Commit 282632c

Add new snippets as tests
1 parent 73e3fad commit 282632c

2 files changed

+62
-13
lines changed


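--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
@@ -1,9 +1,14 @@
 edges
-| TaintedPath.java:11:38:11:110 | new BufferedReader(...) : BufferedReader | TaintedPath.java:12:24:12:37 | filenameReader : BufferedReader |
-| TaintedPath.java:11:57:11:109 | new InputStreamReader(...) : InputStreamReader | TaintedPath.java:11:38:11:110 | new BufferedReader(...) : BufferedReader |
-| TaintedPath.java:11:79:11:99 | getInputStream(...) : InputStream | TaintedPath.java:11:57:11:109 | new InputStreamReader(...) : InputStreamReader |
-| TaintedPath.java:12:24:12:37 | filenameReader : BufferedReader | TaintedPath.java:12:24:12:48 | readLine(...) : String |
-| TaintedPath.java:12:24:12:48 | readLine(...) : String | TaintedPath.java:14:68:14:75 | filename |
+| TaintedPath.java:12:38:12:110 | new BufferedReader(...) : BufferedReader | TaintedPath.java:13:24:13:37 | filenameReader : BufferedReader |
+| TaintedPath.java:12:57:12:109 | new InputStreamReader(...) : InputStreamReader | TaintedPath.java:12:38:12:110 | new BufferedReader(...) : BufferedReader |
+| TaintedPath.java:12:79:12:99 | getInputStream(...) : InputStream | TaintedPath.java:12:57:12:109 | new InputStreamReader(...) : InputStreamReader |
+| TaintedPath.java:13:24:13:37 | filenameReader : BufferedReader | TaintedPath.java:13:24:13:48 | readLine(...) : String |
+| TaintedPath.java:13:24:13:48 | readLine(...) : String | TaintedPath.java:15:68:15:75 | filename |
+| TaintedPath.java:38:41:39:70 | new BufferedReader(...) : BufferedReader | TaintedPath.java:40:27:40:40 | filenameReader : BufferedReader |
+| TaintedPath.java:39:17:39:69 | new InputStreamReader(...) : InputStreamReader | TaintedPath.java:38:41:39:70 | new BufferedReader(...) : BufferedReader |
+| TaintedPath.java:39:39:39:59 | getInputStream(...) : InputStream | TaintedPath.java:39:17:39:69 | new InputStreamReader(...) : InputStreamReader |
+| TaintedPath.java:40:27:40:40 | filenameReader : BufferedReader | TaintedPath.java:40:27:40:51 | readLine(...) : String |
+| TaintedPath.java:40:27:40:51 | readLine(...) : String | TaintedPath.java:43:46:43:53 | filename |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp |
@@ -189,12 +194,18 @@ edges
 | mad/Test.java:221:26:221:33 | source(...) : String | mad/Test.java:221:19:221:33 | (...)... |
 | mad/Test.java:226:29:226:36 | source(...) : String | mad/Test.java:226:20:226:36 | (...)... |
 nodes
-| TaintedPath.java:11:38:11:110 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
-| TaintedPath.java:11:57:11:109 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
-| TaintedPath.java:11:79:11:99 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| TaintedPath.java:12:24:12:37 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
-| TaintedPath.java:12:24:12:48 | readLine(...) : String | semmle.label | readLine(...) : String |
-| TaintedPath.java:14:68:14:75 | filename | semmle.label | filename |
+| TaintedPath.java:12:38:12:110 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| TaintedPath.java:12:57:12:109 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| TaintedPath.java:12:79:12:99 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| TaintedPath.java:13:24:13:37 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
+| TaintedPath.java:13:24:13:48 | readLine(...) : String | semmle.label | readLine(...) : String |
+| TaintedPath.java:15:68:15:75 | filename | semmle.label | filename |
+| TaintedPath.java:38:41:39:70 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| TaintedPath.java:39:17:39:69 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| TaintedPath.java:39:39:39:59 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| TaintedPath.java:40:27:40:40 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
+| TaintedPath.java:40:27:40:51 | readLine(...) : String | semmle.label | readLine(...) : String |
+| TaintedPath.java:43:46:43:53 | filename | semmle.label | filename |
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
 | Test.java:27:21:27:24 | temp | semmle.label | temp |
@@ -386,7 +397,8 @@ nodes
 | mad/Test.java:226:29:226:36 | source(...) : String | semmle.label | source(...) : String |
 subpaths
 #select
-| TaintedPath.java:14:53:14:76 | new FileReader(...) | TaintedPath.java:11:79:11:99 | getInputStream(...) : InputStream | TaintedPath.java:14:68:14:75 | filename | This path depends on a $@. | TaintedPath.java:11:79:11:99 | getInputStream(...) | user-provided value |
+| TaintedPath.java:15:53:15:76 | new FileReader(...) | TaintedPath.java:12:79:12:99 | getInputStream(...) : InputStream | TaintedPath.java:15:68:15:75 | filename | This path depends on a $@. | TaintedPath.java:12:79:12:99 | getInputStream(...) | user-provided value |
+| TaintedPath.java:43:25:43:54 | resolve(...) | TaintedPath.java:39:39:39:59 | getInputStream(...) : InputStream | TaintedPath.java:43:46:43:53 | filename | This path depends on a $@. | TaintedPath.java:39:39:39:59 | getInputStream(...) | user-provided value |
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | This path depends on a $@. | Test.java:19:18:19:38 | getHostName(...) | user-provided value |
 | Test.java:27:11:27:25 | get(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp | This path depends on a $@. | Test.java:19:18:19:38 | getHostName(...) | user-provided value |
 | Test.java:30:11:30:48 | getPath(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp | This path depends on a $@. | Test.java:19:18:19:38 | getHostName(...) | user-provided value |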

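--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
@@ -1,10 +1,11 @@
 import java.io.BufferedReader;
+import java.io.File;
 import java.io.FileReader;
+import java.io.IOException;
 import java.io.InputStreamReader;
 import java.net.Socket;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.io.IOException;
 
 public class TaintedPath {
 public void sendUserFile(Socket sock, String user) throws IOException {
@@ -32,4 +33,40 @@ public void sendUserFileGood(Socket sock, String user) throws IOException {
 }
 }
 }
+
+public void sendUserFileGood2(Socket sock, String user) throws Exception {
+BufferedReader filenameReader = new BufferedReader(
+new InputStreamReader(sock.getInputStream(), "UTF-8"));
+String filename = filenameReader.readLine();
+
+Path publicFolder = Paths.get("/home/" + user + "/public").normalize().toAbsolutePath();
+Path filePath = publicFolder.resolve(filename).normalize().toAbsolutePath(); // FP until the path-injection sinks are reworked
+
+// GOOD: ensure that the path stays within the public folder
+if (!filePath.startsWith(publicFolder + File.separator)) {
+throw new IllegalArgumentException("Invalid filename");
+}
+BufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));
+String fileLine = fileReader.readLine();
+while(fileLine != null) {
+sock.getOutputStream().write(fileLine.getBytes());
+fileLine = fileReader.readLine();
+}
+}
+
+public void sendUserFileGood3(Socket sock, String user) throws Exception {
+BufferedReader filenameReader = new BufferedReader(
+new InputStreamReader(sock.getInputStream(), "UTF-8"));
+String filename = filenameReader.readLine();
+// GOOD: ensure that the filename has no path separators or parent directory references
+if (filename.contains("..") || filename.contains("/") || filename.contains("\\")) {
+throw new IllegalArgumentException("Invalid filename");
+}
+BufferedReader fileReader = new BufferedReader(new FileReader(filename));
+String fileLine = fileReader.readLine();
+while(fileLine != null) {
+sock.getOutputStream().write(fileLine.getBytes());
+fileLine = fileReader.readLine();
+}
+}
 }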
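Review bot: `filename` comes from `filenameReader.readLine()`, which returns null at end of stream, so `filename.contains("..")` in sendUserFileGood3 throws NullPointerException before the validation runs, and `publicFolder.resolve(filename)` in sendUserFileGood2 has the same gap; a guard such as `if (filename == null || filename.contains("..") || filename.contains("/") || filename.contains("\\")) {` closes it. Both new methods also wrap a FileReader in a BufferedReader that is never closed on any exit path, where `try (BufferedReader fileReader = new BufferedReader(new FileReader(filename))) {` would release the handle. These are test snippets for the CWE-022 query and the paired .expected file pins line and column positions, so any edit here presumably requires regenerating that file. Separately, `Path.startsWith` compares whole path components, so `filePath.startsWith(publicFolder)` should be equivalent to the `publicFolder + File.separator` form and reads more directly.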
