Fix documentation

Author: smehta23

java/ql/lib/semmle/code/java/security/PartialPathTraversal.qll

@@ -1,51 +1,56 @@
+/** Provides classes to reason about partial path traversal vulnerabilities. */
+
 import java
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.environment.SystemProperty
 
-class MethodStringStartsWith extends Method {
+private class MethodStringStartsWith extends Method {
   MethodStringStartsWith() {
     this.getDeclaringType() instanceof TypeString and
     this.hasName("startsWith")
   }
 }
 
-class MethodFileGetCanonicalPath extends Method {
+private class MethodFileGetCanonicalPath extends Method {
   MethodFileGetCanonicalPath() {
     this.getDeclaringType() instanceof TypeFile and
     this.hasName("getCanonicalPath")
   }
 }
 
-class MethodAccessFileGetCanonicalPath extends MethodAccess {
+private class MethodAccessFileGetCanonicalPath extends MethodAccess {
   MethodAccessFileGetCanonicalPath() { this.getMethod() instanceof MethodFileGetCanonicalPath }
 }
 
-abstract class FileSeparatorExpr extends Expr { }
+private abstract class FileSeparatorExpr extends Expr { }
 
-class SystemPropFileSeparatorExpr extends FileSeparatorExpr {
+private class SystemPropFileSeparatorExpr extends FileSeparatorExpr {
   SystemPropFileSeparatorExpr() { this = getSystemProperty("file.separator") }
 }
 
-class StringLiteralFileSeparatorExpr extends FileSeparatorExpr, StringLiteral {
+private class StringLiteralFileSeparatorExpr extends FileSeparatorExpr, StringLiteral {
   StringLiteralFileSeparatorExpr() {
     this.getValue().matches("%/") or this.getValue().matches("%\\")
   }
 }
 
-class CharacterLiteralFileSeparatorExpr extends FileSeparatorExpr, CharacterLiteral {
+private class CharacterLiteralFileSeparatorExpr extends FileSeparatorExpr, CharacterLiteral {
   CharacterLiteralFileSeparatorExpr() { this.getValue() = "/" or this.getValue() = "\\" }
 }
 
-class FileSeparatorAppend extends AddExpr {
+private class FileSeparatorAppend extends AddExpr {
   FileSeparatorAppend() { this.getRightOperand() instanceof FileSeparatorExpr }
 }
 
-predicate isSafe(Expr expr) {
+private predicate isSafe(Expr expr) {
   DataFlow::localExprFlow(any(Expr e |
       e instanceof FileSeparatorAppend or e instanceof FileSeparatorExpr
     ), expr)
 }
 
+/**
+ * A method access that returns a boolean that incorrectly guards against Partial Path Traversal.
+ */
 class PartialPathTraversalMethodAccess extends MethodAccess {
   PartialPathTraversalMethodAccess() {
     this.getMethod() instanceof MethodStringStartsWith and

java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll

@@ -1,12 +1,19 @@
+/** Provides taint tracking configurations to be used in partial path traversal queries. */
+
 import java
 import semmle.code.java.security.PartialPathTraversal
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to validate against path traversal, but is insufficient
+ * and remains vulnerable to Partial Path Traversal.
+ */
 class PartialPathTraversalFromRemoteConfig extends TaintTracking::Configuration {
-    PartialPathTraversalFromRemoteConfig() { this = "PartialPathTraversalFromRemoteConfig" }
+  PartialPathTraversalFromRemoteConfig() { this = "PartialPathTraversalFromRemoteConfig" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
 

java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.qhelp

@@ -3,51 +3,10 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>A common way to check that a user-supplied path <code>SUBDIR</code> falls inside a directory <code>DIR</code>
-is to use <code>getCanonicalPath()</code> to remove any path-traversal elements and then check that <code>DIR</code>
-is a prefix. However, if <code>DIR</code> is not slash-terminated, this can unexpectedly allow accessing siblings of <code>DIR</code>.</p>
+<include src="PartialPathTraversalOverview.inc.qhelp"> 
+<p>See also <code>java/partial-path-traversal-from-remote</code>, which is similar to this query but only flags instances with evidence of remote exploitability</p>
 </overview>
-<recommendation>
 
-<p>If the user should only access items within a certain directory <code>DIR</code>, ensure that <code>DIR</code> is slash-terminated
-before checking that <code>DIR</code> is a prefix of the user-provided path, <code>SUBDIR</code>. Note, Java's <code>getCanonicalPath()</code>
-returns a <b>non</b>-slash-terminated path string, so a slash must be added to <code>DIR</code> if that method is used.</p>
+<include src="PartialPathTraversalRemainder.inc.qhelp">
 
-</recommendation>
-<example>
-
-<p> 
-
-
-In this example, the <code>if</code> statement checks if <code>parent.getCanonicalPath()</code> 
-is a prefix of <code>dir.getCanonicalPath()</code>. However, <code>parent.getCanonicalPath()</code> is 
-not slash-terminated. So, the user that supplies <code>dir</code> may be allowed to access siblings of <code>parent</code> 
-and not just children of <code>parent</code>, which is a security issue.
-
-</p>
-
-<sample src="PartialPathTraversalBad.java" />
-
-<p>
-
-In this example, the <code>if</code> statement checks if <code>parent.getCanonicalPath() + File.separator </code> 
-is a prefix of <code>dir.getCanonicalPath()</code>. Because <code>parent.getCanonicalPath().toPath()</code> is 
-indeed slash-terminated, the user supplying <code>dir</code> can only access children of 
-<code>parent</code>, as desired.
-
-</p>
-
-<sample src="PartialPathTraversalGood.java" />
-
-</example>
-<references>
-
-<li>
-OWASP:
-<a href="https://owasp.org/www-community/attacks/Path_Traversal">Partial Path Traversal</a>.
-CVE-2022-23457:
-<a href="https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md"> ESAPI Vulnerability Report</a>
-</li>
-
-</references>
 </qhelp>

java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.qhelp

@@ -0,0 +1,11 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<include src="PartialPathTraversalOverview.inc.qhelp"> 
+</overview>
+
+<include src="PartialPathTraversalRemainder.inc.qhelp">
+
+</qhelp>

java/ql/src/Security/CWE/CWE-023/PartialPathTraversalOverview.inc.qhelp

@@ -0,0 +1,10 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<p>A common way to check that a user-supplied path <code>SUBDIR</code> falls inside a directory <code>DIR</code>
+is to use <code>getCanonicalPath()</code> to remove any path-traversal elements and then check that <code>DIR</code>
+is a prefix. However, if <code>DIR</code> is not slash-terminated, this can unexpectedly allow accessing siblings of <code>DIR</code>.</p>
+
+</qhelp>

java/ql/src/Security/CWE/CWE-023/PartialPathTraversalRemainder.inc.qhelp

@@ -0,0 +1,51 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<recommendation>
+
+<p>If the user should only access items within a certain directory <code>DIR</code>, ensure that <code>DIR</code> is slash-terminated
+before checking that <code>DIR</code> is a prefix of the user-provided path, <code>SUBDIR</code>. Note, Java's <code>getCanonicalPath()</code>
+returns a <b>non</b>-slash-terminated path string, so a slash must be added to <code>DIR</code> if that method is used.</p>
+
+</recommendation>
+<example>
+
+<p> 
+
+
+In this example, the <code>if</code> statement checks if <code>parent.getCanonicalPath()</code> 
+is a prefix of <code>dir.getCanonicalPath()</code>. However, <code>parent.getCanonicalPath()</code> is 
+not slash-terminated. So, the user that supplies <code>dir</code> may be allowed to access siblings of <code>parent</code> 
+and not just children of <code>parent</code>, which is a security issue.
+
+</p>
+
+<sample src="PartialPathTraversalBad.java" />
+
+<p>
+
+In this example, the <code>if</code> statement checks if <code>parent.getCanonicalPath() + File.separator </code> 
+is a prefix of <code>dir.getCanonicalPath()</code>. Because <code>parent.getCanonicalPath().toPath()</code> is 
+indeed slash-terminated, the user supplying <code>dir</code> can only access children of 
+<code>parent</code>, as desired.
+
+</p>
+
+<sample src="PartialPathTraversalGood.java" />
+
+</example>
+<references>
+
+<li>
+OWASP:
+<a href="https://owasp.org/www-community/attacks/Path_Traversal">Partial Path Traversal</a>.
+CVE-2022-23457:
+<a href="https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md"> ESAPI Vulnerability Report</a>
+</li>
+
+</references>
+
+
+</qhelp>