMethod().getDeclaringType() instanceof TypePath and
-  ma.getMethod().getName() = "startsWith"
+  ma.getMethod().hasName("startsWith")
+  or
+  ma.getMethod().getDeclaringType().hasQualifiedName("kotlin.io", "FilesKt") and
+  ma.getMethod().hasName("startsWith")
 }
 
 private predicate isDisallowedWord(CompileTimeConstantExpr word) {
   word.getStringValue().matches(["%WEB-INF%", "%META-INF%", "%..%"])
 }
 
 /** A complementary guard that protects against path traversal, by looking for the literal `..`. */
-class PathTraversalGuard extends Guard instanceof MethodAccess {
+private class PathTraversalGuard extends Guard instanceof MethodAccess {
   PathTraversalGuard() {
     super.getMethod().getDeclaringType() instanceof TypeString and
     super.getMethod().hasName(["contains", "indexOf"]) and
     super.getAnArgument().(CompileTimeConstantExpr).getStringValue() = ".."
   }
 
-  Expr getCheckedExpr() { result = getUnderlyingVarAccess(super.getQualifier()) }
+  Expr getCheckedExpr() {
+    result = getUnderlyingVarAccess(super.getQualifier().getUnderlyingExpr())
+  }
 }
 
 /** A complementary sanitizer that protects against path traversal using path normalization. */
 private class PathNormalizeSanitizer extends MethodAccess {
   PathNormalizeSanitizer() {
-    this.getMethod().getDeclaringType().hasQualifiedName("java.nio.file", "Path") and
-    this.getMethod().hasName("normalize")
+    exists(RefType t |
+      t instanceof TypePath or
+      t.hasQualifiedName("kotlin.io", "FilesKt")
+    |
+      this.getMethod().getDeclaringType() = t and
+      this.getMethod().hasName("normalize")
+    )
+    or
+    this.getMethod().getDeclaringType() instanceof TypeFile and
+    this.getMethod().hasName(["getCanonicalPath", "getCanonicalFile"])
   }
 }
 
@@ -198,8 +210,13 @@ private class UrlEncodingGuard extends Guard instanceof MethodAccess {
 /** A complementary sanitizer that protects against double URL encoding using URL decoding. */
 private class UrlDecodeSanitizer extends MethodAccess {
   UrlDecodeSanitizer() {
-    this.getMethod().getDeclaringType().hasQualifiedName("java.net", "URLDecoder") and
-    this.getMethod().hasName("decode")
+    exists(RefType t |
+      this.getMethod().getDeclaringType() = t and
+      this.getMethod().hasName("decode")
+    |
+      t.hasQualifiedName("java.net", "URLDecoder") or
+      t.hasQualifiedName("android.net", "Uri")
+    )
   }
 }
 
@@ -209,14 +226,3 @@ class NormalizedPathNode extends DataFlow::Node {
     TaintTracking::localExprTaint(this.asExpr(), any(PathNormalizeSanitizer ma))
   }
 }
-
-/** Data model related to `java.nio.file.Path`. */
-private class PathDataModel extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint;manual",
-        "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint;manual"
-      ]
-  }
-}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
@@ -31,7 +31,7 @@ class InjectFilePathConfig extends TaintTracking::Configuration {
   override predicate isSanitizer(DataFlow::Node node) {
     exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType)
     or
-    node instanceof PathTraversalSanitizer
+    node instanceof PathInjectionSanitizer
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql b/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
@@ -24,7 +24,7 @@ class InsecureWebResourceResponseConfig extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink }
 
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof PathTraversalSanitizer }
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureWebResourceResponseConfig conf
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
@@ -37,7 +37,7 @@ class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSanitizer(DataFlow::Node node) {
     node instanceof UnsafeUrlForwardSanitizer or
-    node instanceof PathTraversalSanitizer
+    node instanceof PathInjectionSanitizer
   }
 
   override DataFlow::FlowFeature getAFeature() {

Original file line number	Diff line number	Diff line change
`@@ -1,17 +1,12 @@`
	`1`	`+/** Provides classes and predicates to reason about sanitization of path injection vulnerabilities. */`
	`2`	`+`
`1`	`3`	`import java`
`2`	`4`	`private import semmle.code.java.controlflow.Guards`
`3`	`5`	`private import semmle.code.java.dataflow.FlowSources`
`4`	`6`	`private import semmle.code.java.dataflow.ExternalFlow`
`5`	`7`
`6`		`-/**`
`7`		- * DEPRECATED: Use `PathTraversalSanitizer` instead.
`8`		`- *`
`9`		`- * A barrier guard that protects against path traversal vulnerabilities.`
`10`		`- */`
`11`		`-abstract deprecated class PathTraversalBarrierGuard extends DataFlow::BarrierGuard { }`
`12`		`-`
`13`		`-/** A sanitizer that protects against path traversal vulnerabilities. */`
`14`		`-abstract class PathTraversalSanitizer extends DataFlow::Node { }`
	`8`	`+/** A sanitizer that protects against path injection vulnerabilities. */`
	`9`	`+abstract class PathInjectionSanitizer extends DataFlow::Node { }`
`15`	`10`
`16`	`11`	`/**`
`17`	`12`	* Holds if `g` is guard that compares a string to a trusted value.
`@@ -26,7 +21,7 @@ private predicate exactStringPathMatchGuard(Guard g, Expr e, boolean branch) {`
`26`	`21`	`)`
`27`	`22`	`}`
`28`	`23`
`29`		`-private class ExactStringPathMatchSanitizer extends PathTraversalSanitizer {`
	`24`	`+private class ExactStringPathMatchSanitizer extends PathInjectionSanitizer {`
`30`	`25`	`ExactStringPathMatchSanitizer() {`
`31`	`26`	`this = DataFlow::BarrierGuard<exactStringPathMatchGuard/3>::getABarrierNode()`
`32`	`27`	`}`
`@@ -38,7 +33,7 @@ private class ExactStringPathMatchSanitizer extends PathTraversalSanitizer {`
`38`	`33`	* This is used to look through field accessors such as `uri.getPath()`.
`39`	`34`	`*/`
`40`	`35`	`private Expr getUnderlyingVarAccess(Expr e) {`
`41`		`- result = getUnderlyingVarAccess(e.(MethodAccess).getQualifier())`
	`36`	`+ result = getUnderlyingVarAccess(e.(MethodAccess).getQualifier().getUnderlyingExpr())`
`42`	`37`	`or`
`43`	`38`	`result = e.(VarAccess)`
`44`	`39`	`}`
`@@ -49,7 +44,9 @@ private class AllowListGuard extends Guard instanceof MethodAccess {`
`49`	`44`	`not isDisallowedWord(super.getAnArgument())`
`50`	`45`	`}`
`51`	`46`
`52`		`- Expr getCheckedExpr() { result = getUnderlyingVarAccess(super.getQualifier()) }`
	`47`	`+ Expr getCheckedExpr() {`
	`48`	`+ result = getUnderlyingVarAccess(super.getQualifier().getUnderlyingExpr())`
	`49`	`+ }`
`53`	`50`	`}`
`54`	`51`
`55`	`52`	`/**`
`@@ -72,7 +69,7 @@ private predicate allowListGuard(Guard g, Expr e, boolean branch) {`
`72`	`69`	`)`
`73`	`70`	`}`
`74`	`71`
`75`		`-private class AllowListSanitizer extends PathTraversalSanitizer {`
	`72`	`+private class AllowListSanitizer extends PathInjectionSanitizer {`
`76`	`73`	`AllowListSanitizer() { this = DataFlow::BarrierGuard<allowListGuard/3>::getABarrierNode() }`
`77`	`74`	`}`
`78`	`75`
`@@ -90,7 +87,7 @@ private predicate dotDotCheckGuard(Guard g, Expr e, boolean branch) {`
`90`	`87`	`)`
`91`	`88`	`}`
`92`	`89`
`93`		`-private class DotDotCheckSanitizer extends PathTraversalSanitizer {`
	`90`	`+private class DotDotCheckSanitizer extends PathInjectionSanitizer {`
`94`	`91`	`DotDotCheckSanitizer() { this = DataFlow::BarrierGuard<dotDotCheckGuard/3>::getABarrierNode() }`
`95`	`92`	`}`
`96`	`93`
`@@ -100,7 +97,9 @@ private class BlockListGuard extends Guard instanceof MethodAccess {`
`100`	`97`	`isDisallowedWord(super.getAnArgument())`
`101`	`98`	`}`
`102`	`99`
`103`		`- Expr getCheckedExpr() { result = getUnderlyingVarAccess(super.getQualifier()) }`
	`100`	`+ Expr getCheckedExpr() {`
	`101`	`+ result = getUnderlyingVarAccess(super.getQualifier().getUnderlyingExpr())`
	`102`	`+ }`
`104`	`103`	`}`
`105`	`104`
`106`	`105`	`/**`
`@@ -123,7 +122,7 @@ private predicate blockListGuard(Guard g, Expr e, boolean branch) {`
`123`	`122`	`)`
`124`	`123`	`}`
`125`	`124`
`126`		`-private class BlockListSanitizer extends PathTraversalSanitizer {`
	`125`	`+private class BlockListSanitizer extends PathInjectionSanitizer {`
`127`	`126`	`BlockListSanitizer() { this = DataFlow::BarrierGuard<blockListGuard/3>::getABarrierNode() }`
`128`	`127`	`}`
`129`	`128`
`@@ -140,7 +139,7 @@ private predicate urlEncodingGuard(Guard g, Expr e, boolean branch) {`
`140`	`139`	`)`
`141`	`140`	`}`
`142`	`141`
`143`		`-private class UrlEncodingSanitizer extends PathTraversalSanitizer {`
	`142`	`+private class UrlEncodingSanitizer extends PathInjectionSanitizer {`
`144`	`143`	`UrlEncodingSanitizer() { this = DataFlow::BarrierGuard<urlEncodingGuard/3>::getABarrierNode() }`
`145`	`144`	`}`
`146`	`145`
`@@ -149,38 +148,51 @@ private class UrlEncodingSanitizer extends PathTraversalSanitizer {`
`149`	`148`	`*/`
`150`	`149`	`private predicate isStringPartialMatch(MethodAccess ma) {`
`151`	`150`	`ma.getMethod().getDeclaringType() instanceof TypeString and`
`152`		`- ma.getMethod().getName() =`
`153`		`- ["contains", "startsWith", "matches", "regionMatches", "indexOf", "lastIndexOf"]`
	`151`	`+ ma.getMethod()`
	`152`	`+ .hasName(["contains", "startsWith", "matches", "regionMatches", "indexOf", "lastIndexOf"])`
`154`	`153`	`}`
`155`	`154`
`156`	`155`	`/**`
`157`		- * Holds if `ma` is a call to a method of `java.nio.file.Path` that checks a partial path match.
	`156`	+ * Holds if `ma` is a call to a method that checks a partial path match.
`158`	`157`	`*/`
`159`	`158`	`private predicate isPathPartialMatch(MethodAccess ma) {`
`160`	`159`	`ma.getMethod().getDeclaringType() instanceof TypePath and`
`161`		`- ma.getMethod().getName() = "startsWith"`
	`160`	`+ ma.getMethod().hasName("startsWith")`
	`161`	`+ or`
	`162`	`+ ma.getMethod().getDeclaringType().hasQualifiedName("kotlin.io", "FilesKt") and`
	`163`	`+ ma.getMethod().hasName("startsWith")`
`162`	`164`	`}`
`163`	`165`
`164`	`166`	`private predicate isDisallowedWord(CompileTimeConstantExpr word) {`
`165`	`167`	`word.getStringValue().matches(["%WEB-INF%", "%META-INF%", "%..%"])`
`166`	`168`	`}`
`167`	`169`
`168`	`170`	/** A complementary guard that protects against path traversal, by looking for the literal `..`. */
`169`		`-class PathTraversalGuard extends Guard instanceof MethodAccess {`
	`171`	`+private class PathTraversalGuard extends Guard instanceof MethodAccess {`
`170`	`172`	`PathTraversalGuard() {`
`171`	`173`	`super.getMethod().getDeclaringType() instanceof TypeString and`
`172`	`174`	`super.getMethod().hasName(["contains", "indexOf"]) and`
`173`	`175`	`super.getAnArgument().(CompileTimeConstantExpr).getStringValue() = ".."`
`174`	`176`	`}`
`175`	`177`
`176`		`- Expr getCheckedExpr() { result = getUnderlyingVarAccess(super.getQualifier()) }`
	`178`	`+ Expr getCheckedExpr() {`
	`179`	`+ result = getUnderlyingVarAccess(super.getQualifier().getUnderlyingExpr())`
	`180`	`+ }`
`177`	`181`	`}`
`178`	`182`
`179`	`183`	`/** A complementary sanitizer that protects against path traversal using path normalization. */`
`180`	`184`	`private class PathNormalizeSanitizer extends MethodAccess {`
`181`	`185`	`PathNormalizeSanitizer() {`
`182`		`- this.getMethod().getDeclaringType().hasQualifiedName("java.nio.file", "Path") and`
`183`		`- this.getMethod().hasName("normalize")`
	`186`	`+ exists(RefType t \|`
	`187`	`+ t instanceof TypePath or`
	`188`	`+ t.hasQualifiedName("kotlin.io", "FilesKt")`
	`189`	`+ \|`
	`190`	`+ this.getMethod().getDeclaringType() = t and`
	`191`	`+ this.getMethod().hasName("normalize")`
	`192`	`+ )`
	`193`	`+ or`
	`194`	`+ this.getMethod().getDeclaringType() instanceof TypeFile and`
	`195`	`+ this.getMethod().hasName(["getCanonicalPath", "getCanonicalFile"])`
`184`	`196`	`}`
`185`	`197`	`}`
`186`	`198`
`@@ -198,8 +210,13 @@ private class UrlEncodingGuard extends Guard instanceof MethodAccess {`
`198`	`210`	`/** A complementary sanitizer that protects against double URL encoding using URL decoding. */`
`199`	`211`	`private class UrlDecodeSanitizer extends MethodAccess {`
`200`	`212`	`UrlDecodeSanitizer() {`
`201`		`- this.getMethod().getDeclaringType().hasQualifiedName("java.net", "URLDecoder") and`
`202`		`- this.getMethod().hasName("decode")`
	`213`	`+ exists(RefType t \|`
	`214`	`+ this.getMethod().getDeclaringType() = t and`
	`215`	`+ this.getMethod().hasName("decode")`
	`216`	`+ \|`
	`217`	`+ t.hasQualifiedName("java.net", "URLDecoder") or`
	`218`	`+ t.hasQualifiedName("android.net", "Uri")`
	`219`	`+ )`
`203`	`220`	`}`
`204`	`221`	`}`
`205`	`222`
`@@ -209,14 +226,3 @@ class NormalizedPathNode extends DataFlow::Node {`
`209`	`226`	`TaintTracking::localExprTaint(this.asExpr(), any(PathNormalizeSanitizer ma))`
`210`	`227`	`}`
`211`	`228`	`}`
`212`		`-`
`213`		-/** Data model related to `java.nio.file.Path`. */
`214`		`-private class PathDataModel extends SummaryModelCsv {`
`215`		`- override predicate row(string row) {`
`216`		`- row =`
`217`		`- [`
`218`		`- "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint;manual",`
`219`		`- "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint;manual"`
`220`		`- ]`
`221`		`- }`
`222`		`-}`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ class InjectFilePathConfig extends TaintTracking::Configuration {`
`31`	`31`	`override predicate isSanitizer(DataFlow::Node node) {`
`32`	`32`	`exists(Type t \| t = node.getType() \| t instanceof BoxedType or t instanceof PrimitiveType)`
`33`	`33`	`or`
`34`		`- node instanceof PathTraversalSanitizer`
	`34`	`+ node instanceof PathInjectionSanitizer`
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ class InsecureWebResourceResponseConfig extends TaintTracking::Configuration {`
`24`	`24`
`25`	`25`	`override predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink }`
`26`	`26`
`27`		`- override predicate isSanitizer(DataFlow::Node node) { node instanceof PathTraversalSanitizer }`
	`27`	`+ override predicate isSanitizer(DataFlow::Node node) { node instanceof PathInjectionSanitizer }`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureWebResourceResponseConfig conf`
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {`
`37`	`37`
`38`	`38`	`override predicate isSanitizer(DataFlow::Node node) {`
`39`	`39`	`node instanceof UnsafeUrlForwardSanitizer or`
`40`		`- node instanceof PathTraversalSanitizer`
	`40`	`+ node instanceof PathInjectionSanitizer`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`override DataFlow::FlowFeature getAFeature() {`