
Commit dff878e

committed
Apply TaintedPath recent changes to TaintedPathLocal
1 parent 5706e8b commit dff878e


1 file changed

+25
-10
lines changed

1 file changed

+25
-10
lines changed

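--- a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
@@ -15,6 +15,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.security.PathCreation
 import DataFlow::PathGraph
 import TaintedPathCommon
@@ -25,20 +26,34 @@ class TaintedPathLocalConfig extends TaintTracking::Configuration {
 override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
 override predicate isSink(DataFlow::Node sink) {
-sink.asExpr() = any(PathCreation p).getAnInput()
+(
+sink.asExpr() = any(PathCreation p).getAnInput()
+or
+sinkNode(sink, "create-file")
+) and
+not guarded(sink.asExpr())
 }
 
 override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
 any(TaintedPathAdditionalTaintStep s).step(n1, n2)
 }
 }
 
-from
-DataFlow::PathNode source, DataFlow::PathNode sink, PathCreation p, Expr e,
-TaintedPathLocalConfig conf
-where
-e = sink.getNode().asExpr() and
-e = p.getAnInput() and
-conf.hasFlowPath(source, sink) and
-not guarded(e)
-select p, source, sink, "This path depends on a $@.", source.getNode(), "user-provided value"
+/**
+* Gets the data-flow node at which to report a path ending at `sink`.
+*
+* Previously this query flagged alerts exclusively at `PathCreation` sites,
+* so to avoid perturbing existing alerts, where a `PathCreation` exists we
+* continue to report there; otherwise we report directly at `sink`.
+*/
+DataFlow::Node getReportingNode(DataFlow::Node sink) {
+any(TaintedPathLocalConfig c).hasFlowTo(sink) and
+if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
+then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
+else result = sink
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, TaintedPathLocalConfig conf
+where conf.hasFlowPath(source, sink)
+select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
+source.getNode(), "user-provided value"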
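Review bot: In `isSink`, `not guarded(sink.asExpr())` now also covers the sinks added by `sinkNode(sink, "create-file")`, and for any such node that has no expression `sink.asExpr()` has no value, so the negation holds vacuously and the sink is kept. That errs on the side of reporting, which is the safe direction for a path-traversal query, but it is not obvious from the code; a comment such as `// model-defined sinks without an expression are never treated as guarded` above the `not guarded(...)` line would record it. `guarded` is defined outside this file section (presumably in TaintedPathCommon), so whether its checks recognise the argument shapes of model-defined sinks should be confirmed there. The commit changes only this one file, so nothing here shows a test exercising the new `create-file` sinks for local user input.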
