Java: test perf

Jami Cogswell · Jami Cogswell · commit 1a1a3a3046c0 · 2025-02-03T19:34:41.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -354,8 +354,11 @@ private class FileGetNameSanitizer extends PathInjectionSanitizer {
 }
 
 /** Holds if `expr` may be null. */
-private predicate maybeNull(Expr expr) {
-  exists(DataFlow::Node src, DataFlow::Node sink |
+private predicate maybeNullArg(Expr expr) {
+  exists(DataFlow::Node src, DataFlow::Node sink, ConstructorCall constrCall |
+    constrCall.getConstructedType() instanceof TypeFile and
+    constrCall.getNumArgument() = 2 and
+    expr = constrCall.getArgument(0) and
     src.asExpr() = nullExpr() and
     sink.asExpr() = expr
   |
@@ -365,16 +368,27 @@ private predicate maybeNull(Expr expr) {
 
 /** A taint-tracking configuration for reasoning about tainted nodes. */
 private module TaintedConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
+  predicate isSource(DataFlow::Node source) {
+    source instanceof ActiveThreatModelSource
+    or
+    // ZipSlip uses ApiSourceNode instead of ActiveThreatModelSource
+    source instanceof ApiSourceNode
+  }
 
-  predicate isSink(DataFlow::Node sink) { any() }
+  predicate isSink(DataFlow::Node sink) {
+    exists(ConstructorCall constrCall |
+      constrCall.getConstructedType() instanceof TypeFile and
+      constrCall.getNumArgument() = 2 and
+      sink.asExpr() = constrCall.getArgument(0)
+    )
+  }
 }
 
 /** Tracks flow from any `ActiveThreatModelSource` to any node. */
 private module TaintedFlow = TaintTracking::Global<TaintedConfig>;
 
 /** Holds if `expr is tainted by an `ActiveThreatModelSource`. */
-private predicate isTainted(Expr expr) { TaintedFlow::flowToExpr(expr) }
+private predicate isTaintedArg(Expr expr) { TaintedFlow::flowToExpr(expr) }
 
 /** Holds if `g` is a guard that checks for `..` components. */
 private predicate pathTraversalGuard(Guard g, Expr e, boolean branch) {
@@ -394,8 +408,8 @@ private class FileConstructorSanitizer extends PathInjectionSanitizer {
       // Exclude cases where the parent argument is null since the
       // `java.io.File` documentation states that such cases are
       // treated as if invoking the single-argument `File` constructor.
-      not maybeNull(constrCall.getArgument(0)) and
-      not isTainted(constrCall.getArgument(0)) and
+      not maybeNullArg(constrCall.getArgument(0)) and
+      not isTaintedArg(constrCall.getArgument(0)) and
       arg = constrCall.getArgument(1) and
       (
         arg = DataFlow::BarrierGuard<pathTraversalGuard/3>::getABarrierNode().asExpr() or
